ssh-copy-id

I normally have my ~/.ssh/config so that it only uses my key or gssapi to login to other sites, however this poses a problem when reinstalling a server and don't yet have my key on it

ssh -F /dev/null root@hostname

works, but this wasn't working with ssh-copy-id.

Turns out that the ssh-copy-id script is braindead and only expects one or two (with the 1st beginning with -i) arguments.

lo and behold, some single quotes did the trick:

aelwell@pcitgtelwell:~$ ssh-copy-id '-F /dev/null root@concerto'
Are you sure you want to continue connecting (yes/no)? yes
root@concerto's password:
Now try logging into the machine, with "ssh '-F /dev/null root@concerto'", and check in: ....

tada!

Kerberos & SSH at CERN

Quick blog posting to save me having to explain to people what's needed:

1) RTFM: http://linux.web.cern.ch/linux/docs/kerberos-access.shtml -- thats where most of the good debugging tips are

2) to get it working between say your ubuntu laptop and cern hosts you'll need to append

allow_weak_crypto = true

to /etc/krb5.conf [libdefaults] section. (see bug)

3) make life easy and put a few things in your ~/.ssh/config

host *
        Protocol 2
        VerifyHostKeyDNS yes
        VisualHostKey yes
        GSSAPIAuthentication yes
        PreferredAuthentications gssapi-with-mic,publickey

host lxplus
        hostname lxplus.cern.ch
        ForwardAgent yes
        GSSAPIDelegateCredentials yes
        GSSAPITrustDNS yes

(despite what the man page says there are NO SPACES between the options in PreferredAuthentications (see SSH bug 1702)