Shell Access

Can I use an ssh public key to log in?

SSH public key authentication will not work. This is a consequence of using Kerberos and AFS. However, you can obtain tickets and tokens on your personal computer (i.e. the machine you're sitting in front of), and use those tickets to log in to mire without using a password. For more information, see MemberManual/ShellAccess/PasswordlessLogin.

If you would like to know why things are this way, please see MemberManual/DistributedSecurity. The "short" answer is that sshd public key authentication only works when the fileservers grant admin access to anybody with root access to any of the shell servers; this is a major security risk that we do not take.

How do I run a shell session for a long time on mire?

If you want to have a long-running session with or without screen, there are simple ways to avoid AFS permission denied errors due to expiring tokens.

If you don't use screen, just pay attention to the kinit and krenew commands. krenew can run as a background daemon when given the -b argument.

# Once screen has loaded (or you have begun a regular shell session),
# then execute the following commands, or place them in a script.
kinit -l 10d
krenew -K 540 -t -b

This will last until the ticket can no longer be renewed (approximately 8 days). However, you can run kinit and krenew again while in the screen session to restart the clock. If the ticket expires while in a screen session, repeat those steps inside screen, but be sure to also run aklog to get a new AFS token. You do not have to restart the screen session. In fact, you can dedicate a screen window just for monitoring and for running kinit, aklog, and krenew. With this simple method, your screen session can run indefinitely with minimal weekly input.
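
A status check for the dedicated monitoring window described above, as an added example that is not part of the original manual: it reports whether the session needs nothing, only aklog, or a fresh kinit. The function names, the KLIST and TOKENS override variables, and the sample tokens output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): report what a long-running
# session needs, from Kerberos ticket and AFS token state.
# KLIST and TOKENS may name replacement commands, which is how the
# constructed sample below can be fed in without a real ticket cache.
KLIST=${KLIST:-klist}
TOKENS=${TOKENS:-tokens}

# Constructed sample of `tokens` output with a stale token. Assumption:
# OpenAFS prints one "tokens for" line per cell and flags stale ones
# with "[>> Expired <<]".
sample_tokens_expired() {
    printf '%s\n' 'Tokens held by the Cache Manager:' '' \
        "User's (AFS ID 1234) tokens for afs@example.org [>> Expired <<]" \
        '   --End of list--'
}

# Succeeds only if at least one listed token is not marked expired.
has_afs_token() {
    "$TOKENS" 2>/dev/null | grep 'tokens for' | grep -qv 'Expired <<'
}

# Prints ok, need-aklog or need-kinit.
session_status() {
    if ! "$KLIST" -s 2>/dev/null; then   # -s: silent, exit status only
        echo need-kinit
    elif ! has_afs_token; then
        echo need-aklog
    else
        echo ok
    fi
}

# Maps a status to the commands this page gives for it.
next_steps() {
    case $1 in
        ok)         echo 'nothing to do' ;;
        need-aklog) echo 'aklog' ;;
        need-kinit) echo 'kinit -l 10d && aklog && krenew -K 540 -t -b' ;;
    esac
}

next_steps "$(session_status)"
```

Running it with TOKENS=sample_tokens_expired shows the case where the ticket is still valid but AFS access already fails with permission denied.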

Reference: MemberManual/TransferringFiles/OpenAFS/Debian