welcome: please sign in

The following 332 words could not be found in the dictionary of 7 words (including 7 LocalSpellingWords) and are highlighted below:
1b   5a   5c   8a   8c   above   ac   Access   add   Adding   additional   after   aliases   allow   also   an   An   and   any   apt   arbitrary   Are   are   asked   asks   authenticated   Authentication   authentication   authenticity   Automating   bc   be   because   been   before   below   benefit   But   but   by   can   capitalize   Category   cause   certain   check   client   code   command   config   connecting   Contents   continue   Coop   copy   Credentials   cryptography   cumbersome   d7   database   dates   debug1   debugging   Delegate   described   details   diagnostics   Distributed   distributions   dnf   do   does   doesn   doing   domain   during   e1   earlier   ef   enable   entrust   entry   established   etc   ever   example   exchange   expiration   explains   extra   f7   f9   failure   faster   Fedora   feel   fewer   figure   file   Files   fingerprint   first   follow   following   For   for   found   fred   freezes   from   fully   further   generic   get   given   guarantees   guix   Guix   has   Hat   have   having   hcoop   help   Here   Host   host   hosts   how   identity   if   If   Important   in   inactivity   include   information   install   Installation   installed   instead   instructions   Instructions   invocation   is   it   just   kerberos   Kerberos   key   keys   kinit   klist   known   krb5   Last   later   like   likely   line   Linux   list   listed   ll   log   logins   longer   looks   lot   lots   Mac   machine   Macintosh   main   major   Make   make   makes   Manual   may   Member   message   might   min   Minor   minor   Mit   mit   more   must   name   Name   need   Needs   net   never   Next   no   none   not   noticably   obtain   Of   of   On   on   Once   once   only   Open   openssh   operated   option   options   or   other   Other   our   out   output   package   packages   page   password   passwordless   permanently   platforms   please   Ports   Prerequisites   procedures   process   prompted   protocols   prove   provide   public   qualified   rather   re   reach   reason   Red   reports   required   requires   round   safe   second   Security   see   See   send   Server   servers   Session   Shell   should   so   software   somebody   something   spit   ssh   still   store   sudo   support   sure   symmetric   Table   tells   tested   than   that   The   the   their   Then   there   There   These   things   This   this   tickets   to   To   Transferring   trips   Troubleshooting   Trust   try   trying   turn   Type   type   typing   Ubuntu   unduly   unix   Unspecified   Upon   use   useful   User   user   username   uses   using   variants   various   version   versions   vvv   want   We   we   when   which   will   with   without   work   Work   workstation   would   yes   you   You   your   yourself  

Clear message
Edit

MemberManual / ShellAccess / PasswordlessLogin

This page explains how to log in to our servers without having to type in a password. We use MitKerberos for this rather than RSA/DSA public keys. The main reason for doing so is MemberManual/DistributedSecurity; please see that page if you feel that the procedures described below are unduly cumbersome.

An extra benefit is that passwordless logins using kerberos are noticably faster than passwordless logins using public key authentication. This is because kerberos uses symmetric cryptography (which is faster) and requires fewer round-trips during the authentication process.

These instructions have been tested with the major unix variants (Debian, RedHat, Fedora, Ubuntu, MacOSX, etc). There are reports that the ssh client in certain minor distributions does not support this.

Contents

  1. Prerequisites
    1. On a Macintosh
    2. On Ubuntu or Debian GNU/Linux
    3. On Fedora GNU/Linux
    4. On GNU Guix
  2. Instructions
  3. Automating things
  4. Troubleshooting
    1. Session freezes after ~5 min of inactivity
    2. If it still doesn't work

Prerequisites

Installation instructions for various platforms are given below:

On a Macintosh

For OS X 10.5 and later, no additional software is required for the instructions below to work; earlier versions of Mac OS X might work if you install the MacPorts version of kerberos+ssh (but no guarantees!). For further details, check out MemberManual/TransferringFiles/OpenAFS, and follow just the Kerberos instructions.

On Ubuntu or Debian GNU/Linux

You need the openssh-client and krb5-user packages: 

sudo apt-get install openssh-client krb5-user

On Fedora GNU/Linux

You will need the krb5-workstation package: 

dnf -y install krb5-workstation

On GNU Guix

You will need the mit-krb5 package: 

guix install mit-krb5

Instructions

Once a Kerberos client has been installed, you must obtain Kerberos tickets. If your username is "fred", you would do this by typing: 

kinit -f fred@HCOOP.NET

Then type your password when prompted.

Next, make sure you have your tickets. To do this, type 

klist

You should see your tickets and their expiration dates.

Last, type 

ssh -oGSSAPIAuthentication=yes -oGSSAPIDelegateCredentials=yes fred@ssh.hcoop.net

GSSAPI is the "generic name" for Kerberos-like authentication protocols. The first option tells your ssh client to use your Kerberos tickets to prove your identity to the hcoop servers. The second option tells your ssh client that it is safe to entrust the hcoop servers with a copy of your tickets once you have authenticated. If it still asks you for a password, you might have to add the -oGSSAPITrustDNS=yes option.

Upon first invocation you might be asked to add the RSA public key of ssh.hcoop.net to the list of known hosts. This message looks something like this: 

The authenticity of host 'ssh.hcoop.net (69.90.123.68)' can't be established.
RSA key fingerprint is 52:5c:8c:f7:d7:bc:1b:f9:ef:39:5a:27:ac:72:8a:e1.
Are you sure you want to continue connecting (yes/no)?

Type yes to permanently store the fingerprint in ~/.ssh/known_hosts .

Automating things

If you do this a lot, you can include the GSSAPIAuthentication and GSSAPIDelegateCredentials options in your ~/.ssh/config file. But you should not turn on GSSAPIDelegateCredentials for arbitrary hosts. Make sure you only enable it for HCoop hosts! You should never, ever use GSSAPIDelegateCredentials on a machine which is operated by somebody other than yourself and HCoop.

Here is an example entry for ~/.ssh/config: 

Host hcoop
  HostName ssh.hcoop.net
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  GSSAPITrustDNS yes
  User fred

This will allow you to type the following, instead of the longer command above. 

ssh hcoop

Troubleshooting

Adding "-vvv" to the ssh command line makes it spit out lots of useful debugging information.

If you see something like the following in the output: 

debug1: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database

check to see if you have an /etc/hosts file with the host that you're trying to reach in it. If there is an entry for this host, make sure that the fully-qualified domain name is listed first, before any aliases that you may be using.

Session freezes after ~5 min of inactivity

The likely cause is that you are trying to exchange Kerberos tickets and have none.

If it still doesn't work

See the Troubleshooting Kerberos page for more diagnostics. You may also send the output of your ssh command with the "'-vvv'" to hcoop-help and we'll try to figure things out from there.

CategoryMemberManual CategoryNeedsWork

MemberManual/ShellAccess/PasswordlessLogin (last edited 2021-10-17 03:04:21 by RobinTempleton)