welcome: please sign in

Diff for "MemberManual/ShellAccess/PasswordlessLogin"

Differences between revisions 11 and 19 (spanning 8 versions)
Revision 11 as of 2007-06-05 02:50:45
Size: 1641
Editor: AdamMegacz
Comment:
Revision 19 as of 2008-03-08 01:02:40
Size: 2981
Comment: add debugging tip, re-arrange troubleshooting section a bit and update email address for help to hcoop-help.
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
== How to log in to mire without typing your password == #pragma section-numbers off
Line 3: Line 3:
Zeroth, you must have openssh client 4.3 or later. Other versions may work, but we make no guarantees. You will also want the {{{krb5-user}}} package if you are using Debian or Ubuntu. This page explains how to log in to our servers without having to type in a password. We use kerberos for this rather than RSA/DSA public keys.
Line 5: Line 5:
An extra benefit is that passwordless logins using kerberos are noticably faster than passwordless logins using public key authentication. This is because kerberos uses symmetric cryptography (which is faster) and requires fewer round-trips during the authentication process.
Line 6: Line 7:
Then, you must obtain kerberos tickets. If your username is "fred", you would do this by typing [[TableOfContents]]

= Prerequisites =

You must have openssh client 4.3 or later. Other versions may work, but we make no guarantees. You will also want the {{{krb5-user}}} package if you are using Debian or Ubuntu. For Mac OS X 10.3 and later no additional software is required for the instructions below to work. For further details, check out ["MemberManual/TransferringFiles/OpenAFS"], and follow just the Kerberos instructions.

= Instructions =

Once a Kerberos client hsa been installed, you must obtain Kerberos tickets. If your username is "fred", you would do this by typing:
Line 8: Line 18:
   kinit fred@HCOOP.NET kinit fred@HCOOP.NET
Line 11: Line 21:
Then type your password when prompted. Note that you MUST capitalize HCOOP.NET and you MUST NOT capitalize your user name. This is important. Then type your password when prompted. Note that you '''must''' capitalize HCOOP.NET and you '''must not''' capitalize your user name. This is important.
Line 14: Line 24:
Line 15: Line 26:
   klist klist
Line 17: Line 28:
Line 20: Line 32:
Line 21: Line 34:
   ssh -o 'GSSAPIAuthentication yes' -o 'GSSAPIDelegateCredentials yes' mire.hcoop.net ssh -o 'GSSAPIAuthentication yes' -o 'GSSAPIDelegateCredentials yes' fred@mire.hcoop.net
Line 23: Line 36:
Line 25: Line 39:
If that doesn't work, add "`-vvv`" to the command line and copy and paste the ENTIRE output into an email to hcoop-discuss and we'll tell you what's up.
Line 27: Line 40:
If you do this a lot, you can include the `GSSAPIAuthentication` and `GSSAPIDelegateCredentials` options in your `.ssh/config` file. But you should NOT turn on `GSSAPIDelegateCredentials` for arbitrary hosts (make sure you only enable it for HCOOP hosts).  Here's what AdamMegacz uses:
= Automating things =

If you do this a lot, you can include the `GSSAPIAuthentication` and `GSSAPIDelegateCredentials` options in your `~/.ssh/config` file. But you should NOT turn on `GSSAPIDelegateCredentials` for arbitrary hosts (make sure you only enable it for HCOOP hosts).

Here is an example entry for `~/.ssh/config`:
Line 30: Line 48:
Host deleuze.hcoop.net
  ForwardX11Trusted yes
Host mire.hcoop.net
Line 34: Line 51:
  User megacz_admin
Host mire.hcoop.net
  ForwardX11Trusted yes
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  User megacz_admin
  User fred
Line 42: Line 54:
== If it doesn't work == This will allow you to type the following, instead of the longer command above.
Line 44: Line 56:
See TroubleshootingKerberos {{{
ssh fred@mire.hcoop.net
}}}

= Troubleshooting =

Adding "-vvv" to the ssh command line makes it spit out lots of useful debugging information.

If you see something like the following in the output:

{{{
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
}}}

check to see if you have an /etc/hosts file with the host that you're trying to reach in it. If there is an entry for this host, make sure that the fully-qualified domain name is listed first, before any aliases that you may be using.

== If it still doesn't work ==

See the [:MemberManual/ShellAccess/TroubleshootingKerberos:Troubleshooting Kerberos] page for more diagnostics. You may also send the output of your ssh command with the "'-vvv'" to hcoop-help and we'll try to figure things out from there.

This page explains how to log in to our servers without having to type in a password. We use kerberos for this rather than RSA/DSA public keys.

An extra benefit is that passwordless logins using kerberos are noticably faster than passwordless logins using public key authentication. This is because kerberos uses symmetric cryptography (which is faster) and requires fewer round-trips during the authentication process.

TableOfContents

Prerequisites

You must have openssh client 4.3 or later. Other versions may work, but we make no guarantees. You will also want the krb5-user package if you are using Debian or Ubuntu. For Mac OS X 10.3 and later no additional software is required for the instructions below to work. For further details, check out ["MemberManual/TransferringFiles/OpenAFS"], and follow just the Kerberos instructions.

Instructions

Once a Kerberos client hsa been installed, you must obtain Kerberos tickets. If your username is "fred", you would do this by typing:

kinit fred@HCOOP.NET

Then type your password when prompted. Note that you must capitalize HCOOP.NET and you must not capitalize your user name. This is important.

Next, make sure you have your tickets. To do this, type

klist

You should see your tickets and their expiration dates.

Last, type

ssh -o 'GSSAPIAuthentication yes' -o 'GSSAPIDelegateCredentials yes' fred@mire.hcoop.net

(GSSAPI is sort of like Kerberos. Don't worry about the difference at this point.)

Automating things

If you do this a lot, you can include the GSSAPIAuthentication and GSSAPIDelegateCredentials options in your ~/.ssh/config file. But you should NOT turn on GSSAPIDelegateCredentials for arbitrary hosts (make sure you only enable it for HCOOP hosts).

Here is an example entry for ~/.ssh/config:

Host mire.hcoop.net
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  User fred

This will allow you to type the following, instead of the longer command above.

ssh fred@mire.hcoop.net

Troubleshooting

Adding "-vvv" to the ssh command line makes it spit out lots of useful debugging information.

If you see something like the following in the output:

debug1: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database

check to see if you have an /etc/hosts file with the host that you're trying to reach in it. If there is an entry for this host, make sure that the fully-qualified domain name is listed first, before any aliases that you may be using.

If it still doesn't work

See the [:MemberManual/ShellAccess/TroubleshootingKerberos:Troubleshooting Kerberos] page for more diagnostics. You may also send the output of your ssh command with the "'-vvv'" to hcoop-help and we'll try to figure things out from there.

MemberManual/ShellAccess/PasswordlessLogin (last edited 2021-10-17 03:04:21 by RobinTempleton)