welcome: please sign in

Diff for "MemberManual/ShellAccess/PasswordlessLogin"

Differences between revisions 7 and 13 (spanning 6 versions)
Revision 7 as of 2007-06-03 01:29:58
Size: 1783
Editor: netblock-68-183-25-2
Comment:
Revision 13 as of 2007-11-12 04:14:58
Size: 1686
Editor: MichaelOlson
Comment: Make part of member manual
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
## page was renamed from PasswordlessLogin
Line 2: Line 3:

Zeroth, you must have openssh client 4.3 or later. Other versions may work, but we make no guarantees.

First, you must make sure that your `/etc/krb5.conf` (or, on MacOS, your `/Library/Preferences/edu.mit.Kerberos` file) is sane. All you need to do is make sure that there are NOT entries in there which disable the `dns_lookup_kdc` or `dns_lookup_realm` options (unfortunately Fedora ships with these crippled). If you don't see those options in the file, you're fine.		 Zeroth, you must have openssh client 4.3 or later. Other versions may work, but we make no guarantees. You will also want the {{{krb5-user}}} package if you are using Debian or Ubuntu.
Line 8: Line 6:
Line 11: Line 10:
Line 15: Line 13:
Line 21: Line 20:
Line 22: Line 22:
   ssh -o 'GSSAPIAuthentication yes' -o 'GSSAPIDelegateCredentials yes' mire.hcoop.net    ssh -o 'GSSAPIAuthentication yes' -o 'GSSAPIDelegateCredentials yes' fred@mire.hcoop.net
Line 24: Line 24:
(GSSAPI is sort of like Kerberos. Don't worry about the difference at this point.)
Line 40: Line 42:
== If it doesn't work ==
See TroubleshootingKerberos

1. How to log in to mire without typing your password

Zeroth, you must have openssh client 4.3 or later. Other versions may work, but we make no guarantees. You will also want the krb5-user package if you are using Debian or Ubuntu.

Then, you must obtain kerberos tickets. If your username is "fred", you would do this by typing 

   kinit fred@HCOOP.NET

Then type your password when prompted. Note that you MUST capitalize HCOOP.NET and you MUST NOT capitalize your user name. This is important.

Next, make sure you have your tickets. To do this, type 

   klist

You should see your tickets and their expiration dates.

Last, type 

   ssh -o 'GSSAPIAuthentication yes' -o 'GSSAPIDelegateCredentials yes' fred@mire.hcoop.net

(GSSAPI is sort of like Kerberos. Don't worry about the difference at this point.)

If that doesn't work, add "-vvv" to the command line and copy and paste the ENTIRE output into an email to hcoop-discuss and we'll tell you what's up.

If you do this a lot, you can include the GSSAPIAuthentication and GSSAPIDelegateCredentials options in your .ssh/config file. But you should NOT turn on GSSAPIDelegateCredentials for arbitrary hosts (make sure you only enable it for HCOOP hosts). Here's what AdamMegacz uses: 

Host deleuze.hcoop.net
  ForwardX11Trusted yes
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  User megacz_admin
Host mire.hcoop.net
  ForwardX11Trusted yes
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  User megacz_admin

2. If it doesn't work

See TroubleshootingKerberos

MemberManual/ShellAccess/PasswordlessLogin (last edited 2021-10-17 03:04:21 by RobinTempleton)