Advanced Connection Options
From FarmShare
(Added section on keep-alive)
Line 1: | Line 1: | ||
== Public Key Authentication == | == Public Key Authentication == | ||
- | Public key authentication is not supported by FarmShare systems | + | Public key authentication is not supported by FarmShare systems. |
== GSSAPI (Kerberos) Authentication == | == GSSAPI (Kerberos) Authentication == | ||
Line 13: | Line 13: | ||
It is possible to enable forwarding by adding the ssh option '''GSSAPIDelegateCredentials''' to ~/.ssh/config, but you should do so only for trusted computers. Something like the following is recommended: | It is possible to enable forwarding by adding the ssh option '''GSSAPIDelegateCredentials''' to ~/.ssh/config, but you should do so only for trusted computers. Something like the following is recommended: | ||
- | Host cardinal cardinal? corn corn?? rye rye | + | Host rice rice?? cardinal cardinal? corn corn?? rye rye?? |
HostName %h.stanford.edu | HostName %h.stanford.edu | ||
- | Host cardinal cardinal? cardinal.stanford.edu cardinal?.stanford.edu | + | Host rice rice?? rice.stanford.edu rice??.stanford.edu corn cardinal cardinal? cardinal.stanford.edu cardinal?.stanford.edu corn?? corn.stanford.edu corn?.stanford.edu rye rye?? rye.stanford.edu rye??.stanford.edu barley?? barley??.stanford.edu |
+ | GSSAPIDelegateCredentials yes | ||
+ | Host * | ||
GSSAPIKeyExchange yes | GSSAPIKeyExchange yes | ||
GSSAPIAuthentication yes | GSSAPIAuthentication yes | ||
- | |||
- | |||
- | This configuration should work safely in all common cases | + | This configuration should work safely in all common cases. |
- | See the man page for ssh_config for more information on GSSAPI options. | + | See the <code>man</code> page for <code>ssh_config</code> for more information on GSSAPI options. |
=== PuTTY === | === PuTTY === | ||
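Review bot: In the second added Host line the fully qualified corn pattern is `corn?.stanford.edu`, while the other numbered patterns in the same line and in the stanza above use two wildcards (`corn??`, `rice??.stanford.edu`, `rye??.stanford.edu`), so a two-digit corn node typed with its full name would not match and would not get GSSAPIDelegateCredentials; this looks like it should be `corn??.stanford.edu`. `barley??` is also added to this line but not to the HostName stanza above it, so the short name gets delegation enabled without the `.stanford.edu` expansion.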
Line 35: | Line 35: | ||
=== Verifying Credentials === | === Verifying Credentials === | ||
- | After you successfully connect to the destination host, use | + | After you successfully connect to the destination host, use <code>klist -f</code> to see which Kerberos credentials got forwarded. |
== Two-factor Authentication == | == Two-factor Authentication == | ||
- | + | Add the following lines to your <code>~/.ssh/config</code> file on your local machine (not on FarmShare) to enable ControlMaster which will create a tunnel on your first login, and will re-use the same tunnel on subsequent connections, thus avoiding 2-step after the initial connection. This will only work if you are logging into the same node to which the tunnel was established. | |
- | Host corn corn?? corn.stanford.edu corn??.stanford.edu | + | Host rice rice?? rice.stanford.edu rice??.stanford.edu corn corn?? corn.stanford.edu corn??.stanford.edu |
ControlMaster auto | ControlMaster auto | ||
ControlPath ~/.ssh/%r@%h:%p | ControlPath ~/.ssh/%r@%h:%p |
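Review bot: The paragraph added before the Host line explains that the shared connection avoids 2-step after the first login but carries no caveat about where to use it, unlike the GSSAPIDelegateCredentials text, which says to enable it "only for trusted computers". Because later sessions that reuse the socket at `ControlPath ~/.ssh/%r@%h:%p` skip both the password and the 2-step prompt, suggest adding the same trusted-machine caveat here and mentioning how to close the shared connection when finished (`ssh -O exit` with the same host name).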
Revision as of 12:59, 21 August 2017
Public Key Authentication
Public key authentication is not supported by FarmShare systems.
GSSAPI (Kerberos) Authentication
FarmShare systems do support password-less authentication using GSSAPI.
OpenSSH (Linux, Mac OS X)
The default configuration of OpenSSH uses GSSAPI for authentication if a valid Kerberos ticket is present but does not forward tickets to the remote system, which can cause problems with AFS.
It is possible to enable forwarding by adding the ssh option GSSAPIDelegateCredentials to ~/.ssh/config, but you should do so only for trusted computers. Something like the following is recommended:
    Host rice rice?? cardinal cardinal? corn corn?? rye rye??
        HostName %h.stanford.edu
    Host rice rice?? rice.stanford.edu rice??.stanford.edu corn cardinal cardinal? cardinal.stanford.edu cardinal?.stanford.edu corn?? corn.stanford.edu corn?.stanford.edu rye rye?? rye.stanford.edu rye??.stanford.edu barley?? barley??.stanford.edu
        GSSAPIDelegateCredentials yes
    Host *
        GSSAPIKeyExchange yes
        GSSAPIAuthentication yes
This configuration should work safely in all common cases.
See the man page for ssh_config for more information on GSSAPI options.
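To check which host names actually receive ticket forwarding under the configuration above, the following added example (not FarmShare's own code) applies ssh_config's documented first-value-wins rule and `*`/`?` wildcards to it. The parser is a simplification that assumes plain "Keyword value" lines and Host blocks only, and the function names are hypothetical.

```python
import re

# The configuration recommended above, one directive per line.
SSH_CONFIG = """\
Host rice rice?? cardinal cardinal? corn corn?? rye rye??
    HostName %h.stanford.edu
Host rice rice?? rice.stanford.edu rice??.stanford.edu corn cardinal cardinal? cardinal.stanford.edu cardinal?.stanford.edu corn?? corn.stanford.edu corn?.stanford.edu rye rye?? rye.stanford.edu rye??.stanford.edu barley?? barley??.stanford.edu
    GSSAPIDelegateCredentials yes
Host *
    GSSAPIKeyExchange yes
    GSSAPIAuthentication yes
"""

def pattern_matches(pattern, host):
    # ssh_config wildcards: '*' matches any run of characters, '?' exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, host) is not None

def block_applies(patterns, host):
    # A '!pattern' hit vetoes the block; otherwise one positive hit is enough.
    if any(pattern_matches(p[1:], host) for p in patterns if p.startswith("!")):
        return False
    return any(pattern_matches(p, host) for p in patterns if not p.startswith("!"))

def parse(text):
    # Simplified parser: "Keyword value" lines and Host blocks (no Match/Include).
    blocks = [(["*"], {})]  # options before the first Host line are global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        if key.lower() == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key.lower(), value)
    return blocks

def effective(host, keyword, default, config=SSH_CONFIG):
    # ssh uses the first value obtained for each keyword, reading top to bottom.
    for patterns, options in parse(config):
        if block_applies(patterns, host) and keyword.lower() in options:
            return options[keyword.lower()]
    return default

def delegates(host):
    # GSSAPIDelegateCredentials defaults to "no" when no block sets it.
    return effective(host, "GSSAPIDelegateCredentials", "no") == "yes"
```

With constructed host names, `delegates("corn12")` is true and `delegates("example.org")` is false, so tickets are forwarded only to the listed systems. `delegates("corn12.stanford.edu")` is also false, because the only fully qualified corn patterns in the list are `corn.stanford.edu` and `corn?.stanford.edu`.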
PuTTY
PuTTY supports GSSAPI authentication as of version 0.61; it also attempts to use GSSAPI by default but does not forward tickets. To enable forwarding: select Connection -> SSH -> Auth -> GSSAPI -> Allow GSSAPI credential delegation.
SecureCRT
You can enable GSSAPI authentication in SecureCRT's Session Options dialog, in category Connection -> SSH2. Make sure Authentication -> GSSAPI and Key exchange -> Kerberos (Group Exchange) and/or Key exchange -> Kerberos are checked. SecureCRT attempts authentication and key exchange methods in the order listed, so these methods should be moved to the top of their stacks.
Verifying Credentials
After you successfully connect to the destination host, use klist -f to see which Kerberos credentials got forwarded.
Two-factor Authentication
Add the following lines to the ~/.ssh/config file on your local machine (not on FarmShare) to enable ControlMaster. It creates a tunnel on your first login and reuses that tunnel for subsequent connections, so 2-step is avoided after the initial connection. This only works if you are logging into the same node to which the tunnel was established.
    Host rice rice?? rice.stanford.edu rice??.stanford.edu corn corn?? corn.stanford.edu corn??.stanford.edu
        ControlMaster auto
        ControlPath ~/.ssh/%r@%h:%p
        ControlPersist yes
Keep-alive
You can actively keep a session alive by adding the following line to any Host statement:
ServerAliveInterval 60