Advanced Connection Options
From FarmShare
Line 8: | Line 8: | ||
It is possible to enable forwarding by adding the ssh option '''GSSAPIDelegateCredentials''' to ~/.ssh/config, but you should do so only for trusted computers. Something like the following is recommended: | It is possible to enable forwarding by adding the ssh option '''GSSAPIDelegateCredentials''' to ~/.ssh/config, but you should do so only for trusted computers. Something like the following is recommended: | ||
- | <pre>Host cardinal cardinal? | + | <pre>Host cardinal cardinal? corn corn?? |
- | + | ||
- | + | ||
- | + | ||
HostName %h.stanford.edu | HostName %h.stanford.edu | ||
Line 21: | Line 18: | ||
This configuration should work safely in all common cases for both cardinal and corn systems. | This configuration should work safely in all common cases for both cardinal and corn systems. | ||
- | See the man page for ssh_config for more information on GSSAPI options. | + | See the man page for ssh_config for more information on GSSAPI options. |
After you successfully connect to the destination host, use 'klist -f' to see which Kerberos credentials got forwarded. | After you successfully connect to the destination host, use 'klist -f' to see which Kerberos credentials got forwarded. |
Revision as of 00:39, 1 February 2012
Public Key Authentication
Public key authentication is not supported by FarmShare systems. However...
GSSAPI (Kerberos) Authentication
FarmShare systems do support password-less authentication using GSSAPI. The default configuration of OpenSSH uses GSSAPI for authentication if a valid Kerberos ticket is present but does not forward tickets to the remote system, which can cause problems with AFS.
It is possible to enable forwarding by adding the ssh option GSSAPIDelegateCredentials to ~/.ssh/config, but you should do so only for trusted computers. Something like the following is recommended:
Host cardinal cardinal? corn corn?? HostName %h.stanford.edu Host cardinal cardinal? cardinal*.stanford.edu corn corn?? corn*.stanford.edu GSSAPIKeyExchange yes GSSAPIAuthentication yes GSSAPIDelegateCredentials yes
This configuration should work safely in all common cases for both cardinal and corn systems.
See the man page for ssh_config for more information on GSSAPI options.
After you successfully connect to the destination host, use 'klist -f' to see which Kerberos credentials got forwarded.