Advanced Connection Options
From FarmShare
Line 11: | Line 11: | ||
On macOS and Linux systems you can enable GSSAPI by adding the following lines to <code>~/.ssh/config</code> on your local system. | On macOS and Linux systems you can enable GSSAPI by adding the following lines to <code>~/.ssh/config</code> on your local system. | ||
- | + | GSSAPIKeyExchange yes | |
- | GSSAPIKeyExchange yes | + | GSSAPIAuthentication yes |
- | GSSAPIAuthentication yes | + | |
- | + | ||
In some cases GSSAPI authentication may be enabled by default, but <code>ssh</code> will not forward your Kerberos ticket to the remote system. This can be inconvenient, especially in the legacy FarmShare environment, or when you expect to access [[AFS]] on <code>rice</code>. You can enable forwarding by adding <code>GSSAPIDelegateCredentials yes</code> to <code>~/.ssh/config</code>, but you should do so ''only'' for trusted systems; to restrict the option, add it to a <code>Host</code> block: | In some cases GSSAPI authentication may be enabled by default, but <code>ssh</code> will not forward your Kerberos ticket to the remote system. This can be inconvenient, especially in the legacy FarmShare environment, or when you expect to access [[AFS]] on <code>rice</code>. You can enable forwarding by adding <code>GSSAPIDelegateCredentials yes</code> to <code>~/.ssh/config</code>, but you should do so ''only'' for trusted systems; to restrict the option, add it to a <code>Host</code> block: | ||
- | + | Host rice rice.stanford.edu rice?? rice??.stanford.edu cardinal cardinal.stanford.edu cardinal? cardinal?.stanford.edu | |
- | Host rice rice.stanford.edu rice?? rice??.stanford.edu cardinal cardinal.stanford.edu cardinal? cardinal?.stanford.edu | + | GSSAPIDelegateCredentials yes |
- | + | ||
- | + | ||
See the <code>man</code> page for <code>ssh_config</code> for more information on GSSAPI options. | See the <code>man</code> page for <code>ssh_config</code> for more information on GSSAPI options. | ||
Line 37: | Line 33: | ||
You can avoid some of the inconvenience of two-step authentication using <code>ssh</code> multiplexing. This feature creates a master session on initial connection to a particular host; subsequent sessions reuse the existing connection as a tunnel, so no further authentication is required. The master session can be configured to remain open even after you have closed the initial connection using the <code>ControlPersist</code> option. Add the following lines to <code>~/.ssh/config</code> file on your local system to enable multiplexing. | You can avoid some of the inconvenience of two-step authentication using <code>ssh</code> multiplexing. This feature creates a master session on initial connection to a particular host; subsequent sessions reuse the existing connection as a tunnel, so no further authentication is required. The master session can be configured to remain open even after you have closed the initial connection using the <code>ControlPersist</code> option. Add the following lines to <code>~/.ssh/config</code> file on your local system to enable multiplexing. | ||
- | + | ControlMaster auto | |
- | ControlMaster auto | + | ControlPath ~/.ssh/%r@%h:%p |
- | ControlPath ~/.ssh/%r@%h:%p | + | ControlPersist yes |
- | ControlPersist yes | + | |
- | + | ||
PuTTY and SecureCRT support multiplexing, but do not support <code>ControlPersist</code>, so the feature is of less utility for this purpose on Windows systems. | PuTTY and SecureCRT support multiplexing, but do not support <code>ControlPersist</code>, so the feature is of less utility for this purpose on Windows systems. | ||
Line 53: | Line 47: | ||
Add the following line to <code>~/.ssh/config</code> on your local system. | Add the following line to <code>~/.ssh/config</code> on your local system. | ||
- | + | ServerAliveInterval 60 | |
=== PuTTY === | === PuTTY === | ||
Line 67: | Line 61: | ||
The options described above are here collected into a configuration that should be safe and convenient for most users connecting from macOS and Linux systems. | The options described above are here collected into a configuration that should be safe and convenient for most users connecting from macOS and Linux systems. | ||
+ | <pre> | ||
# ~/.ssh/config | # ~/.ssh/config | ||
Line 96: | Line 91: | ||
GSSAPIAuthentication yes | GSSAPIAuthentication yes | ||
ServerAliveInterval 60 | ServerAliveInterval 60 | ||
- | </ | + | </pre> |
Revision as of 13:25, 14 September 2017
Contents |
Public Key Authentication
Public key authentication is not supported on FarmShare systems.
GSSAPI Authentication
FarmShare systems do support password-less authentication using GSSAPI if you have a valid Kerberos ticket for the stanford.edu
realm.
OpenSSH
On macOS and Linux systems you can enable GSSAPI by adding the following lines to ~/.ssh/config
on your local system.
GSSAPIKeyExchange yes GSSAPIAuthentication yes
In some cases GSSAPI authentication may be enabled by default, but ssh
will not forward your Kerberos ticket to the remote system. This can be inconvenient, especially in the legacy FarmShare environment, or when you expect to access AFS on rice
. You can enable forwarding by adding GSSAPIDelegateCredentials yes
to ~/.ssh/config
, but you should do so only for trusted systems; to restrict the option, add it to a Host
block:
Host rice rice.stanford.edu rice?? rice??.stanford.edu cardinal cardinal.stanford.edu cardinal? cardinal?.stanford.edu GSSAPIDelegateCredentials yes
See the man
page for ssh_config
for more information on GSSAPI options.
PuTTY
PuTTY supports GSSAPI authentication by default; to enable forwarding, select Connection
→ SSH → Auth
→ GSSAPI
→ Allow GSSAPI credential delegation
.
SecureCRT
SecureCRT supports GSSAPI authentication, but it is disabled by default. To enable GSSAPI, open the Session Options dialog and select Connection
→ SSH2
→ Authentication
→ GSSAPI
and Connection
→ SSH2
→ Authentication
→ Key exchange
→ Kerberos (Group Exchange)
. SecureCRT attempts authentication and key exchange methods in the order listed, so these methods should be moved to the top of their respective stacks. Delegation is enabled by default when GSSAPI authentication is selected.
Two-step Authentication
You can avoid some of the inconvenience of two-step authentication using ssh
multiplexing. This feature creates a master session on initial connection to a particular host; subsequent sessions reuse the existing connection as a tunnel, so no further authentication is required. The master session can be configured to remain open even after you have closed the initial connection using the ControlPersist
option. Add the following lines to ~/.ssh/config
file on your local system to enable multiplexing.
ControlMaster auto ControlPath ~/.ssh/%r@%h:%p ControlPersist yes
PuTTY and SecureCRT support multiplexing, but do not support ControlPersist
, so the feature is of less utility for this purpose on Windows systems.
Keep-alive
A connection that is left open but idle might be closed after some time. Many SSH clients have a keep-alive feature that can be used to prevent idle disconnections.
OpenSSH
Add the following line to ~/.ssh/config
on your local system.
ServerAliveInterval 60
PuTTY
Select Connection
→ Sending of null packets to keep session active
→ Seconds between keepalives (0 to turn off) 60
and Connection
→ Low-level TCP connection options
→ Enable TCP keepalives (SO_KEEPALIVE option)
.
SecureCRT
In the Session Options dialog, select Terminal
→ Anti-idle
→ Send protocol NO-OP every 60 seconds
.
Suggested OpenSSH Configuration
The options described above are here collected into a configuration that should be safe and convenient for most users connecting from macOS and Linux systems.
# ~/.ssh/config # FarmShare 2 Host rice rice?? cardinal cardinal? HostName %h.stanford.edu Host rice rice.stanford.edu rice?? rice??.stanford.edu cardinal cardinal.stanford.edu cardinal? cardinal?.stanford.edu ControlMaster auto ControlPersist yes GSSAPIDelegateCredentials yes # Legacy FarmShare Host corn corn?? rye rye?? HostName %h.stanford.edu Host corn corn.stanford.edu corn?? corn??.stanford.edu rye rye.stanford.edu rye?? rye??.stanford.edu ControlMaster auto ControlPersist yes GSSAPIDelegateCredentials yes # General Configuration Host * ControlPath ~/.ssh/%r@%h:%p GSSAPIKeyExchange yes GSSAPIAuthentication yes ServerAliveInterval 60