Advanced Connection Options
From FarmShare
Line 12: | Line 12: | ||
It is possible to enable forwarding by adding the ssh option '''GSSAPIDelegateCredentials''' to ~/.ssh/config, but you should do so only for trusted computers. Something like the following is recommended: | It is possible to enable forwarding by adding the ssh option '''GSSAPIDelegateCredentials''' to ~/.ssh/config, but you should do so only for trusted computers. Something like the following is recommended: | ||
- | <pre>Host cardinal cardinal? corn corn?? | + | <pre>Host cardinal cardinal? corn corn?? barley barley?? |
HostName %h.stanford.edu | HostName %h.stanford.edu | ||
- | Host cardinal cardinal? cardinal*.stanford.edu corn corn?? corn*.stanford.edu | + | Host cardinal cardinal? cardinal*.stanford.edu corn corn?? corn*.stanford.edu barley barley?? barley*.stanford.edu |
GSSAPIKeyExchange yes | GSSAPIKeyExchange yes | ||
GSSAPIAuthentication yes | GSSAPIAuthentication yes | ||
GSSAPIDelegateCredentials yes | GSSAPIDelegateCredentials yes | ||
</pre> | </pre> | ||
- | This configuration should work safely in all common cases for both cardinal and corn systems. | + | This configuration should work safely in all common cases for both cardinal and corn systems. The barley systems are included here, but connecting directly to these is discouraged except for the purpose of troubleshooting jobs. |
- | See the man page for ssh_config for more information on GSSAPI options. | + | See the man page for ssh_config for more information on GSSAPI options. |
=== PuTTY === | === PuTTY === |
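Review bot: The new `barley*.stanford.edu` pattern on the second Host line is broader than the `barley??` short names beside it. It matches any stanford.edu name that starts with "barley", and that block turns on GSSAPIDelegateCredentials, so tickets would be forwarded to every such host. Consider `barley??.stanford.edu` to keep delegation to the numbered machines; the existing `corn*.stanford.edu` has the same reach. The added sentence also says direct connections to barley are discouraged while the text before it still reads "for both cardinal and corn systems", so it would help to state why barley gets delegation and to update that wording.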
Revision as of 10:40, 7 February 2012
Public Key Authentication
Public key authentication is not supported by FarmShare systems. However...
GSSAPI (Kerberos) Authentication
FarmShare systems do support password-less authentication using GSSAPI.
OpenSSH (Linux, Mac OS X)
The default configuration of OpenSSH uses GSSAPI for authentication if a valid Kerberos ticket is present but does not forward tickets to the remote system, which can cause problems with AFS.
It is possible to enable forwarding by adding the ssh option GSSAPIDelegateCredentials to ~/.ssh/config, but you should do so only for trusted computers. Something like the following is recommended:
Host cardinal cardinal? corn corn?? barley barley??
    HostName %h.stanford.edu
Host cardinal cardinal? cardinal*.stanford.edu corn corn?? corn*.stanford.edu barley barley?? barley*.stanford.edu
    GSSAPIKeyExchange yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
This configuration should work safely in all common cases for both cardinal and corn systems. The barley systems are included here, but connecting directly to these is discouraged except for the purpose of troubleshooting jobs.
See the man page for ssh_config for more information on GSSAPI options.
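To see which typed host names the configuration above would forward tickets to, the following added example (not part of the FarmShare page) models ssh_config Host matching in simplified form: only the `*`, `?` and `!` pattern rules, whitespace-separated keywords, and "first value obtained wins". The host names in the demo loop are constructed.

```python
import re

# The configuration recommended on this page, embedded so the example runs offline.
CONFIG = """\
Host cardinal cardinal? corn corn?? barley barley??
    HostName %h.stanford.edu
Host cardinal cardinal? cardinal*.stanford.edu corn corn?? corn*.stanford.edu barley barley?? barley*.stanford.edu
    GSSAPIKeyExchange yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
"""

def pattern_matches(pattern, host):
    """ssh_config patterns: '*' is any run of characters, '?' is exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, host) is not None

def host_line_matches(patterns, host):
    """A Host line matches if a positive pattern matches and no '!' pattern does."""
    if any(p.startswith("!") and pattern_matches(p[1:], host) for p in patterns):
        return False
    return any(pattern_matches(p, host) for p in patterns if not p.startswith("!"))

def effective_options(config, host):
    """Options applied for `host` as typed on the command line (simplified model)."""
    options, active = {}, True  # lines before any Host block apply to every host
    for raw in config.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        keyword, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if keyword == "host":
            active = host_line_matches(value.split(), host)
        elif active:
            options.setdefault(keyword, value)  # first value obtained wins
    if "hostname" in options:
        options["hostname"] = options["hostname"].replace("%h", host)
    return options

def delegates(host):
    """True if Kerberos tickets would be forwarded when connecting to `host`."""
    return effective_options(CONFIG, host).get("gssapidelegatecredentials") == "yes"

if __name__ == "__main__":
    # Constructed names; "cornucopia" is made up to show how far corn* reaches.
    for name in ["corn01", "corn01.stanford.edu", "cornucopia.stanford.edu", "corn01.example.org"]:
        print(f"{name:26} delegate={delegates(name)}")
```

Matching is done on the name as typed, so `corn01` picks up both blocks while `corn01.stanford.edu` matches only the second; any name that `corn*.stanford.edu` covers also receives forwarded tickets.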
PuTTY
PuTTY supports GSSAPI authentication as of version 0.61; it also attempts to use GSSAPI by default but does not forward tickets. To enable forwarding: select Connection -> SSH -> Auth -> GSSAPI -> Allow GSSAPI credential delegation.
SecureCRT
You can enable GSSAPI authentication in SecureCRT's Session Options dialog, in category Connection -> SSH2. Make sure Authentication -> GSSAPI and Key exchange -> Kerberos (Group Exchange) and/or Key exchange -> Kerberos are checked. SecureCRT attempts authentication and key exchange methods in the order listed, so these methods should be moved to the top of their stacks.
Verifying Credentials
After you successfully connect to the destination host, use klist -f to see which Kerberos credentials got forwarded.