Advanced Connection Options

From FarmShare

(Difference between revisions)
m (Two-factor Authentication)
Line 36: Line 36:
After you successfully connect to the destination host, use '''klist -f''' to see which Kerberos credentials got forwarded.
After you successfully connect to the destination host, use '''klist -f''' to see which Kerberos credentials got forwarded.
-
=== Two-factor Authentication ===
+
== Two-factor Authentication ==
In order to avoid having to 'Duo' every time you want to open a new terminal to corn we have a work around. Add the following lines to your ~/.ssh/config file on your local machine (not on FarmShare) to enable ControlMaster which will create a tunnel on your first login, and will re-use the same tunnel on subsequent connections, thus avoiding Duo after the initial connection. This will only work if you are logging into the same node to which the tunnel was established. Once you are logged onto a corn node, hopping(ssh) to any other corn will '''not''' require Duo again. [[Main Page#Duo_Two-Factor]]
In order to avoid having to 'Duo' every time you want to open a new terminal to corn we have a work around. Add the following lines to your ~/.ssh/config file on your local machine (not on FarmShare) to enable ControlMaster which will create a tunnel on your first login, and will re-use the same tunnel on subsequent connections, thus avoiding Duo after the initial connection. This will only work if you are logging into the same node to which the tunnel was established. Once you are logged onto a corn node, hopping(ssh) to any other corn will '''not''' require Duo again. [[Main Page#Duo_Two-Factor]]
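Review bot: Promoting the heading from === to == is consistent with the rest of the page: the rendered revision shows Two-factor Authentication as a section of its own, at the same level as GSSAPI (Kerberos) Authentication, rather than a subsection of Verifying Credentials, so the change matches the structure. One style point in the unchanged context line: it ends with a bare [[Main Page#Duo_Two-Factor]] link, which renders as its raw target text; a piped label such as [[Main Page#Duo_Two-Factor|Duo two-factor authentication]] would read better in the paragraph.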

Revision as of 13:27, 23 June 2015

Public Key Authentication

Public key authentication is not supported by FarmShare systems. However...

GSSAPI (Kerberos) Authentication

FarmShare systems do support password-less authentication using GSSAPI.

OpenSSH (Linux, Mac OS X)

The default configuration of OpenSSH uses GSSAPI for authentication if a valid Kerberos ticket is present, but it does not forward (delegate) tickets to the remote system; without a forwarded ticket, AFS access on the remote system can fail.

It is possible to enable forwarding by adding the ssh option GSSAPIDelegateCredentials to ~/.ssh/config, but you should do so only for trusted computers. Something like the following is recommended:

Host cardinal cardinal? corn corn?? rye rye?? barley barley??
    HostName %h.stanford.edu

Host cardinal cardinal? cardinal*.stanford.edu corn corn?? corn*.stanford.edu rye rye?? rye*.stanford.edu barley barley?? barley*.stanford.edu
    GSSAPIKeyExchange yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

This configuration should work safely in all common cases for both cardinal and corn systems. The barley systems are included here, but connecting directly to these is discouraged except for the purpose of troubleshooting jobs.

See the man page for ssh_config for more information on GSSAPI options.

PuTTY

PuTTY supports GSSAPI authentication as of version 0.61; it also attempts to use GSSAPI by default but does not forward tickets. To enable forwarding: select Connection -> SSH -> Auth -> GSSAPI -> Allow GSSAPI credential delegation.

SecureCRT

You can enable GSSAPI authentication in SecureCRT's Session Options dialog, in category Connection -> SSH2. Make sure Authentication -> GSSAPI and Key exchange -> Kerberos (Group Exchange) and/or Key exchange -> Kerberos are checked. SecureCRT attempts authentication and key exchange methods in the order listed, so these methods should be moved to the top of their stacks.

Verifying Credentials

After you successfully connect to the destination host, use klist -f to see which Kerberos credentials got forwarded.

Two-factor Authentication

In order to avoid having to 'Duo' every time you want to open a new terminal to corn, we have a workaround. Add the following lines to your ~/.ssh/config file on your local machine (not on FarmShare) to enable ControlMaster, which will create a tunnel on your first login and reuse the same tunnel on subsequent connections, thus avoiding Duo after the initial connection. This will only work if you are logging into the same node to which the tunnel was established. Once you are logged onto a corn node, hopping (via ssh) to any other corn will not require Duo again. See Main Page#Duo_Two-Factor.

Host corn corn?? corn.stanford.edu corn??.stanford.edu
    ControlMaster auto
    ControlPath ~/.ssh/%r@%h:%p
    ControlPersist yes
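An added example, not part of the FarmShare page: a small Python resolver that applies the two ~/.ssh/config fragments on this page (the GSSAPI delegation block and the ControlMaster block) with the Host-pattern matching rules of ssh_config(5), where patterns are matched against the host name you typed and the first value obtained for an option wins. It lets you check, before connecting, which names actually receive forwarded Kerberos credentials and a shared ControlMaster socket, and which do not (a three-digit name such as corn123 matches neither corn?? nor corn*.stanford.edu), and it flags a delegation entry that would forward your ticket to every host. The config text is the page's own fragments concatenated; the host names, the user name alice and the function names are assumptions.

```python
"""Added example: resolve effective ssh_config options for a typed host name
the way OpenSSH does (ssh_config(5) Host patterns, first obtained value wins)."""
from fnmatch import fnmatchcase

# Constructed sample: the two ~/.ssh/config fragments from the page, concatenated.
SAMPLE_CONFIG = """
Host cardinal cardinal? corn corn?? rye rye?? barley barley??
    HostName %h.stanford.edu

Host cardinal cardinal? cardinal*.stanford.edu corn corn?? corn*.stanford.edu rye rye?? rye*.stanford.edu barley barley?? barley*.stanford.edu
    GSSAPIKeyExchange yes
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host corn corn?? corn.stanford.edu corn??.stanford.edu
    ControlMaster auto
    ControlPath ~/.ssh/%r@%h:%p
    ControlPersist yes
"""


def parse_config(text):
    """Split ssh_config text into (host_patterns, {option: value}) blocks.

    Keywords are case-insensitive in ssh_config, so they are lowercased here;
    options before the first Host line apply to every host ("*")."""
    blocks = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            if options:
                blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options[key] = value
    if options:
        blocks.append((patterns, options))
    return blocks


def host_matches(name, patterns):
    """ssh_config semantics: '*' and '?' are wildcards, and a '!'-negated
    pattern that matches excludes the host even if another pattern matched."""
    matched = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if fnmatchcase(name, pattern[1:]):
                return False
        elif fnmatchcase(name, pattern):
            matched = True
    return matched


def resolve(name, text=SAMPLE_CONFIG):
    """Effective options for the host name typed on the command line.

    Host patterns are matched against the typed name, not the HostName it maps
    to, which is why the page's delegation block lists both the short names and
    the .stanford.edu forms. The first value obtained for an option wins."""
    effective = {}
    for patterns, options in parse_config(text):
        if host_matches(name, patterns):
            for key, value in options.items():
                effective.setdefault(key, value)
    # Inside HostName, %h stands for the name that was typed.
    effective["hostname"] = effective.get("hostname", name).replace("%h", name)
    return effective


def delegates_credentials(name, text=SAMPLE_CONFIG):
    """True if connecting to `name` would forward your Kerberos credentials."""
    return resolve(name, text).get("gssapidelegatecredentials", "no").lower() == "yes"


def control_socket_path(name, user, port=22, text=SAMPLE_CONFIG):
    """Path of the ControlMaster socket for `name`, or None if the host gets no
    ControlPath. %r, %h and %p expand to user, remote host name and port."""
    opts = resolve(name, text)
    path = opts.get("controlpath")
    if path is None:
        return None
    return path.replace("%r", user).replace("%h", opts["hostname"]).replace("%p", str(port))


def overly_broad_delegation(text=SAMPLE_CONFIG):
    """Host patterns that forward credentials to every host (wildcards only).
    Such an entry hands your ticket to any machine you ssh to, which is the
    exposure the page warns about; the page's own config yields none."""
    broad = []
    for patterns, options in parse_config(text):
        if options.get("gssapidelegatecredentials", "").lower() == "yes":
            broad.extend(p for p in patterns if p and set(p) <= set("*?"))
    return broad


if __name__ == "__main__":
    for host in ("corn07", "corn07.stanford.edu", "corn123", "cardinal", "other.example.org"):
        print(host, "->", resolve(host)["hostname"],
              "| delegate:", delegates_credentials(host),
              "| socket:", control_socket_path(host, "alice"))
    print("broad delegation patterns:", overly_broad_delegation())
```

Running the block shows that corn07 and corn07.stanford.edu both get delegation and a socket at ~/.ssh/alice@corn07.stanford.edu:22, while corn123 and an unrelated host get neither. Because anyone who can open that socket inherits the already-authenticated session, keep the ControlPath directory private: ssh_config(5) recommends placing the socket in a directory that other users cannot write to, which ~/.ssh with its usual 0700 mode satisfies.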