Monday, 14 June 2010

Kerberos & SSH at CERN

Quick blog posting to save me having to explain to people what's needed:

1) RTFM: -- that's where most of the good debugging tips are

2) To get it working between, say, your Ubuntu laptop and CERN hosts, you'll need to append
    allow_weak_crypto = true
to the [libdefaults] section of /etc/krb5.conf (see bug).

3) Make life easy and put a few things in your ~/.ssh/config:

Host *
    Protocol 2
    VerifyHostKeyDNS yes
    VisualHostKey yes
    GSSAPIAuthentication yes
    PreferredAuthentications gssapi-with-mic,publickey

Host lxplus
    ForwardAgent yes
    GSSAPIDelegateCredentials yes

(Despite what the man page says, there are NO SPACES between the options in PreferredAuthentications; see SSH bug 1702.)
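A quick offline check for steps 2 and 3, added here as an example (it is not from the original post): two shell functions that report whether allow_weak_crypto is set under [libdefaults] and flag any PreferredAuthentications list containing spaces. The function names, the sample files and the EXAMPLE.ORG realm are constructed; point the functions at /etc/krb5.conf and ~/.ssh/config for real use.

```shell
# Added example, not from the original post: offline checks for steps 2 and 3.

# Print the value of allow_weak_crypto in the [libdefaults] section of a
# krb5.conf-style file, or "unset" when the key is absent from that section.
weak_crypto_setting() {
    awk '
        /^[ \t]*\[/ { in_ld = ($0 ~ /^[ \t]*\[libdefaults\][ \t]*$/); next }
        in_ld && /^[ \t]*allow_weak_crypto[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); val = $0
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# Print "<line number>: <line>" for each PreferredAuthentications entry in an
# ssh_config-style file whose method list contains a space or tab.
spaced_auth_lists() {
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (match(tolower(line), /^preferredauthentications[ \t=]+/)) {
                val = substr(line, RLENGTH + 1)
                sub(/[ \t]+$/, "", val)
                if (val ~ /[ \t]/) print NR ": " $0
            }
        }
    ' "$1"
}

# Constructed sample files (assumptions for the demo, not real CERN config).
demo_dir=$(mktemp -d)
cat > "$demo_dir/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.ORG
    allow_weak_crypto = true
[realms]
    allow_weak_crypto = false
EOF
cat > "$demo_dir/ssh_config" <<'EOF'
Host *
    PreferredAuthentications gssapi-with-mic,publickey
Host lxplus
    PreferredAuthentications gssapi-with-mic, publickey
EOF
echo "allow_weak_crypto in [libdefaults]: $(weak_crypto_setting "$demo_dir/krb5.conf")"
spaced_auth_lists "$demo_dir/ssh_config"   # lists the entries that contain spaces
```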
