Monday, 14 June 2010

Kerberos & SSH at CERN

Quick blog posting to save me having to explain to people what's needed:

1) RTFM: http://linux.web.cern.ch/linux/docs/kerberos-access.shtml -- that's where most of the good debugging tips are

2) To get it working between, say, your Ubuntu laptop and CERN hosts, you'll need to append
    allow_weak_crypto = true
to the [libdefaults] section of /etc/krb5.conf (see bug).

3) Make life easy and put a few things in your ~/.ssh/config:

host *
    Protocol 2
    VerifyHostKeyDNS yes
    VisualHostKey yes
    GSSAPIAuthentication yes
    PreferredAuthentications gssapi-with-mic,publickey

host lxplus
    hostname lxplus.cern.ch
    ForwardAgent yes
    GSSAPIDelegateCredentials yes
    GSSAPITrustDNS yes

(Despite what the man page says, there are NO SPACES between the options in PreferredAuthentications; see SSH bug 1702.)
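
A small checker for the two files edited above, as an added example that is not part of the original post: it flags whitespace in PreferredAuthentications, flags the forwarding and delegation options when they are enabled under host * instead of a named host as the post does, and reports whether allow_weak_crypto is on in [libdefaults]. The function names and the sample config are constructed for illustration.

```python
import re

# Set only for lxplus in the post; under "host *" they reach every server.
SCOPED_ONLY = {"forwardagent", "gssapidelegatecredentials", "gssapitrustdns"}
# Strings MIT krb5's profile parser reads as boolean true.
KRB5_TRUE = {"y", "yes", "true", "t", "1", "on"}

# Constructed sample: the post's config with two mistakes introduced.
BAD_SSH_CONFIG = """\
host *
PreferredAuthentications gssapi-with-mic, publickey
GSSAPIDelegateCredentials yes
host lxplus
ForwardAgent yes
"""

def check_ssh_config(text):
    """Return (host_pattern, message) findings for ssh_config text."""
    findings, host = [], "*"  # options before any Host line apply to all hosts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            host = value
        elif key == "preferredauthentications" and re.search(r"\s", value):
            findings.append((host, "PreferredAuthentications contains whitespace"))
        elif key in SCOPED_ONLY and value.lower() == "yes" and "*" in host.split():
            findings.append((host, parts[0] + " enabled for all hosts"))
    return findings

def weak_crypto_enabled(text):
    """True if allow_weak_crypto is set true in [libdefaults] of krb5.conf text."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "libdefaults" and "=" in line:
            key, value = (p.strip().lower() for p in line.split("=", 1))
            if key == "allow_weak_crypto":
                return value in KRB5_TRUE
    return False

if __name__ == "__main__":
    for host, msg in check_ssh_config(BAD_SSH_CONFIG):
        print(f"host {host}: {msg}")
```

Read your own ~/.ssh/config and /etc/krb5.conf into strings and pass them to the two functions; the config from this post produces no findings.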
