Ssh using kerberos

Revision as of 12:59, 9 July 2007 by Teuben

In the (simple) old-style ssh you would pass around your public key (from ~/.ssh, or as generated using the ssh-keygen program) and store it on the remote machine in the file ~/.ssh/authorized_keys. After this, ssh would allow you to log on to that machine without needing to type your password.

Since GLUE is using Kerberos, this won't work anymore. Your client machine will have to be modified to know about the GLUE Kerberos system. On Linux machines you should modify two files:


       default_realm = UMD.EDU
       dns_lookup_kdc = true
       dns_lookup_realm = true


   GSSAPIAuthentication          yes
   GSSAPIDelegateCredentials     yes

After this, the kinit command is used to authenticate you, and whenever you log on to a GLUE machine, it will let you in. There is one minor hiccup: if you write shell scripts that do automated ssh logons, do the logon manually once first, since you will see the usual question when it's a new machine, and it will then be added to your ~/.ssh/known_hosts file.

Actually, isn't there another major hiccup? Once you run klist, it is only good for 24 hours. Or if you set another lifetime, e.g. 2 days, using

   kinit -l 2d
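
A preflight check for the two hiccups above (an expired ticket and a host not yet in ~/.ssh/known_hosts), as an added example that is not part of the original page. The function names, the exit codes 10 and 11, and the KLIST, KEYGEN and KNOWN_HOSTS override variables are assumptions made for the example; `klist -s` and `ssh-keygen -F` are the standard Kerberos and OpenSSH calls.

```shell
#!/bin/sh
# Added example: checks to run before an unattended ssh job on a Kerberos site.
# KLIST, KEYGEN and KNOWN_HOSTS are overridable (assumption of this example)
# so the checks can be exercised without a KDC or a real known_hosts file.
KLIST=${KLIST:-klist}
KEYGEN=${KEYGEN:-ssh-keygen}
KNOWN_HOSTS=${KNOWN_HOSTS:-$HOME/.ssh/known_hosts}

# klist -s prints nothing; exit status 0 means the credential cache
# holds a ticket that has not expired.
have_ticket() {
    "$KLIST" -s 2>/dev/null
}

# ssh-keygen -F prints the matching entry, and also finds hosts stored in
# hashed form. Testing for output works whatever the exit status convention.
host_is_known() {
    [ -f "$KNOWN_HOSTS" ] &&
        [ -n "$("$KEYGEN" -F "$1" -f "$KNOWN_HOSTS" 2>/dev/null)" ]
}

# Returns 0 when ssh can run unattended, 10 when there is no valid ticket,
# 11 when the host key has not been accepted yet.
preflight() {
    host=$1
    if ! have_ticket; then
        echo "no valid Kerberos ticket: run kinit first" >&2
        return 10
    fi
    if ! host_is_known "$host"; then
        echo "$host not in $KNOWN_HOSTS: log on once by hand and check its key" >&2
        return 11
    fi
    return 0
}

# BatchMode=yes makes ssh fail instead of prompting, so a script never hangs
# on a password or host-key question; only GSSAPI authentication is offered.
# Usage: run_remote somehost.example.edu uptime
run_remote() {
    host=$1; shift
    preflight "$host" || return $?
    ssh -o BatchMode=yes -o PreferredAuthentications=gssapi-with-mic \
        -o StrictHostKeyChecking=yes "$host" "$@"
}
```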