Secure Shell (SSH) for Unix
Important, Please Note! As of Nov. 26, 2007, ssh access via ssh Protocol 1 (ssh1) will be disabled at SLAC.
ssh Protocol 2 (ssh2) for Glast Linux Users
Modern Linux/Unix installations (e.g., RHEL4, OS X Tiger) already have all the software needed to use Protocol 2 effectively. This section details the recommended procedures for setting up ssh2 on your machine in order to access machines at SLAC.
Prerequisites
- To see what version you've got, issue the command:
ssh -V
Note: For best results from SLAC public machines, verify that you're using /usr/local/bin/ssh by, e.g., issuing:
which ssh
If you find that you are not using /usr/local/bin/ssh, you may want to adjust your PATH environment variable.
Verify that the Kerberos kinit command is available by issuing the command:
kinit --version
or
which kinit
to make sure it's there.
Files
If you don't already have one, make a file called .k5login in your home directory in SLAC AFS space. If you'll be logging in from a remote Linux machine, make an identical one there. The file should contain a single line:
myusername@SLAC.STANFORD.EDU
where myusername is replaced by your actual SLAC username.
Note: Observe that SLAC.STANFORD.EDU must be in UPPERCASE. All examples used in this procedure are correct as shown.
If you'll be logging in from a remote Linux machine, on that machine make a file called config in your .ssh directory containing these lines:
GSSAPIAuthentication yes
# Specifies whether user authentication based on GSSAPI is allowed.
# The default is ``no''. Note that this option applies to protocol
# version 2 only.
GSSAPIDelegateCredentials yes
# Forward (delegate) credentials to the server. The default is
# ``no''. Note that this option applies to protocol version 2
# only.
Note: Lines starting with # are comments, so they are not actually required.
If you'll be logging in from a remote Linux machine, copy the file /etc/krb5.conf from a SLAC unix machine to the remote machine or, if such a file already exists, you might want to merge SLAC-specific information into the existing one.
You need to be root in order to write to /etc; if you don't have sufficient privilege on the remote machine you will have to talk to someone who does.
Procedure
If you are working:
From a SLAC machine and you wish to ssh, or scp, or whatever, at the start of your work day type:
kinit
From non-SLAC machines, type:
kinit myusername@SLAC.STANFORD.EDU
Note: Observe that SLAC.STANFORD.EDU must be in UPPERCASE. All examples used in this procedure are correct as shown.
You will be prompted for your password.
Notes:
- Passwords. After entering your password once, you can ssh to a SLAC machine and you will immediately be logged in and have an afs token. You can also scp files to or from SLAC, or use cvs and you will not be prompted for a password.
- Running X Applications Remotely. If you wish to log onto a SLAC machine and run X applications remotely, you might need to modify your ssh command to include a -Y flag like this:
ssh -Y noric.slac.stanford.edu
Note: Observe upper and lower case. All examples used in this procedure are correct as shown.
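An added preflight check for the files this procedure creates (example code, not part of the original SLAC procedure). It verifies that .k5login holds only principals in the uppercase SLAC.STANFORD.EDU realm and is not writable by group or others, and reports whether GSSAPIDelegateCredentials in an ssh config is enabled for every server or only inside a specific Host block. The function names and the --check switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example: preflight checks; function names are hypothetical.
# Paths are arguments so the checks can be run on copies of the files.
REALM_RE='SLAC\.STANFORD\.EDU'   # realm from the page, case-sensitive

# check_k5login FILE
# Passes only if FILE exists, every non-blank line is user@SLAC.STANFORD.EDU,
# and FILE is not writable by group or others (each line in .k5login names
# a principal that is allowed to log in to the account).
check_k5login() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    grep -Eq "^[A-Za-z0-9._-]+@${REALM_RE}\$" "$f" ||
        { echo "no valid principal in $f"; return 1; }
    if grep -v '^[[:space:]]*$' "$f" | grep -Evq "^[A-Za-z0-9._-]+@${REALM_RE}\$"; then
        echo "unexpected line in $f (realm must be uppercase)"; return 1
    fi
    if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \))" ]; then
        echo "$f is writable by group or others"; return 1
    fi
    echo "ok: $f"
}

# delegation_scope FILE
# Prints where GSSAPIDelegateCredentials is enabled in an ssh client config:
#   global - before any Host/Match line or under "Host *" (every server)
#   host   - only inside specific Host/Match blocks
#   unset  - not enabled
delegation_scope() {
    awk '
        BEGIN { scope = "global"; result = "unset" }
        { sub(/^[ \t]+/, ""); n = split($0, kv, /[ \t=]+/) }
        n == 0 || kv[1] ~ /^#/ { next }
        { key = tolower(kv[1]) }
        key == "host" || key == "match" {
            scope = "host"
            for (i = 2; i <= n; i++) if (kv[i] == "*") scope = "global"
            next
        }
        key == "gssapidelegatecredentials" && tolower(kv[2]) == "yes" &&
            result != "global" { result = scope }
        END { print result }
    ' "$1"
}

# Check the real files only when asked: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    check_k5login "$HOME/.k5login"
    echo "delegation: $(delegation_scope "$HOME/.ssh/config")"
fi
```

A result of global for the config shown in the Files section means credentials are delegated to every server you ssh to, not only SLAC hosts.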
References
See The NEW Secure Shell (SSH) at SLAC, and refer to the first two sections under Using SSH, titled:
- Between UNIX machines at SLAC
and
- Between a SLAC machine and a non-SLAC machine.
End of SSH for Unix procedure.
Last updated by: Joanne Bogart 11/14/2007