KerberizedSSH < IT

IT Web>DesktopSupport>KerberizedSSH (2009-02-13, AndrewPickford) (raw view)
---+ Kerberized SSH

At FNAL Kerberized openssh is built for the FNAL flavour of Scientific Linux http://www-oss.fnal.gov/projects/fermilinux/common/kerberos.html.  The kerberized openssh packages built by FNAL have the same name and occupy the same file positions as the normal openssh.  Therefore on a normal Scientific LINUX machine where the FNAL build of openssh is installed any update of openssh will overwrite the FNAL RPM.  To get around this problem the openssh RPM was built with a prefix and a different package name.  The common and clients packages from this build

<pre>
kerberized-openssh
kerberized-openssh-clients
</pre>
are installed on every PPE desktop system.  They can also be installed on PPE laptops as needed.

----

To use kerberized ssh:

1. Source one of the scripts depending on your shell<sup>1</sup>.  For example a bash user would:
<pre>
source /usr/fermi/kerberized-ssh/scripts/kerberized-ssh.sh
</pre>

2. Generate a kerberos ticket.
<pre>
kinit user
</pre>

3. Connect to a remote machine.
<pre>
ssh machine
</pre>

----

(1) - After one of these scripts has been sourced users will be unable to use kerberos to access CERN's central cvs repository.  Before trying to access CERN's repository unset KRB5_CONFIG via

<pre>
unset KRB5_CONFIG
</pre>

for bash users or

<pre>
unsetenv KRB5_CONFIG
</pre>

for tcsh users.


-- Main.AndrewPickford - 13 Feb 2009
Topic revision: r1 - 2009-02-13 - AndrewPickford