
Subject : Re: LUG: Automatic authentication to EOS remote servers

From : Jack Neely <jjneely@ncsu.[redacted]>

Date : Mon, 27 Jul 2009 15:31:49 -0400



On Fri, Jul 24, 2009 at 07:16:02PM -0400, Daniel Underwood wrote:
> Hey folks:
>
> I'm aware that public-key authentication won't work with EOS remote
> servers (e.g., remote-linux.eos.ncsu.edu). But surely (read: hopefully)
> it's possible to set up a client to automatically authenticate with the
> servers. Anyone know a solution?

*nod* SSH keys won't work. It's a bit of a chicken-or-the-egg problem.

There is another solution, but it's more clunky. The SSH server can be
set up to accept Kerberos tickets forwarded from the client. So your
local machine has to be a realm box (or have enough Kerberos configured)
and the destination machine needs to be a realm box with extra
configuration. It basically needs its own Kerberos principal, which is
something we don't normally do for security reasons.

However, once the GSSAPI auth works, you still have to manually turn
your Kerberos tickets into AFS tokens. So, it's not much of a solution
either. Needless to say, we don't support it either.

>
> Because I know practically nothing about kerberos authentication, this
> may be a *dumb* question to those who are in the know. Pardon my
> ignorance. :)

Asking questions is good. It's how folks learn. AKA: There are no
stupid questions, only inquisitive idiots. :-)

We don't support passwordless SSH logins. Using passwordless SSH logins
can also create very difficult-to-track security issues. I don't
recommend their use either, which has become part of our security policy.

HTH,
Jack Neely

>

--
Jack Neely <jjneely@ncsu.[redacted]>
Linux Czar, OIT Campus Linux Services
Office of Information Technology, NC State University
GPG Fingerprint: 1917 5AC1 E828 9337 7AA4 EA6B 213B 765F 3B6A 5B89