  1. Turn on GSSAPI options in your ~/.ssh/config file.

    # Specifies whether user authentication based on GSSAPI is allowed.
    GSSAPIAuthentication yes
    
    # Forward (delegate) credentials to the server.                   
    GSSAPIDelegateCredentials yes
    
  2. On your non-SLAC machine:

    kinit --renew userid@SLAC.STANFORD.EDU || kinit --renewable userid@SLAC.STANFORD.EDU
    

    Replace 'userid' with your SLAC username, and replace 'machine' with a SLAC machine (e.g., centos7.slac.stanford.edu).

  3. Then, each time before you ssh (or at least once per day), renew your Kerberos ticket with this command. If the renewal fails, you will be prompted to enter your password to get a new Kerberos ticket. As long as your ticket remains renewable and hasn't expired, you can renew it for a longer period without having to enter your password again.

    kinit --renew userid@SLAC.STANFORD.EDU || kinit --renewable userid@SLAC.STANFORD.EDU
    
  4. You can run the 'klist' command on your remote machine to view your Kerberos ticket:

    klist
    

    'klist -v' will show more details.

  5. Now you can ssh to SLAC using Kerberos GSSAPI authentication:

    ssh userid@machine.slac.stanford.edu
    
  6. After you ssh to SLAC, you can run the 'tokens' command to verify you have an AFS token:

    tokens
    
  7. After you ssh to SLAC, you can renew your AFS token with this command:

    kinit

    If the 'tokens' command on a SLAC machine does not show an AFS token after you run the 'kinit' command on a SLAC machine, then you can run 'aklog' on the SLAC machine to get an AFS token from your Kerberos ticket:

    aklog

If your ssh attempt to SLAC just hangs for a long time, or you are prompted for your password, that probably means your Kerberos ticket has expired.  You can run 'klist' to verify that.  You can run 'kdestroy' and then your ssh attempt won't hang (but you will be prompted to authenticate using a password).
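
The following wrapper is an added example, not part of the original page or SLAC's own tooling: it runs the renewal from step 3, refuses to start ssh without a valid ticket, and passes the GSSAPI options for that one connection so credentials are delegated only to hosts under slac.stanford.edu. The function names, the input checks, the `PreferredAuthentications` setting and the reliance on `klist -s` returning a non-zero status when no valid ticket exists are assumptions of this example.

```shell
#!/bin/sh
# Added example, not SLAC's own tooling. Function names are hypothetical.
# Assumption: 'klist -s' prints nothing and exits non-zero without a valid ticket.
REALM="SLAC.STANFORD.EDU"

# Steps 2-3: renew without a password if possible, otherwise request a new
# renewable ticket (kinit prompts for the password).
ensure_ticket() {
    kinit --renew "$1@$REALM" || kinit --renewable "$1@$REALM"
}

# Only hosts under slac.stanford.edu may receive delegated credentials.
# Names with unexpected characters or a leading '-' or '.' are rejected.
is_slac_host() {
    case $1 in
        *[!A-Za-z0-9.-]*|-*|.*) return 1 ;;
        *.slac.stanford.edu)    return 0 ;;
        *)                      return 1 ;;
    esac
}

# Reject empty userids and anything that could be parsed as an option.
is_plain_userid() {
    case $1 in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *)                  return 0 ;;
    esac
}

# Usage: slac_ssh userid machine.slac.stanford.edu
slac_ssh() {
    user=$1
    host=$2
    is_plain_userid "$user" || { echo "refusing userid: $user" >&2; return 2; }
    is_slac_host "$host"    || { echo "refusing host: $host" >&2; return 2; }
    # Stop before ssh if there is still no valid ticket after the renewal.
    { ensure_ticket "$user" && klist -s; } ||
        { echo "no valid Kerberos ticket for $user@$REALM" >&2; return 3; }
    # The GSSAPI options apply to this connection only. Restricting the
    # authentication method (an added choice) makes a Kerberos failure stop
    # here instead of falling back to a password prompt.
    ssh -o GSSAPIAuthentication=yes \
        -o GSSAPIDelegateCredentials=yes \
        -o PreferredAuthentications=gssapi-with-mic \
        -- "$user@$host"
}
```

Source the file and call `slac_ssh userid centos7.slac.stanford.edu`; a return status of 2 means the userid or host was refused, and 3 means no valid ticket could be obtained.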