Versions Compared

Old Version 24

changes.mady.by.user Karl Amrhein

Saved on

compared with

New Version 25

changes.mady.by.user John Bartelt

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents:

Table of Contents

 


...

Login Nodes

The following machines can be used for remote SSH access to SLAC:

Load-balanced HostnameOperating System
centos7.slac.stanford.eduCentOS 7.x
rhel6-64.slac.stanford.eduRed Hat Enterprise Linux 6.x
iris.slac.stanford.eduRed Hat Enterprise Linux 6.x

 


Example usage:

Code Block
languagetext
ssh centos7.slac.stanford.edu

...

SSH is capable of forwarding X11 through the connection. This will be slow when you are connecting from a non-SLAC network. To display SLAC X11 / GUI applications to your remote desktop or laptop, we have FastX and NoMachine available. For more information on FastX, see https://confluence.slac.stanford.edu/display/SCSPub/FastX and https://www.starnet.com/fastx/ .  For NoMachine, see NoMachine .

FastX works for LAN or WAN access, and is optimized for Remote Linux X Windows, and can be used if the default SSH X11 tunneling does not provide adequate performance.

...

  1. Turn on GSSAPI options in your ~/.ssh/config file.

    Code Block
    # Specifies whether user authentication based on GSSAPI is allowed.
GSSAPIAuthentication yes

# Forward (delegate) credentials to the server.                   
GSSAPIDelegateCredentials yes

  2. On your non-SLAC machine:

    Code Block
    languagebash
    kinit --renew userid@SLAC.STANFORD.EDU || kinit --renewable userid@SLAC.STANFORD.EDU

    OR

    Code Block
    kinit -R userid@SLAC.STANFORD.EDU || kinit -r 7d userid@SLAC.STANFORD.EDU


    replace 'userid' with your SLAC username, and replace 'machine' with a slac machine (eg, centos7.slac.stanford.edu). Note: the version of 'kinit' on your machine may have different options, please see your local documentation (eg, 'man kinit' or 'kinit --help'

  3. Then each time before you ssh (or at least once per day), renew your Kerberos ticket with this command (if the renew fails, then you will be prompted to enter your password to get a new Kerberos ticket). As long as your ticket remains renewable and hasn't expired, you can renew it for a longer period without having to enter your password again.

    Code Block
    kinit --renew userid@SLAC.STANFORD.EDU || kinit --renewable userid@SLAC.STANFORD.EDU

    OR

    Code Block
    kinit -R userid@SLAC.STANFORD.EDU || kinit -r 7d userid@SLAC.STANFORD.EDU


    Note: the version of 'kinit' on your machine may have different options, please see your local documentation (eg, 'man kinit' or 'kinit --help' 


  4. You can run the 'klist' command on your remote machine to view your Kerberos ticket:

    Code Block
    klist

    'klist -v' will show more details.

  5. Now you can ssh to slac using Kerberos GSSAPI Authentication:

    Code Block
    ssh userid@machine.slac.stanford.edu

  6. After you ssh to SLAC, you can run the 'tokens' command to verify you have an AFS token:

    Code Block
    tokens

  7. After you ssh to SLAC, you can renew your afs token with this command

    Code Block
    kinit && aklog

...