...
SSH between a non-SLAC machine and a SLAC machine
You can ssh from offsite to rhel6-64, iris, or centos7. You will be prompted for your SLAC password. This method works fine.
If you want to use "passwordless" authenticationIf you have an AFS home directory on your SLAC linux computer, using ssh host keys will not be very useful since that will not provide you with an AFS token. If you have an AFS home directory on your SLAC linux computer, you will get logged in, but you will not have write access since you do not get an AFS token. Instead of ssh host keys, you can use Kerberos (GSSAPI) Authentication by doing the following:
Turn on GSSAPI options in your ~/.ssh/config file.
Code Block # Specifies whether user authentication based on GSSAPI is allowed. GSSAPIAuthentication yes # Forward (delegate) credentials to the server. GSSAPIDelegateCredentials yes
On your non-SLAC machine:
Code Block kinit --renewable userid@SLAC.STANFORD.EDU ssh userid@machine.slac.stanford.edu
replace 'userid' with your SLAC username, and replace 'machine' with a slac machine (eg, centos7.slac.stanford.edu).
Then each time before you ssh (or at least once per day), renew your Kerberos ticket with this command:
Code Block kinit --renew
You can run the 'klist' command on your remote machine to view your Kerberos ticket:
Code Block klist
'klist -v' will show more details.
Now you can ssh to slac using Kerberos GSSAPI Authentication:
Code Block ssh userid@machine.slac.stanford.edu
If your ssh attempt to SLAC just hangs for a long time, that probably means your Kerberos ticket has expired. You can run 'klist' to verify that. You can run 'kdestroy' and then your ssh attempt won't hang (but you will be prompted to authenticate using a password).