...
Turn on GSSAPI options in your ~/.ssh/config file.
Code Block # Specifies whether user authentication based on GSSAPI is allowed. GSSAPIAuthentication yes # Forward (delegate) credentials to the server. GSSAPIDelegateCredentials yes
On your non-SLAC machine:
Code Block kinit --renew || kinit --renewable userid@SLAC.STANFORD.EDU
replace 'userid' with your SLAC username, and replace 'machine' with a slac machine (eg, centos7.slac.stanford.edu).
Then each time before you ssh (or at least once per day), renew your Kerberos ticket with this command :(if the renew fails, then you will be prompted to enter your password to get a new Kerberos ticket). As long as your ticket remains renewable and hasn't expired, you can renew it for a longer period without having to enter your password again.
Code Block kinit --renew || kinit --renewable userid@SLAC.STANFORD.EDU
You can run the 'klist' command on your remote machine to view your Kerberos ticket:
Code Block klist
'klist -v' will show more details.
Now you can ssh to slac using Kerberos GSSAPI Authentication:
Code Block ssh userid@machine.slac.stanford.edu
...