Page History

SSH and Shared Accounts

Previously SLAC used a locally customized version of SSH that supported forwarding AFS tokens during login. Unfortunately, the latest versions of OpenSSH make maintaining these set of patches and keeping our software current very difficult. We are switching to a new version of ssh that supports Kerberos TGT forwarding and using this forwarded ticket to obtain an AFS token at login. This will make many things much easier and simpler in the future, but leaves us with a difficult transition period as the behavior of one of the most commonly used tools changes.

Accessing Shared Accounts

The new version will require you to use ssh version 2 to take advantage of the TGT forwarding and automatically get an afs token when logging into a shared access or role account. Version 1 rsa key based connections will continue to be supported until sometime in December 2007, but only a GSSAPI or kerberos login will get you an automatic AFS token on login. Due to DOE computer security requirements ssh version 1 will have to be phased out by 2008.