You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 16 Next »

Table of Contents:

 

Login Nodes

The following machines can be used for remote SSH access to SLAC:

Load-balanced HostnameOperating System
centos7.slac.stanford.eduCentOS 7.x
rhel6-64.slac.stanford.eduRed Hat Enterprise Linux 6.x
iris.slac.stanford.eduRed Hat Enterprise Linux 6.x

 

Example usage:

ssh centos7.slac.stanford.edu

You can add your username to the login command like this:

ssh centos7.slac.stanford.edu -l username

(replace "username" with your actual SLAC username.

X11 GUI access

SSH is capable of forwarding X11 through the connection. This will be slow when you are connecting from a non-SLAC network. To display SLAC X11 / GUI applications to your remote desktop or laptop, we have FastX available. For more information, see https://confluence.slac.stanford.edu/display/SCSPub/FastX and https://www.starnet.com/fastx/ .

FastX works for LAN or WAN access, and is optimized for Remote Linux X Windows, and can be used if the default SSH X11 tunneling does not provide adequate performance.

Data Transfer Nodes (DTN)

ssh and scp are not the most optimized tool for large data transfers. bbcp and/or globus are better choices. There are two Data Transfer Nodes available for this:

dtn01.slac.stanford.edu
dtn02.slac.stanford.edu

For more information, see https://confluence.slac.stanford.edu/display/SCSPub/Transferring+Data .

SSH between a non-SLAC machine and a SLAC machine

You can ssh from offsite to rhel6-64, iris, or centos7.  You will be prompted for your SLAC password. This method works fine.

If you want to use "passwordless" authentication, using ssh host keys will not be very useful since that will not provide you with an AFS token. If you have an AFS home directory on your SLAC linux computer, you will get logged in, but you will not have write access since you do not get an AFS token.  Instead of ssh host keys, you can use Kerberos (GSSAPI) Authentication by doing the following:

  1. Turn on GSSAPI options in your ~/.ssh/config file.

    # Specifies whether user authentication based on GSSAPI is allowed.
GSSAPIAuthentication yes

# Forward (delegate) credentials to the server.                   
GSSAPIDelegateCredentials yes

  2. On your non-SLAC machine:

    kinit --renew || kinit --renewable userid@SLAC.STANFORD.EDU

    replace 'userid' with your SLAC username, and replace 'machine' with a slac machine (eg, centos7.slac.stanford.edu).

  3. Then each time before you ssh (or at least once per day), renew your Kerberos ticket with this command (if the renew fails, then you will be prompted to enter your password to get a new Kerberos ticket). As long as your ticket remains renewable and hasn't expired, you can renew it for a longer period without having to enter your password again.

    kinit --renew || kinit --renewable userid@SLAC.STANFORD.EDU

  4. You can run the 'klist' command on your remote machine to view your Kerberos ticket:

    klist

    'klist -v' will show more details.

  5. Now you can ssh to slac using Kerberos GSSAPI Authentication:

    ssh userid@machine.slac.stanford.edu

If your ssh attempt to SLAC just hangs for a long time, that probably means your Kerberos ticket has expired.  You can run 'klist' to verify that.  You can run 'kdestroy' and then your ssh attempt won't hang (but you will be prompted to authenticate using a password).

  • No labels