How to Set Up SSH Keys or Password-less Logins

Kerberos authentication is strongly recommended!

Kerberos Authentication Test

First, ensure that Kerberos authentication works on your machine. If you need to set it up, see these instructions. To test, run

kinit <your lxplus username>@CERN.CH

and check if klist -f shows "F" in the flags section.

If your site cannot configure Kerberos, you can instead put this in your login scripts after ATLAS_LOCAL_ROOT_BASE is defined:

(bash or zsh)
    export KRB5_CONFIG=$ATLAS_LOCAL_ROOT_BASE/user/krb5.conf
(tcsh)
    setenv KRB5_CONFIG $ATLAS_LOCAL_ROOT_BASE/user/krb5.conf

and retry the kinit command above.
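As an added example (not part of the original page), here is a small POSIX shell function that reads the output of klist -f and reports whether the krbtgt ticket carries the F (forwardable) flag. That flag is what the GSSAPIDelegateCredentials setting used on this page depends on: without it the login to lxplus may still succeed, but no ticket is delegated and you get no AFS token there. The klist output embedded below is constructed, and the parser assumes the MIT Kerberos layout in which each ticket line is followed by an indented "Flags:" line.

```shell
# Added example, not from the original page. Assumes MIT Kerberos "klist -f"
# output: each ticket line is followed by an indented "Flags: ..." line.

# tgt_flags: read klist -f output on stdin and print the flag letters of the
# krbtgt (ticket-granting) ticket, or nothing if there is no such ticket.
tgt_flags() {
    awk '
        /krbtgt\// { want = 1; next }                 # TGT line; flags come next
        want && /Flags:/ { sub(/.*Flags:[ \t]*/, ""); print; exit }
        { want = 0 }                                  # any other line resets state
    '
}

# tgt_is_forwardable: exit 0 when the TGT carries the F (forwardable) flag.
# ssh with GSSAPIDelegateCredentials can only hand a forwardable ticket to the
# remote side, so this is the check behind "look for F in klist -f".
tgt_is_forwardable() {
    case $(tgt_flags) in
        *F*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample outputs (not real tickets) so the check can be tried offline.
SAMPLE_OK='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: someuser@CERN.CH

Valid starting       Expires              Service principal
05/15/2008 10:00:00  05/16/2008 10:00:00  krbtgt/CERN.CH@CERN.CH
        Flags: FRIA'

SAMPLE_NOT_FWD='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: someuser@CERN.CH

Valid starting       Expires              Service principal
05/15/2008 10:00:00  05/16/2008 10:00:00  krbtgt/CERN.CH@CERN.CH
        Flags: RIA'

# Against the live cache:  klist -f | tgt_is_forwardable && echo "TGT is forwardable"
```

If the function reports a non-forwardable ticket, re-run kinit with -f (or set forwardable = true in the [libdefaults] section of your krb5.conf) before trying the ssh login again.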

SSH Keys and Password-less login for any machine

Setup

  • Create a key and enter a passphrase (it is dangerous not to use a passphrase for shell accounts: if the key file is copied, the passphrase is your only protection. This is particularly important for laptops.).
        ssh-keygen -t rsa
    Note that the default key files will be id_rsa and id_rsa.pub, but you can create them with a different name (in case you need different keys for different remote hosts, but try not to do that unless you have a good reason!) by adding the option -f ~/.ssh/<filename>.

  • Copy the public key to your remote machine; replace <username> and <remote machine name> below.
    ssh-copy-id <username>@<remote machine name>

  • After copying the above public key to lxplus, login to lxplus and type /afs/cern.ch/project/svn/dist/bin/set_ssh. This will fix the acl permissions of the file on lxplus.

  • Create a file ~/.ssh/config with the following information (there is a template you can copy from $ATLAS_LOCAL_ROOT_BASE/user/sshConfig).
    • If your lxplus username is different from your local account, add a "User <your lxplus username>" to the lxplus, git and svn sections.
Host lxplus*.cern.ch lxplus
Protocol 2
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
PubkeyAuthentication no
PasswordAuthentication yes
GSSAPITrustDns yes
ForwardX11 yes

Host svn.cern.ch svn
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPITrustDns yes
Protocol 2
ForwardX11 no

Host gitlab.cern.ch
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPITrustDns yes
Protocol 2
ForwardX11 no

Host *
Protocol 2
IdentityFile ~/.ssh/id_rsa

Make sure the ~/.ssh directory and its contents have their permissions set correctly (ssh will silently ignore a private key that is readable by group or others); an example is

  chmod 700 ~/.ssh
  chmod 600 ~/.ssh/id_rsa
  chmod 644 ~/.ssh/config ~/.ssh/id_rsa.pub
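As an added example (not from the original page), the following POSIX shell function audits the permission bits of an ssh directory in the way the chmod lines above set them: ssh refuses to use a private key readable by group or others, and sshd with StrictModes refuses a ~/.ssh or authorized_keys that anyone but the owner can write, so this catches the usual "key silently ignored" failures before the login attempt. The directory is a parameter so it can be run against a scratch copy, and the file layout (id_* keys, config, known_hosts, authorized_keys) is assumed. It applies to ordinary local filesystems only; on lxplus the AFS ACLs decide, which is why the page has you run set_ssh there.

```shell
# Added example, not from the original page: audit the permission bits of an
# ssh directory. Assumes the usual layout (id_* private keys, *.pub, config,
# authorized_keys, known_hosts). Prints one line per problem and returns
# non-zero if anything is wrong.

# mode_of PATH: print the octal permission bits (GNU stat, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_ssh_dir DIR: print one "BAD:" line per problem; return 0 if all is well.
audit_ssh_dir() {
    dir=$1
    bad=0

    # The directory itself must be owner-only (700).
    m=$(mode_of "$dir")
    case $m in
        700) ;;
        *) echo "BAD: $dir is mode $m, expected 700"; bad=1 ;;
    esac

    # Private keys (id_* without a .pub suffix): owner read/write only.
    for f in "$dir"/id_*; do
        [ -e "$f" ] || continue
        case $f in *.pub) continue ;; esac
        m=$(mode_of "$f")
        case $m in
            600|400) ;;
            *) echo "BAD: private key $f is mode $m, expected 600"; bad=1 ;;
        esac
    done

    # config, public keys, authorized_keys, known_hosts: readable is fine,
    # but they must never be writable by group or others.
    for f in "$dir"/config "$dir"/*.pub "$dir"/authorized_keys "$dir"/known_hosts; do
        [ -e "$f" ] || continue
        m=$(mode_of "$f")
        case $m in
            644|640|600|444|400) ;;
            *) echo "BAD: $f is mode $m, expected 644 or stricter"; bad=1 ;;
        esac
    done

    return $bad
}

# On a real account:  audit_ssh_dir "$HOME/.ssh" && echo "ssh directory permissions OK"
```

The check is deliberately stricter than ssh's own minimum (it insists on 700 for the directory rather than merely "not group/world writable") so that its result matches the chmod lines above exactly.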

Setup for Mac OS 10.12 and newer

Note: this will work only on Mac OS. To log in to lxplus, you will first need to run kinit <your lxplus username>@CERN.CH.

# This section is only for Mac OS.  It will fail elsewhere.
# For lxplus, you will first need to run kinit <lxplususername>@CERN.CH

Host svn.cern.ch svn
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
Protocol 2
ForwardX11 no

Host gitlab.cern.ch
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
Protocol 2
ForwardX11 no

Host lxplus*.cern.ch lxplus lxplus*
Protocol 2
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
PubkeyAuthentication no
ForwardX11 yes

Host *
Protocol 2
AddKeysToAgent yes
IdentityFile ~/.ssh/id_rsa
ServerAliveInterval 120

Usage

Kerberos Authentication

If you have Kerberos working and want to use it, type kinit <your lxplus username>@CERN.CH. (If your lxplus username is the same as on your current machine, you only need to type kinit.)

You should now be able to login to lxplus and also check out code from svn without a password.

Note: if you have public key identities known to your machine (e.g. if you type ssh -A to login), you may be asked for your public key password. Type ssh-add -D to remove these if you prefer Kerberos.

Public Key authentication

If Kerberos does not work, or if you forget to type kinit, then svn checkouts will ask for your public key passphrase (but not the password of the remote account on lxplus or svn!). On the other hand, lxplus logins will ask you for your lxplus password: you cannot do password-less ssh logins to lxplus without a Kerberos ticket, which is also what sets up your AFS tokens.

Some useful commands:

  • ssh-keygen -t rsa -p to change the passphrase of your ssh key (or to add a passphrase if your key currently has none).

So far, the only advantage you have gained is security: the password of the remote account is never transmitted. Now let's take this one step further so that you can avoid typing the passphrase more than once.

Using ssh-agent

If you are using a Mac, Keychain will store your ssh key passphrase so you will not have to type it each time. This way, it is really painless to log in remotely to any machine which has your public key. However, take care not to leave your desktop unlocked when you are away.

You will not need to do anything else for Linux either if you are on a GUI desktop or if you had logged in from a machine with ssh -A .... to forward the authentication agent to the new machine's session. SSH agent forwarding is useful if your private key is on system A, and you need to log in to system C via system B because A does not have direct network access to C. This avoids the need to store your private key on system B. Also look at "ForwardAgent" in the ssh_config man page to see an alternative to the -A command line option.

Note for lxplus

On lxplus, AFS ACLs decide permissions, so after creating anything in ~/.ssh run /afs/cern.ch/project/svn/dist/bin/set_ssh. Note that your public key file name must be id_rsa.*

-- AsokaDeSilva - 15 May 2008

Topic revision: r24 - 2019-07-30 - AsokaDeSilva