openssh and kerberos

At home I use Ubuntu for my various machines and I’ve now hit this problem a couple of times so it is probably worth detailing it here in case it affects anyone else. Before logging in to an Informatics machine with ssh I prefer to kinit to get my INF.ED.AC.UK principal into the ticket cache. Amongst other things this means I don’t need to keep typing in my password whenever I use ssh. This all works nicely but if you do not have an ssh client configuration file (.ssh/config) you can login but then will have no kerberos tickets or AFS tokens on the Informatics machine. This results in a very weird experience where you think the server is bust but everyone else can use it just fine. The solution is to add something like this:

Host *.inf.ed.ac.uk
  User squinney
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes

Obviously you will need to change your username appropriately.

One Response to openssh and kerberos

  1. toby says:

    Hi Stephen, we’ve got instructions along these lines on the support faq: http://www.inf.ed.ac.uk/systems/support/FAQ/index.html#KB5

    I might add a note about restricting it to certain hosts though.

    Does ubuntu have GSSAPIKeyExchange and GSSAPIRenewalForcesRekey options?

    Toby