sphenix-hcal-l AT lists.bnl.gov
Subject: sPHENIX HCal discussion
- From: Martin Purschke <purschke AT bnl.gov>
- To: "sphenix-emcal-l AT lists.bnl.gov" <sphenix-emcal-l AT lists.bnl.gov>, "sphenix-hcal-l AT lists.bnl.gov" <sphenix-hcal-l AT lists.bnl.gov>
- Subject: [Sphenix-hcal-l] at long last: ssh!
- Date: Sat, 9 Apr 2016 02:50:27 -0500
Dear all,
many of you are painfully aware of our struggles to establish ssh logins
to our gateway machine. ssh logins didn't work at all for the longest
time (what I had thought would be done 2hrs after we could move in took
until Friday to get to work at all).
We had established the poor man's login through hcalgw.phy.bnl.gov -
logging in to a machine that you can touch through BNL. Oh well. At
least it worked.
What remained were issues on MacOS. Around the various user groups are
ample warnings that Fermilab's authentication method of choice,
kerberos, has a lot of issues on MacOS, being an Apple-proprietary
implementation and all. Google lists, independent of FNAL, gazillions of
issues with MacOS-kerberos.
Anyway, here's the scoop. The Fermilab computing pages list, in addition
to a downloadable krb5.conf file, the supposedly golden few lines to add
to your /etc/ssh_login file, enabling the GSSAPI (kerberos) -
> # System-wide defaults set by MIT Kerberos Extras
> Host *.fnal.gov
> GSSAPIAuthentication yes
> GSSAPIDelegateCredentials yes
> GSSAPIKeyExchange yes
> GSSAPITrustDNS no
However, that works *only* if you are using your Mac's native ssh, which
few of us do. If you are using ssh installed through MacPorts or
homebrew, the relevant config file is somewhere else (use ssh -vv to
find out, mine is /opt/local/etc/ssh_config). And there it takes only
> Host *.fnal.gov
> GSSAPIAuthentication yes
> GSSAPIDelegateCredentials yes
An interim way to test this is to add -K to your ssh (enable
GSSAPIAuthentication).
So again, here is the procedure:
use klist to verify that you still have a non-expired kerberos tgt
(Ticket Granting Ticket). If not:
    kinit <your FNAL username> -f
    ssh -l ftbf_user ftbfbnl01.fnal.gov
Once that works, I suggest putting that into a script with some useful
tunnels
    ssh -l ftbf_user ftbfbnl01.fnal.gov \
        -L 10001:192.168.100.1:22 \
        -L 10010:192.168.100.10:22 \
        -L 17815:192.168.100.40:7815 \
        -L 10040:192.168.100.40:22 \
        -L 18081:192.168.100.80:8081 \
        -L 18082:192.168.100.81:8081
(in order:
- the sphenixdaq machine's ssh port
- Tom's DAQ machine's ssh port
- the T1044 elog
- hcaldaq's ssh port
- the hcal-watching webcam
- the emcal-watching webcam
)
Also, I need to enable your logins. Please let me know your FNAL login
name and I'll do that asap.
Finally, at
https://www.phenix.bnl.gov/~purschke/ftbf/
I keep the latest computing@fnal-related docs.
Martin
--
Martin L. Purschke, Ph.D. ; purschke AT bnl.gov
; http://www.phenix.bnl.gov/~purschke
;
Brookhaven National Laboratory ; phone: +1-631-344-5244
Physics Department Bldg 510 C ; fax: +1-631-344-3253
Upton, NY 11973-5000 ; skype: mpurschke
-----------------------------------------------------------------------
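As an added example (not part of the original message): a shell check for the point above that a MacPorts or homebrew ssh reads a different config file. It pulls the config path out of `ssh -vv` output and tests whether that file enables the GSSAPI options for `*.fnal.gov`. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. Function names are hypothetical.

# Read `ssh -vv` debug output on stdin; print every client config file ssh says it read.
ssh_config_files() {
    sed -n 's/^debug1: Reading configuration data //p'
}

# Exit 0 if FILE ($1) sets OPTION ($3) to yes in a Host block that lists PATTERN ($2) literally.
# Limitations (deliberate): no glob matching, Match and Include are not followed.
host_option_is_yes() {
    awk -v pat="$2" -v opt="$3" '
        BEGIN { opt = tolower(opt) }
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        { sub(/^[ \t]+/, ""); gsub(/=/, " ") }  # allow indentation and Key=value
        tolower($1) == "host" {
            inblock = 0
            for (i = 2; i <= NF; i++) if ($i == pat) inblock = 1
            next
        }
        tolower($1) == "match" { inblock = 0; next }
        # ssh keeps the first value it obtains for an option, so only the first hit counts
        inblock && tolower($1) == opt && !seen { seen = 1; yes = (tolower($2) == "yes") }
        END { exit (seen && yes) ? 0 : 1 }
    ' "$1"
}

# Constructed sample: debug lines in the format ssh -vv prints for a MacPorts client.
SAMPLE_DEBUG='debug1: Reading configuration data /opt/local/etc/ssh_config
debug2: resolving "ftbfbnl01.fnal.gov" port 22'

# Constructed sample config holding the shorter set of lines quoted in the message.
SAMPLE_CONFIG='Host *.fnal.gov
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes'

# Demo on the constructed data: which file is read, and what it enables for *.fnal.gov.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_CONFIG" > "$tmp"
    printf 'config read: %s\n' "$(printf '%s\n' "$SAMPLE_DEBUG" | ssh_config_files)"
    for o in GSSAPIAuthentication GSSAPIDelegateCredentials GSSAPIKeyExchange; do
        if host_option_is_yes "$tmp" '*.fnal.gov' "$o"; then s=yes; else s='not set'; fi
        printf '%s: %s\n' "$o" "$s"
    done
    rm -f "$tmp"
}
demo
```

Against a real client, pipe `ssh -vv <host> 2>&1` into `ssh_config_files` and run `host_option_is_yes` on each path it prints. GSSAPIDelegateCredentials forwards your Kerberos ticket to the remote host, which is why the check looks at the `*.fnal.gov` Host block rather than a global setting.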