sphenix-hcal-l - Re: [Sphenix-hcal-l] [Sphenix-emcal-l] at long last: ssh!

sphenix-hcal-l AT lists.bnl.gov

Subject: sPHENIX HCal discussion

  • From: John Haggerty <haggerty AT bnl.gov>
  • To: sphenix-emcal-l AT lists.bnl.gov
  • Cc: "sphenix-hcal-l AT lists.bnl.gov" <sphenix-hcal-l AT lists.bnl.gov>
  • Subject: Re: [Sphenix-hcal-l] [Sphenix-emcal-l] at long last: ssh!
  • Date: Sat, 9 Apr 2016 10:11:49 -0500

Martin,

Thanks! I was feeling so listless and disconnected before.

I still needed to do some wrestling on my Mac (El Capitan). Here are some things that got me in:

I had to kinit like this:

kinit myusername AT FNAL.GOV

where the capitals made a difference; with just myusername, I seemed to authenticate to DHCP.FNAL.GOV and that never got me a ticket.

Second, with both the Apple ssh and the latest OpenSSH from homebrew, I got

[~]$ ssh -l ftbf_user ftbfbnl01.fnal.gov
ssh_dispatch_run_fatal: Connection to 131.225.176.28: unexpected internal error

but with

ssh -o GSSAPIKeyExchange=no -l ftbf_user ftbfbnl01.fnal.gov

I'm in and copying files and changing the bias and what all right from home! (No, I'm not really doing those things, but I could.)

I have had problems with Kerberos in the past trying to get a weak cipher version working that would work with AFS at RACF, so some of this may be due to that, but El Capitan seems to really dislike the Heimdal implementation of Kerberos.

On 4/9/16 2:50 AM, Martin Purschke wrote:

Dear all,

many of you are painfully aware of our struggles to establish ssh logins
to our gateway machine. ssh logins didn't work at all for the longest
time (what I had thought would be done 2 hrs after we could move in took
until Friday to get to work at all).

We had established the poor man's login through hcalgw.phy.bnl.gov -
logging in to a machine that you can touch through BNL. Oh well. At
least it worked.

What remained were issues on MacOS. Around the various user groups are
ample warnings that Fermilab's authentication method of choice,
kerberos, has a lot of issues on MacOS, being an Apple-proprietary
implementation and all. Google lists, independent of FNAL, gazillions of
issues with MacOS-kerberos.

Anyway, here's the scoop. The Fermilab computing pages list, in addition
to a downloadable krb5.conf file, the supposedly golden few lines to add
to your /etc/ssh_login file, enabling the GSSAPI (kerberos) -

# System-wide defaults set by MIT Kerberos Extras
Host *.fnal.gov
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPIKeyExchange yes
GSSAPITrustDNS no

However, that works *only* if you are using your Mac's native ssh, which
few of us do. If you are using ssh installed through MacPorts or
homebrew, the relevant config file is somewhere else (use ssh -vv to
find out, mine is /opt/local/etc/ssh_config). And there it takes only

Host *.fnal.gov
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

An interim way to test this is to add -K to your ssh (enable
GSSAPIAuthentication).

So again, here is the procedure:

use klist to verify that you still have a non-expired kerberos tgt
(Ticket Granting Ticket). If not:

kinit <your FNAL username> -f

ssh -l ftbf_user ftbfbnl01.fnal.gov

Once that works, I suggest putting that into a script with some useful
tunnels

ssh -l ftbf_user ftbfbnl01.fnal.gov \
-L 10001:192.168.100.1:22 \
-L 10010:192.168.100.10:22 \
-L 17815:192.168.100.40:7815 \
-L 10040:192.168.100.40:22 \
-L 18081:192.168.100.80:8081 \
-L 18082:192.168.100.81:8081

(in order:
- the sphenixdaq machine's ssh port
- Tom's DAQ machine's ssh port
- the T1044 elog
- hcaldaq's ssh port
- the hcal-watching webcam
- the emcal-watching webcam
)

Also, I need to enable your logins. Please let me know your FNAL login
name and I'll do that asap.

Finally, at
https://www.phenix.bnl.gov/~purschke/ftbf/
I keep the latest computing@fnal-related docs.

Martin


--
John Haggerty
email: haggerty AT bnl.gov
cell: 631 741 3358
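
Added example (an editor's addition, not part of either message in this thread): the procedure Martin describes, check for a TGT with klist, kinit with -f, ssh to the gateway with the port forwards, combined with John's GSSAPIKeyExchange=no workaround, as one POSIX shell script. The gateway host, login name, realm and forward table are taken from the two messages above; the function names, the script name ftbf-login.sh, the "connect" argument convention and the port-validation step are this example's own assumptions. The GSSAPI settings are passed with -o so they apply whichever ssh binary and ssh_config are in use, which is the Apple-versus-MacPorts/Homebrew confusion Martin ran into; GSSAPITrustDNS is left out because it is a distribution patch that an unpatched OpenSSH rejects as a bad configuration option.

```shell
#!/bin/sh
# Added example, not code from the thread: the FTBF gateway login procedure from
# Martin's message plus John's GSSAPIKeyExchange=no workaround, as one script.
# Gateway host, login, realm and forward table come from the messages above; the
# function names, the "connect" argument and the port validation are this
# example's own choices.
set -eu

GATEWAY="ftbfbnl01.fnal.gov"
GATEWAY_USER="ftbf_user"
REALM="FNAL.GOV"

# Port forwards from Martin's message, in his order, as localport:host:remoteport.
FORWARDS="
10001:192.168.100.1:22
10010:192.168.100.10:22
17815:192.168.100.40:7815
10040:192.168.100.40:22
18081:192.168.100.80:8081
18082:192.168.100.81:8081
"

# Passed with -o so they take effect whichever ssh binary (Apple, MacPorts,
# Homebrew) and therefore whichever ssh_config is in use. GSSAPIKeyExchange=no
# is John's fix for "ssh_dispatch_run_fatal: ... unexpected internal error";
# GSSAPIDelegateCredentials=yes forwards your TGT to the gateway, so it belongs
# on this host only, never in a global "Host *" stanza.
SSH_OPTS="-o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes -o GSSAPIKeyExchange=no"

# Kerberos realm names are case-sensitive. A bare username let John's Mac pick
# DHCP.FNAL.GOV, so always qualify the principal with the upper-case realm.
fnal_principal() {
    case "$1" in
        *@*) printf '%s@%s\n' "${1%@*}" "$(printf '%s' "${1#*@}" | tr '[:lower:]' '[:upper:]')" ;;
        *)   printf '%s@%s\n' "$1" "$REALM" ;;
    esac
}

# Validate one localport:host:remoteport triple and print it normalised, so a
# typo in FORWARDS fails here rather than as a confusing ssh error later.
forward_spec() {
    lport="${1%%:*}"; rest="${1#*:}"; host="${rest%:*}"; rport="${rest##*:}"
    for p in "$lport" "$rport"; do
        case "$p" in
            ''|*[!0-9]*) echo "forward '$1': port '$p' is not a number" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "forward '$1': port $p out of range" >&2; return 1; }
    done
    [ -n "$host" ] || { echo "forward '$1': empty host" >&2; return 1; }
    printf '%s:%s:%s\n' "$lport" "$host" "$rport"
}

# The full command line, for inspection before running it.
build_ssh_cmd() {
    cmd="ssh $SSH_OPTS -l $GATEWAY_USER $GATEWAY"
    for f in $FORWARDS; do
        cmd="$cmd -L $(forward_spec "$f")"
    done
    printf '%s\n' "$cmd"
}

# klist -s exits 0 only if the cache holds an unexpired TGT (MIT and Heimdal).
have_valid_tgt() { klist -s 2>/dev/null; }

# -f asks for a forwardable TGT, which GSSAPIDelegateCredentials needs.
ensure_tgt() { have_valid_tgt || kinit -f "$(fnal_principal "$1")"; }

connect() {
    ensure_tgt "$1"
    set -- $SSH_OPTS -l "$GATEWAY_USER" "$GATEWAY"
    for f in $FORWARDS; do
        set -- "$@" -L "$(forward_spec "$f")"
    done
    exec ssh "$@"
}

# Only connect when asked:  sh ftbf-login.sh connect <your FNAL username>
# With no arguments the script just defines the functions above.
if [ "${1:-}" = "connect" ] && [ -n "${2:-}" ]; then
    connect "$2"
fi
```

Run it as `sh ftbf-login.sh connect myusername`; without arguments it only defines its functions. Two caveats worth keeping in mind: GSSAPIDelegateCredentials=yes hands a forwardable copy of your TGT to the gateway, so it should stay scoped to hosts you trust; and with GSSAPIKeyExchange=no the gateway is no longer authenticated through Kerberos, so the host key fingerprint it presents on first connection has to be checked out of band. The -L forwards bind to localhost only unless a bind address or GatewayPorts is added, which is what you want for the DAQ ssh ports and webcams.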
