
New User Information: Moving Around Using SSH


The information provided here is intended solely for internal use by the users of the Scalable Computing Laboratory. If you have any questions or problems, please contact help@scl.ameslab.gov.


Background:

We are always trying to make the SCL's main network infrastructure as secure as possible. Having fewer insecure connections to the outside world is one of the simplest ways to cut down on insecurity within our own network. To that end, we use ssh to log into machines at the SCL, with Kerberos as the authentication method.

Kerberos is an authentication method originally developed at MIT. It uses a ticket system to authenticate users, and is readily usable in all sorts of applications. To log into machines at the SCL, you need to have these tickets and the server needs to be able to authenticate using these tickets. Fortunately, all the ticket handling is done by the receiving machine, so in most cases you only need to worry about how to use ssh. The Secure Shell Protocol is an open-source remote user system developed by the makers of BSD that allows you to securely log into machines remotely, and bring up terminals, graphical windows, and almost any other interfaces you can think of. By using ssh and Kerberos in conjunction with one another, we are able to create a secure system that is still easy to use.

Using SSH:

If you are on a workstation and want to get to another SCL/FI workstation, simply run ssh {machine name}.

If you are coming from outside of the scl.ameslab.gov domain, you will need to ssh to gateway.scl.ameslab.gov:

somemachine.somewhere% ssh -l {username at SCL} gateway.scl.ameslab.gov

On a Windows machine, you will need an SSH client like PuTTY. If you are using PuTTY, you will need at least PuTTY version 0.56, and you will need to choose the "keyboard-interactive" authentication method instead of "password".

Users with X-Windows can still use X-Windows over SSH. To do this, SSH to a UNIX box. You will probably need to set the DISPLAY environment variable to your PC's name. You will also need to make sure you've added the UNIX box to your 'xhosts' list. After that, you will be able to either start a window manager or multiple xterms from the SSH command line.


tpc51: {xutil window} - add aztec.fi.ameslab.gov in the Xhosts section
aztec: setenv DISPLAY tpc51:0.0
aztec: xterm &
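
An OpenSSH client configuration (~/.ssh/config) for the logins described above. This is an added example, not part of the SCL's own instructions. It assumes an OpenSSH client of version 7.3 or later (for ProxyJump), that the gateway permits jumping to internal hosts, and that the servers have X11 forwarding enabled; "yourname" is a placeholder for your SCL username.

```sshconfig
# Gateway: the only host reached directly from outside scl.ameslab.gov.
Host gateway.scl.ameslab.gov
    User yourname
    # Same choice as PuTTY's "keyboard-interactive" setting above.
    PreferredAuthentications keyboard-interactive

# Internal workstations, reached through the gateway when you are outside.
# The negated pattern keeps the gateway itself from jumping through itself.
Host *.scl.ameslab.gov *.fi.ameslab.gov !gateway.scl.ameslab.gov
    User yourname
    ProxyJump gateway.scl.ameslab.gov
    PreferredAuthentications keyboard-interactive
    # Carry X11 inside the encrypted ssh session. sshd sets DISPLAY on the
    # remote side itself, so no setenv DISPLAY and no xhosts entry is needed.
    ForwardX11 yes
    # Keep the X11 SECURITY extension restrictions on forwarded clients.
    ForwardX11Trusted no
```

With this in place, ssh aztec.fi.ameslab.gov followed by xterm & opens the window over the ssh connection. When DISPLAY is set by hand to tpc51:0.0 as in the steps above, the X traffic goes directly to the PC rather than through ssh.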

Email Resources:

In the past we used a different, insecure method of handling mail. With our new courier mail system and the password database in LDAP, we are able to authenticate mail using Kerberos as well. The password is the same password you use to log into the network.

To change your password, simply ssh into gateway and issue the kpasswd command:

ssh -l (Your username here) gateway.scl.ameslab.gov
kpasswd


Questions: If you have any questions or comments, please send them to help@scl.ameslab.gov



Questions? Comments? Please send an email to , or contact us at 515-294-7336.