Version 8 (Iker de Icaza Astiz, 02/03/2020 02:19 PM) → Version 9/10 (Michelle Stancari, 02/26/2021 04:37 PM)

h1. Setting up your account for ssh access to private network connections

First, test whether you can log in to the subnets.

From either of the DAQ servers, run:

<pre>
ssh username@sbnd-daq33-priv.fnal.gov
ssh username@sbn-daq01-priv.fnal.gov
</pre>

If you get in without being prompted for a password, you're OK. If you are asked for a password, proceed to the instructions below. If access is denied, then most likely there's some other issue.

-------------------------------------------------------------

The private addresses starting with 192.168 are not registered in the KDC node database, so regular Kerberos tickets will not work when ssh'ing to one of the private ports. To enable your account for private ssh access, first type the following:

<pre>
kinit username@FNAL.GOV
ssh-keygen
</pre>

ssh-keygen will prompt you for a password (the key passphrase); remember it. It creates two files in your ~/.ssh directory, the private key and the public key:

<pre>
id_rsa
id_rsa.pub
</pre>

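Rename the private key and add the public key to *authorized_keys*:

<pre>
cd ~/.ssh
mv id_rsa sbn_rsa
# Append instead of overwriting, so keys already in authorized_keys are kept
cat id_rsa.pub >> authorized_keys
</pre>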

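Then add the following to your *~/.ssh/config* file. The block applies only to hosts matching *-priv; it turns off GSSAPI (Kerberos) authentication for them and uses the sbn_rsa key instead. Note that StrictHostKeyChecking no makes ssh accept the host keys of these hosts without asking for confirmation.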

<pre>
Host *-priv
StrictHostKeyChecking no
GSSAPIAuthentication no
GSSAPIDelegateCredentials no
AddKeysToAgent yes
IdentityFile ~/.ssh/sbn_rsa
PasswordAuthentication no
ForwardAgent yes
Protocol 2
AddressFamily inet
ServerAliveInterval 60
ForwardX11 yes
</pre>

Double check that the permissions on the files in the .ssh directory are rw-------.
You can change them with the command chmod 600 (filename).

The first time you use this method, you will be prompted for the key password you set above. Try it out, e.g.:

<pre>
ssh sbn-daq01-priv
ssh sbnd-daq33-priv
</pre>
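
If the login still prompts for a password, the file checks from the steps above can be scripted. This is an added example, not part of the original wiki or a site tool: the function name check_priv_ssh_setup is hypothetical, and it assumes GNU @stat -c@ (Linux) and the file names used on this page.

```shell
#!/bin/sh
# Added example: check_priv_ssh_setup is a hypothetical helper, not a site tool.
# Assumes GNU coreutils `stat -c` (Linux) and the file names used on this page.
check_priv_ssh_setup() {
    dir="${1:-$HOME/.ssh}"
    rc=0

    # 1. Every regular file in the directory should be mode 600 (rw-------).
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        if [ "$mode" != "600" ]; then
            echo "FAIL: $f has mode $mode; run: chmod 600 $f"
            rc=1
        fi
    done

    # 2. The renamed private key must exist.
    if [ ! -f "$dir/sbn_rsa" ]; then
        echo "FAIL: $dir/sbn_rsa not found"
        rc=1
    fi

    # 3. The public key must appear as a whole line in authorized_keys.
    if [ ! -f "$dir/id_rsa.pub" ] || [ ! -f "$dir/authorized_keys" ]; then
        echo "FAIL: id_rsa.pub or authorized_keys missing in $dir"
        rc=1
    elif ! grep -qxF -- "$(cat "$dir/id_rsa.pub")" "$dir/authorized_keys"; then
        echo "FAIL: id_rsa.pub is not listed in authorized_keys"
        rc=1
    fi

    # 4. The config must point the -priv hosts at the renamed key.
    if ! grep -Eq '^[[:space:]]*IdentityFile[[:space:]]+~/\.ssh/sbn_rsa[[:space:]]*$' \
            "$dir/config" 2>/dev/null; then
        echo "FAIL: $dir/config has no 'IdentityFile ~/.ssh/sbn_rsa' line"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $dir matches the setup described above"
    return "$rc"
}
```

Source the file and run @check_priv_ssh_setup@ with no argument to check ~/.ssh; it returns non-zero and prints one FAIL line per problem found.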