Access to servers via SSH¶
Fermilab servers are most often interactively accessed via Secure Shell (SSH), with Kerberos authentication.To access the server, you need to know:
- your Kerberos credentials: it is the
<username>given you by Fermilab computing, and the password you chose for it
- the name of the server (for example,
There are two steps required to access a server, for example:
kinit -R <username>@FNAL.GOV # authenticate via Kerberos, receive a "ticket" ssh <username>@sbndgpvm01.fnal.gov # log in
Note that the first line asks your Kerberos client to attempt and renew an existing ticket, saving you from the hassle of retyping the password. If that fails, you need to run without
-Roption. A one-liner to do all of that (in bash shell) is:
kinit -R <username>@FNAL.GOV || kinit <username>@FNAL.GOV.
Access as a different user¶
You may need to log in a server acting in a different role. For example, you may want to write something in
/grid/fermiapp on behalf of SBND; that can be done1 only on
sbndgpvm01.fnal.gov, and only by the
There is no person holding the
sbnd user name, but there are some real users who are allowed to impersonate it. If you are among them, this is the magic:
kinit -R <username>@FNAL.GOV # just as above ssh email@example.com # log in as "sbnd" user
The people allowed to do so are the ones whose Kerberos principal, that is a string like
<username>@FNAL.GOV, is listed in
.k5loginfile in the home directory of the virtual user (in the example above, in
People in that list can add more simply by editing that file, but Fermilab demands the list to be kept short for maintenance and security purposes (see DocDB 5644).
1 This is at the time of writing, 20180129.