SCIENTIFIC-LINUX-USERS Archives

August 2009

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV
Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Re: kerberized ssh and aklog on SL5
From:
Jon Peatfield <[log in to unmask]>
Reply To:
Jon Peatfield <[log in to unmask]>
Date:
Thu, 27 Aug 2009 00:48:27 +0100
Content-Type:
TEXT/PLAIN
Parts/Attachments:
TEXT/PLAIN (35 lines) 
On Wed, 26 Aug 2009, Troy Dawson wrote:

> Hi Eve,
> The problem is that a plain SL5 ssh client does not do 
> GSSAPIDelegateCredentials and this is what is needed for you to get your AFS 
> credentials on minos06.
>
> https://fermilinux.fnal.gov/documentation/security/ssh-client/
<snip>

I hope no-one minds if I ask a stupid question...

What is to stop a user from adding the relevant section to their own 
.ssh/config ?  I know that isn't useful for catching all users but it is a 
useful test...

According to my understanding of the ssh client the *first* (matching) 
value found for each parameter is the one used and it is defined to read 
the user config before the system one (and command-line options before 
that)...

BTW the web page mentions a clash with GSSAPIDelegateCredentials on 
Ubuntu, which probably means that they are setting the value earlier than 
the suggested host... fragment (so will be found first).

From man ssh_config (on sl5 in case it matters):

...
   Since the first obtained value for each parameter is used, more
   host-specific declarations should be given near the beginning of the
   file, and general defaults at the end.
...

  -- Jon

ATOM RSS1 RSS2