-- Stanford Linear Accelerator Center

SSH and Kinit Tricks

Updated: 09 Aug 2007
--

Contents

  • Rsync
  • CVS
  • X11 Forwarding
  • HTTP Proxy

This page documents some of the benefits of switching to the new ssh server, which uses GSSAPI authentication. In particular, it makes some tasks from remote machines much simpler and easier.

  • If you have a Kerberos 5-enabled version of ssh and kinit, you can log in to SLAC from anywhere without a password and still have an AFS token.
  • SSH can pass other connections, such as X11, over the encrypted channel, making secure X connections possible.

Here are some ways to use those two features to your advantage.

Rsync

If you have a SLAC Kerberos ticket on your remote machine, you can easily rsync files or directories to or from AFS. Generally rsync is set up to use ssh by default on OS X and Linux, but if not you can easily configure this by setting the environment variable RSYNC_RSH.

In bash
RSYNC_RSH=ssh ; export RSYNC_RSH
or in csh, tcsh
setenv RSYNC_RSH ssh

Here's an example. Note that you only need to kinit once per day; your Kerberos ticket remains valid for 24 hours.

kinit slac_id@SLAC.STANFORD.EDU
To AFS
rsync -avz my/src/code/ slac_id@machine.slac.stanford.edu:my/src/code
From AFS
rsync -avz slac_id@machine.slac.stanford.edu:my/src/code/ my/src/code

See the rsync man page for more uses.

CVS

You can also easily use CVS remotely with this version of ssh. It's controlled by a very similar environment variable, CVS_RSH.

In bash
CVS_RSH=ssh ; export CVS_RSH
or in csh, tcsh
setenv CVS_RSH ssh

Here's an example. Note that you only need to kinit once per day; your Kerberos ticket remains valid for 24 hours.

kinit slac_id@SLAC.STANFORD.EDU
cvs -d :ext:slac_id@machine.slac.stanford.edu:/afs/path/to/cvsroot checkout project

The nice thing about this is that you only need to specify the remote syntax on checkout. If you have a kerberos ticket, using cvs remotely works just like using cvs on a SLAC machine.

See the CVS manual for more uses.

X11 Forwarding

This isn't really a new feature, but it's worth noting some of the tricks.

In Mac OS X, the open source OpenSSH client is included with the basic OS install, and it also includes the kinit command used above. The one caveat is that if you wish to use X11 forwarding, you must ssh from within an xterm rather than the standard Terminal.app window.

HTTP Proxy

SSH can forward other TCP services over the encrypted connection. Examples of such services are FTP, POP, IMAP, and X11. This keeps the passwords that these services send over the network from being visible to hackers who may be watching the network traffic. These services have no encryption of their own built in and need the protection of an external protocol. This forwarding is often referred to as tunneling, because the TCP traffic is sent through an encrypted tunnel that shields it from view.

One of the most useful tricks is to use a proxy.pac file to set up your remote web browser so that requests for web pages that are only visible on SLAC's internal network are sent through an ssh tunnel.

Here's a sample proxy.pac file that does that through an ssh SOCKS tunnel.

function FindProxyForURL(url, host)
{
   /* proxy strings to return: the SOCKS listener that "ssh -D 8080" opens
      on the local machine, or a direct connection */
   var proxy_yes = "SOCKS 127.0.0.1:8080";
   var proxy_no = "DIRECT";

   /* internal-only sites: send these through the ssh tunnel */
   if (shExpMatch(url, "https://webscs02.slac.stanford.edu*"))
      return proxy_yes;
   if (shExpMatch(url, "http://nagios*.slac.stanford.edu*"))
      return proxy_yes;
   if (shExpMatch(url, "*slaconly*"))
      return proxy_yes;

   /* everything else goes direct */
   return proxy_no;
}
Both Firefox and Safari support this; you will need to configure your browser to use this file. You will also need an active ssh connection to a SLAC machine that opens the SOCKS listener on port 8080, like this:

ssh -D 8080 userid@machine.slac.stanford.edu
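Because a PAC file is ordinary JavaScript, its routing rules can be checked outside the browser before they are deployed. The harness below is an added example and is not part of the SLAC page: it supplies a stand-in for the browser's shExpMatch() (which the PAC runtime normally provides), wraps the page's three patterns in a table, and runs a set of constructed URLs through the rules, reporting any whose routing differs from what was intended. The sample URLs and the expectation that the SOCKS listener sits on 127.0.0.1:8080 (from ssh -D 8080) are assumptions for the demonstration.

```javascript
// Added example, not code from the SLAC page: an offline harness for checking
// what a proxy.pac routing function does with a given set of URLs.  In the
// browser, shExpMatch() is supplied by the PAC runtime; the stand-in below
// implements the same shell-style wildcard matching ('*' = any run of
// characters, '?' = a single character) so the rules can be run under node.

// Turn a shell-style wildcard pattern into an anchored regular expression.
function globToRegExp(pattern) {
  var re = "";
  for (var i = 0; i < pattern.length; i++) {
    var c = pattern.charAt(i);
    if (c === "*") {
      re += ".*";
    } else if (c === "?") {
      re += ".";
    } else {
      re += c.replace(/[-\/\\^$*+?.()|[\]{}]/g, "\\$&");
    }
  }
  return new RegExp("^" + re + "$");
}

// Stand-in for the browser-provided shExpMatch(str, shexp).
function shExpMatch(str, shexp) {
  return globToRegExp(shexp).test(str);
}

// Constructed inputs: the page's own three patterns and the SOCKS listener
// that "ssh -D 8080" creates on the local machine (assumed port).
var SOCKS_PROXY = "SOCKS 127.0.0.1:8080";
var DIRECT = "DIRECT";
var INTERNAL_PATTERNS = [
  "https://webscs02.slac.stanford.edu*",
  "http://nagios*.slac.stanford.edu*",
  "*slaconly*"
];

// Same decision logic as the page's proxy.pac, driven by the pattern table
// so that adding an internal site is a one-line change.
function FindProxyForURL(url, host) {
  for (var i = 0; i < INTERNAL_PATTERNS.length; i++) {
    if (shExpMatch(url, INTERNAL_PATTERNS[i])) {
      return SOCKS_PROXY;
    }
  }
  return DIRECT;
}

// Derive the host part the browser would pass as the second argument.
function hostOf(url) {
  return url.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").split("/")[0];
}

// Run a table of {url, expect} cases and return the ones whose routing
// differs from what the author expected.  An empty result means the PAC
// rules behave as intended for every listed URL.
function checkRules(cases) {
  var mismatches = [];
  for (var i = 0; i < cases.length; i++) {
    var got = FindProxyForURL(cases[i].url, hostOf(cases[i].url));
    if (got !== cases[i].expect) {
      mismatches.push({ url: cases[i].url, expect: cases[i].expect, got: got });
    }
  }
  return mismatches;
}

// Constructed sample URLs.  The last one shows that the unanchored
// "*slaconly*" rule also matches the query string of an external site,
// which is worth knowing when you decide how broad a pattern should be.
var SAMPLE_CASES = [
  { url: "https://webscs02.slac.stanford.edu/status", expect: SOCKS_PROXY },
  { url: "http://nagios01.slac.stanford.edu/nagios/", expect: SOCKS_PROXY },
  { url: "http://www.slac.stanford.edu/slaconly/notes.html", expect: SOCKS_PROXY },
  { url: "http://www.slac.stanford.edu/", expect: DIRECT },
  { url: "http://webscs02.slac.stanford.edu/", expect: DIRECT }, // http, not https
  { url: "http://www.example.com/search?q=slaconly", expect: SOCKS_PROXY }
];

if (typeof require !== "undefined" && require.main === module) {
  var bad = checkRules(SAMPLE_CASES);
  console.log(bad.length === 0 ? "all routing checks passed" : JSON.stringify(bad, null, 2));
}
```

Run it with node; it prints "all routing checks passed" when every sample URL is routed as expected, otherwise the list of mismatches. Extending SAMPLE_CASES with the URLs you actually visit is the quickest way to confirm that a new pattern sends only the intended sites through the tunnel.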
Owner: Booker C. Bense