Secure Shell (SSH2) for Unix/Linux Users

Modern Linux/Unix installations (e.g., RHEL4, OS X Tiger) already have all the software needed to use Protocol 2 effectively. This section details the recommended procedures for setting up ssh2 on your machine in order to access machines at SLAC. (Note: As of Nov. 26, 2007, ssh access via ssh Protocol 1 (ssh1) was disabled at SLAC.)

Setup: Non-SLAC Machine

  1. In order to log in from a remote Linux machine to a SLAC machine, create the following file and name it config in the remote machine's $HOME/.ssh directory (i.e., $HOME/.ssh/config):

    GSSAPIAuthentication=yes
    GSSAPIDelegateCredentials=yes
    GSSAPITrustDNS=yes
    ForwardX11=yes

    (GSSAPITrustDNS may not be necessary or even supported on some systems.)

  2. Set the permissions for read/write by the owner only:
    • cd to your .ssh directory; then, at the prompt, issue the following command:
    • chmod og-rxw config
  3. If you are working:
    • From a SLAC machine and you wish to ssh, scp, or whatever, at the start of your work day type:

      kinit

    • From non-SLAC machines, type:

      kinit yourusername@SLAC.STANFORD.EDU

    Note: SLAC.STANFORD.EDU must be in UPPERCASE. (All upper and lower case examples used in this procedure are correct as shown.)
  4. When prompted, enter your password.

Notes:

  • Passwords. After entering your password once, you can ssh to a SLAC machine and you will immediately be logged in and have an AFS token. You can also scp files to or from SLAC, or use cvs, and you will not be prompted for a password.
  • Running X Applications Remotely. If you wish to log onto a SLAC machine and run X applications remotely, you might need to modify your ssh command to include a -Y flag like this:

ssh -Y noric.slac.stanford.edu

  • When connecting to a SLAC machine from a non-SLAC machine:

On SLAC machines, host keys are managed automatically, so when you first connect from a client machine to a SLAC server machine that the ssh on your client machine does not know about, you will be asked whether you want to accept the public key of the SLAC machine. This key will be stored in a file in your home directory named ~/.ssh/known_hosts. Every connection after that will check the public key of the server, and will issue WARNINGS if the key stored on your machine does not match. This protects you from attacks in which another machine impersonates the trusted server machine to which you are trying to connect. The dialog looks as follows:

> ssh noric.slac.stanford.edu
Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)? yes
Host 'noric.slac.stanford.edu' added to the list of known hosts.

  • If the remote host presents a key that does not match the one stored in your ~/.ssh/known_hosts, you get this dialog:

> ssh noric.slac.stanford.edu
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@        WARNING: HOST IDENTIFICATION HAS CHANGED!        @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the host key has just been changed....

Tip: You will often get this warning if you connect to pooled machines such as noric or tersk. This is because you will get a different machine each time you connect, and each machine will have a different host key.

To solve this problem, you can get the host keys of all the machines in the pool from SLAC. These keys are available via anonymous ftp from the server ftp.slac.stanford.edu, in the directory /admin/:

ftp://ftp.slac.stanford.edu/admin/known_hosts

Copy this file to your client machine and merge it into your ~/.ssh/known_hosts file. (Be sure to replace any existing keys for the corresponding SLAC hosts.)

You will need to repeat this process periodically when, for example, SCS adds new machines to any of the pools.
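One way to do that merge, as an added example that is not part of the SLAC page: a POSIX shell function that removes every existing known_hosts line for a host named in the downloaded file and then appends the downloaded entries, so stale keys for pooled hosts cannot trigger the mismatch warning. The file name ./known_hosts.slac in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the SLAC page): merge a downloaded known_hosts file
# into an existing one, replacing any existing entries for hosts named in the
# new file and leaving every other line (other hosts, comments, markers,
# hashed entries) untouched.  Usage: merge_known_hosts OLD NEW OUT
merge_known_hosts() {
    old=$1
    new=$2
    out=$3
    awk '
        # Lines we never touch: blank lines, comments, @cert-authority/@revoked
        # markers and hashed (|1|...) entries, whose host names cannot be
        # compared textually.
        function passthrough(line) {
            return line ~ /^[[:space:]]*#/ || line ~ /^[[:space:]]*$/ || line ~ /^[@|]/
        }
        # First file (NEW): remember every alias in the comma-separated host list
        FILENAME == ARGV[1] {
            if (passthrough($0)) next
            n = split($1, hosts, ",")
            for (i = 1; i <= n; i++) replaced[hosts[i]] = 1
            next
        }
        # Second file (OLD): drop a line if any of its aliases is being replaced
        {
            if (!passthrough($0)) {
                n = split($1, hosts, ",")
                for (i = 1; i <= n; i++)
                    if (hosts[i] in replaced) next
            }
            print
        }
    ' "$new" "$old" > "$out" && cat "$new" >> "$out"
}

# Typical use after fetching ftp://ftp.slac.stanford.edu/admin/known_hosts
# into ./known_hosts.slac (assumed path):
#   merge_known_hosts ~/.ssh/known_hosts ./known_hosts.slac ~/.ssh/known_hosts.new \
#     && mv ~/.ssh/known_hosts.new ~/.ssh/known_hosts
```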

Miscellaneous Checks

  • SSH version on client machine (must be v3.8 or higher); issue the command:

    ssh -V

    Note: For best results from SLAC public machines, verify that you're using /usr/local/bin/ssh by, e.g., issuing:

    which ssh

    If you find that you are not using /usr/local/bin/ssh, you may want to adjust your PATH environment variable.

  • Kerberos kinit command. To verify that the Kerberos kinit command is available, issue the command:

    kinit --version

    OR

    which kinit

    to make sure it's there.

End of SSH for Unix procedure.

Also see Secure Shell (SSH) at SLAC, Using SSH:

  • Between UNIX machines at SLAC and
  • Between a SLAC machine and a non-SLAC machine.

Owned by: Joanne Bogart
Last updated by: Joanne Bogart 09/15/2009