Kerberos credential forwarding appears to be working to both mire and deleuze (at least for me.)
To set it up, you need a Kerberized SSH client (ssh-krb5 in sarge) and some Kerberos utilities (either MIT or Heimdal should work, I'd recommend MIT.) Since your _admin user account doesn't match your Kerberos credential, you'll need to edit your ~/.k5login file and put your admin entry in there. (You can add multiple entries, one per line.)

[EMAIL PROTECTED]:~]% cat .k5login
cclausen/[EMAIL PROTECTED]

Using Kerberos to log in allows you to get AFS tokens automatically at login as well as allowing you to only have to type in your password once to get to both machines. You can also forward credentials between machines, so things like scp will just work, no password prompts. And since things are verified with Kerberos, you don't need to keep track of SSH host keys anymore (although you might still want to.)

Since root logins appear to be enabled on mire (I'd suggest setting this to PermitRoot without-password) I added my principal to root's ~/.k5login file and I can now SSH in directly as root on mire:

[EMAIL PROTECTED]:~]% klist
Ticket cache: FILE:/tmp/krb5cc_9999
Default principal: cclausen/[EMAIL PROTECTED]

Valid starting     Expires            Service principal
01/28/07 22:35:46  01/29/07 08:35:46  krbtgt/[EMAIL PROTECTED]

[EMAIL PROTECTED]:~]% ssh -K [EMAIL PROTECTED]
Last login: Sun Jan 28 21:27:37 2007 from 69.90.123.67
mire:~# whoami
root
mire:~# exit
logout
Connection to mire closed.

Ask on IRC if you'd like help setting this up.

<<CDC

_______________________________________________
HCoop-SysAdmin mailing list
[email protected]
http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin
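
Added example, not part of the original message: since every principal listed in an account's ~/.k5login can log in as that account (root included, as described above), this sketch lists the principals in one such file and flags duplicate entries, lines that are not of the form name[/instance]@REALM, and files that group or others can write. The function names, the output labels and the EXAMPLE.ORG sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list who a .k5login file lets in, and flag risky entries.
# Output, one finding per line:
#   PRINCIPAL <p>  may log in to this account with Kerberos
#   DUPLICATE <p>  listed more than once
#   MALFORMED <l>  not of the form name[/instance]@REALM
#   WRITABLE  <f>  file is group- or world-writable
# Returns 0 when clean, 1 when anything was flagged, 2 if the file is missing.
audit_k5login() {
    file=$1
    rc=0
    [ -f "$file" ] || { echo "MISSING $file"; return 2; }

    # Anyone who can write this file can add their own principal to it.
    if [ -n "$(find "$file" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "WRITABLE $file"
        rc=1
    fi

    awk '
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # trim CR and blanks
        $0 == "" { next }
        $0 !~ /^[^@ \t]+@[^@ \t]+$/ { print "MALFORMED " $0; bad = 1; next }
        seen[$0]++ { print "DUPLICATE " $0; bad = 1; next }
        { print "PRINCIPAL " $0 }
        END { exit bad + 0 }
    ' "$file" || rc=1
    return "$rc"
}

# Constructed sample data (EXAMPLE.ORG and the user names are placeholders).
write_sample_k5login() {
    printf '%s\n' \
        'alice/admin@EXAMPLE.ORG' \
        'bob@EXAMPLE.ORG' \
        'bob@EXAMPLE.ORG' \
        'carol' > "$1"
}

# Stand-alone use: sh audit_k5login.sh /root/.k5login
if [ $# -gt 0 ]; then
    audit_k5login "$1"
fi
```

Run it against root's .k5login on each host to see which principals can reach a root shell through ssh -K.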
