cernlib for SL 6x

2012-11-21 Thread Ken Teh

What do folks do about installing the cern program libraries for SL6?  I see 
that they only have pre-built binaries for SL5.  Are you building them from 
source or is there a semi-official repo you can get them from?

Thanks!


Re: cernlib for SL 6x

2012-11-21 Thread Matthias Schroeder
Hi Ken,

On Nov 21, 2012, at 6:33 PM, Ken Teh t...@anl.gov wrote:

 What do folks do about installing the cern program libraries for SL6?  I see 
 that they only have pre-built binaries for SL5.  Are you building them from 
 source or is there a semi-official repo you can get them from?

There is a little confusion around the version(s) of CERNLIB. There is one 
package called 'cernlib' in epel. That appears to be a version that misses a 
few of the original libraries, and if I understood it correctly includes a few 
bug fixes and improvements. It is available for both architectures.

Then there is a build that covers more of the original libraries, but has no 
recent bug fixes or improvements, and is only available for i686. At CERN we 
have packaged that version as 'CERNLIB'.

Hope this helps,

Matthias


 
 Thanks!





Re: SL5.8, anaconda, pre-exec scripts, and swap issue

2012-11-21 Thread Steven J. Yellin
When swap partitions are created with fdisk, there's a t option that 
is used to set the partition type.  If swap partitions are created with 
mkpart in parted, the FS-TYPE can be included in the command.  I'll bet 
if you change the scriptlet to create the swap partitions with the Linux 
swap partition type, the boot software will then see the type and know to 
do the right thing.


Steven Yellin

On Wed, 21 Nov 2012, SCHAER Frederic wrote:


Hi,

We're deploying our nodes using pre-exec scriptlets, in which we do our own 
partitioning.
In these scriptlets, we have things like that :

1-  Create swap partitions
2-  mkswap those partitions

The issue is the following : until now, everything was working fine.
With SL5.8, at reboot, our nodes only have 2GB of swap enabled per swap 
partition.

If we do:

-  swapoff partition
-  mkswap partition
-  swapon partition

Then the swap size appears to be what it should be (up to 128GB depending on 
the node, so 2GB clearly is not a good thing for us).

Of course, we could work around this using several methods, but that would be 
workarounds only.
I tried installing a node using anaconda's partitioning and no pre-exec scripts 
: then the swap is correctly defined/used.

Finally, I noted that on the failing systems (pre-exec partitioning), the 
partition type is 83 (linux), while on the anaconda-made
swap, partition type is 8e (Linux swap / Solaris)

Bug or not a bug ?

Thanks



RE: SL5.8, anaconda, pre-exec scripts, and swap issue

2012-11-21 Thread SCHAER Frederic
Hi,

Thanks. I'll try to change that yes, but as I said, it's been working fine for 
all other SL distributions, including SL6...

Regards

-----Original Message-----
From: Steven J. Yellin [mailto:yel...@slac.stanford.edu] 
Sent: Wednesday, 21 November 2012 19:01
To: SCHAER Frederic
Cc: SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV
Subject: Re: SL5.8, anaconda, pre-exec scripts, and swap issue

 When swap partitions are created with fdisk, there's a t option that 
is used to set the partition type.  If swap partitions are created with 
mkpart in parted, the FS-TYPE can be included in the command.  I'll bet 
if you change the scriptlet to create the swap partitions with the Linux 
swap partition type, the boot software will then see the type and know to 
do the right thing.

Steven Yellin

On Wed, 21 Nov 2012, SCHAER Frederic wrote:

 Hi,

 We're deploying our nodes using pre-exec scriptlets, in which we do our own 
 partitioning.
 In these scriptlets, we have things like that :

 1-  Create swap partitions
 2-  mkswap those partitions

 The issue is the following : until now, everything was working fine.
 With SL5.8, at reboot, our nodes only have 2GB of swap enabled per swap 
 partition.

 If we do:

 -  swapoff partition
 -  mkswap partition
 -  swapon partition

 Then the swap size appears to be what it should be (up to 128GB depending on 
 the node, so 2GB clearly is not a good thing for us).

 Of course, we could work around this using several methods, but that would 
 be workarounds only.
 I tried installing a node using anaconda's partitioning and no pre-exec 
 scripts : then the swap is correctly defined/used.

 Finally, I noted that on the failing systems (pre-exec partitioning), the 
 partition type is 83 (linux), while on the anaconda-made
 swap, partition type is 8e (Linux swap / Solaris)

 Bug or not a bug ?

 Thanks





Re: xfce + dual monitor setup

2012-11-21 Thread Andrew Z
.. not easy, but super easy for simple dual monitor setup.
And i think it def helped to have one of the monitors to be connected with
HDMI.
here are a few links i found useful:
https://forum.xfce.org/viewtopic.php?id=6738
http://www.thinkwiki.org/wiki/Xorg_RandR_1.2
en.gentoo-wiki.com/wiki/X.Org/Dual_Monitors

i had dsub + DVI originally and i had to specify the resolution. Once i
switched to HDMI+DVI all i have to do is to issue xrandr blah --auto and
specify which monitor i want where.



On Tue, Nov 13, 2012 at 2:34 PM, Andrew Z form...@gmail.com wrote:

 Hello,
  i want to setup a dual monitor under xfce (4.8) ( and compiz if it
 matters ). I did a quick search and it seems there are quite a few open
 bugs.
 Can you gentlemen, advise on the subject? Maybe point to a good howto?

 Thank you
 AZ



Re: xfce + dual monitor setup

2012-11-21 Thread Paul Robert Marino
well it's really dependent on what video card and driver you are using.
for example the proprietary nvidia driver has a gui that can adjust
the display mode and resolution without restarting X fairly easily but
there is no such option with the free nvidia driver.

On Wed, Nov 21, 2012 at 1:32 PM, Andrew Z form...@gmail.com wrote:
 .. not easy, but super easy for simple dual monitor setup.
 And i think it def helped to have one of the monitors to be connected with
 HDMI.
 here are a few links i found useful:
 https://forum.xfce.org/viewtopic.php?id=6738
 http://www.thinkwiki.org/wiki/Xorg_RandR_1.2
 en.gentoo-wiki.com/wiki/X.Org/Dual_Monitors

 i had dsub + DVI originally and i had to specify the resolution. Once i
 switched to HDMI+DVI all i have to do is to issue xrandr blah --auto and
 specify which monitor i want where.



 On Tue, Nov 13, 2012 at 2:34 PM, Andrew Z form...@gmail.com wrote:

 Hello,
  i want to setup a dual monitor under xfce (4.8) ( and compiz if it
 matters ). I did a quick search and it seems there are quite a few open
 bugs.
 Can you gentlemen, advise on the subject? Maybe point to a good howto?

 Thank you
 AZ




dist macro

2012-11-21 Thread Orion Poplawski
It appears that SL packages are being built with a different dist rpm macro 
than is in the sl-release package.  e.g.:


postgresql.x86_64    8.4.13-1.el6_3    sl-security

But the dist macro in sl-release-6.3-1 is still el6, not el6_3.  So when I 
build an updated package locally it has a NEVRA of 
postgresql-8.4.13-1.el6.cora.1 which is not newer than the SL version.


What version of sl-release are the released packages built against?  Or is 
there some other modification done?


Thanks!

--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder Office  FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301   http://www.nwra.com


Re: [SCIENTIFIC-LINUX-USERS] dist macro

2012-11-21 Thread Pat Riehecky

On 11/21/2012 12:44 PM, Orion Poplawski wrote:
It appears that SL packages are being built with a different dist 
rpm macro than is in the sl-release package.  e.g.:


postgresql.x86_64    8.4.13-1.el6_3    sl-security

But the dist macro in sl-release-6.3-1 is still el6, not el6_3.  
So when I build an updated package locally it has a NEVRA of 
postgresql-8.4.13-1.el6.cora.1 which is not newer than the SL version.


What version of sl-release are the released packages built against?  
Or is there some other modification done?


Thanks!



The package was built to match the upstream name.

http://rhn.redhat.com/errata/RHSA-2012-1263.html#Red%20Hat%20Enterprise%20Linux%20Server%20%28v.%206%29

Pat

--
Pat Riehecky
Scientific Linux Developer


Re: Security ERRATA Low: selinux-policy enhancement update on SL5.x, SL6.x i386/x86_64

2012-11-21 Thread Stephan Wiesand
This is the second selinux-policy update within a couple of days, and both were 
promoted from enhancement to security. That's a major pain in the rear. Why 
do these have to land on all systems?

- Stephan

On Nov 21, 2012, at 17:40 , Pat Riehecky wrote:

 Synopsis: Low: selinux-policy enhancement update
 Issue date: 2012-11-19
 
 This update adds the following enhancements:
 
 * An SELinux policy for openshift packages has been added
 
 This update has been placed in the security tree to avoid selinux
 related problems.
 
 
 SL6.x
 
 SRPMS:
 selinux-policy-3.7.19-155.el6_3.8.src.rpm
 
 i386:
 selinux-policy-3.7.19-155.el6_3.8.noarch.rpm
 selinux-policy-doc-3.7.19-155.el6_3.8.noarch.rpm
 selinux-policy-minimum-3.7.19-155.el6_3.8.noarch.rpm
 selinux-policy-mls-3.7.19-155.el6_3.8.noarch.rpm
 selinux-policy-targeted-3.7.19-155.el6_3.8.noarch.rpm
 
 
 x86_64:
 selinux-policy-3.7.19-155.el6_3.8.noarch.rpm
 selinux-policy-doc-3.7.19-155.el6_3.8.noarch.rpm
 selinux-policy-minimum-3.7.19-155.el6_3.8.noarch.rpm
 selinux-policy-mls-3.7.19-155.el6_3.8.noarch.rpm
 selinux-policy-targeted-3.7.19-155.el6_3.8.noarch.rpm

-- 
Stephan Wiesand
DESY -DV-
Platanenenallee 6
15738 Zeuthen, Germany


Re: [SCIENTIFIC-LINUX-USERS] dist macro

2012-11-21 Thread Orion Poplawski

On 11/21/2012 11:49 AM, Pat Riehecky wrote:

On 11/21/2012 12:44 PM, Orion Poplawski wrote:

It appears that SL packages are being built with a different dist rpm
macro than is in the sl-release package.  e.g.:

postgresql.x86_64    8.4.13-1.el6_3    sl-security

But the dist macro in sl-release-6.3-1 is still el6, not el6_3. So when
I build an updated package locally it has a NEVRA of
postgresql-8.4.13-1.el6.cora.1 which is not newer than the SL version.

What version of sl-release are the released packages built against? Or is
there some other modification done?

Thanks!



The package was built to match the upstream name.

http://rhn.redhat.com/errata/RHSA-2012-1263.html#Red%20Hat%20Enterprise%20Linux%20Server%20%28v.%206%29


Pat



Which is good :).  Hmm, looks like redhat-release-server-6Server-6.3.0.3.el6 
still has dist set to el6, so that's not how they do it :(.  Unfortunately I'm 
building locally with mock and I don't know of a way to override the dist 
macro in that way.


--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder Office  FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301   http://www.nwra.com


Re: xfce + dual monitor setup

2012-11-21 Thread Andrew Z
right you are Paul.
me the silly failed to understand the options and how they work on the
Nvidia settings panel. So i got away with the small blood

On Wed, Nov 21, 2012 at 1:40 PM, Paul Robert Marino prmari...@gmail.com wrote:

 well it's really dependent on what video card and driver you are using.
 for example the proprietary nvidia driver has a gui that can adjust
 the display mode and resolution without restarting X fairly easily but
 there is no such option with the free nvidia driver.

 On Wed, Nov 21, 2012 at 1:32 PM, Andrew Z form...@gmail.com wrote:
  .. not easy, but super easy for simple dual monitor setup.
  And i think it def helped to have one of the monitors to be connected
 with
  HDMI.
  here are a few links i found useful:
  https://forum.xfce.org/viewtopic.php?id=6738
  http://www.thinkwiki.org/wiki/Xorg_RandR_1.2
  en.gentoo-wiki.com/wiki/X.Org/Dual_Monitors
 
  i had dsub + DVI originally and i had to specify the resolution. Once i
  switched to HDMI+DVI all i have to do is to issue xrandr blah --auto and
  specify which monitor i want where.
 
 
 
  On Tue, Nov 13, 2012 at 2:34 PM, Andrew Z form...@gmail.com wrote:
 
  Hello,
   i want to setup a dual monitor under xfce (4.8) ( and compiz if it
  matters ). I did a quick search and it seems there are quite a few open
  bugs.
  Can you gentlemen, advise on the subject? Maybe point to a good howto?
 
  Thank you
  AZ
 
 



Re: [SCIENTIFIC-LINUX-USERS] dist macro

2012-11-21 Thread Pat Riehecky

On 11/21/2012 01:02 PM, Orion Poplawski wrote:

On 11/21/2012 11:49 AM, Pat Riehecky wrote:

On 11/21/2012 12:44 PM, Orion Poplawski wrote:

It appears that SL packages are being built with a different dist rpm
macro than is in the sl-release package.  e.g.:

postgresql.x86_64    8.4.13-1.el6_3    sl-security

But the dist macro in sl-release-6.3-1 is still el6, not el6_3. 
So when

I build an updated package locally it has a NEVRA of
postgresql-8.4.13-1.el6.cora.1 which is not newer than the SL 
version.


What version of sl-release are the released packages built against? 
Or is

there some other modification done?

Thanks!



The package was built to match the upstream name.

http://rhn.redhat.com/errata/RHSA-2012-1263.html#Red%20Hat%20Enterprise%20Linux%20Server%20%28v.%206%29 




Pat



Which is good :).  Hmm, looks like 
redhat-release-server-6Server-6.3.0.3.el6 still has dist set to el6, 
so that's not how they do it :(.  Unfortunately I'm building locally 
with mock and I don't know of a way to override the dist macro in that 
way.




Untested theory:

Perhaps adding this to your mock config file?
config_opts['macros']['%dist'] = 'asdf'



--
Pat Riehecky
Scientific Linux Developer


Re: [SCIENTIFIC-LINUX-USERS] dist macro

2012-11-21 Thread Orion Poplawski

On 11/21/2012 12:16 PM, Pat Riehecky wrote:

On 11/21/2012 01:02 PM, Orion Poplawski wrote:

On 11/21/2012 11:49 AM, Pat Riehecky wrote:

On 11/21/2012 12:44 PM, Orion Poplawski wrote:

It appears that SL packages are being built with a different dist rpm
macro than is in the sl-release package.  e.g.:

postgresql.x86_64    8.4.13-1.el6_3    sl-security

But the dist macro in sl-release-6.3-1 is still el6, not el6_3. So when
I build an updated package locally it has a NEVRA of
postgresql-8.4.13-1.el6.cora.1 which is not newer than the SL version.

What version of sl-release are the released packages built against? Or is
there some other modification done?

Thanks!



The package was built to match the upstream name.

http://rhn.redhat.com/errata/RHSA-2012-1263.html#Red%20Hat%20Enterprise%20Linux%20Server%20%28v.%206%29



Pat



Which is good :).  Hmm, looks like
redhat-release-server-6Server-6.3.0.3.el6 still has dist set to el6, so that's
not how they do it :(.  Unfortunately I'm building locally with mock and I
don't know of a way to override the dist macro in that way.



Untested theory:

Perhaps adding this to your mock config file?
config_opts['macros']['%dist'] = 'asdf'


Yup, that or:

mock -r epel-6-x86_64 -D 'dist .el6_3'  

Thanks!

--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder Office  FAX: 303-415-9702
3380 Mitchell Lane   or...@nwra.com
Boulder, CO 80301   http://www.nwra.com
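
Why the locally built 1.el6.cora.1 ranks below the repository's 1.el6_3, and why overriding dist fixes it, shown as an added example that is not code from the thread. It is a simplified reimplementation of rpm's segment-wise version comparison (no '~' or '^' handling); the Release template `1%{?dist}.cora.1` is an assumption inferred from the NEVRA quoted above.

```python
import re

# Maximal runs of digits or of ASCII letters; every other character
# ('.', '_', '-', ...) only separates segments.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Compare two version or release strings the way rpm orders them.

    Returns 1 if a is newer, -1 if b is newer, 0 if they rank equal.
    Simplification: '~' and '^' ordering of newer rpm releases is not handled.
    """
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            # A numeric segment always outranks an alphabetic one.
            return 1 if x_num else -1
        if x_num:
            # Numbers: ignore leading zeros, then the longer number is larger.
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1


def expand_release(template, dist):
    """Expand the %{?dist} macro in a spec file Release: value."""
    return template.replace("%{?dist}", dist)


# Release of the sl-security postgresql package quoted in the thread.
REPO_RELEASE = "1.el6_3"
# Assumed Release: line of the local spec (it yields 1.el6.cora.1 for .el6).
LOCAL_TEMPLATE = "1%{?dist}.cora.1"


def local_build_outranks_repo(dist):
    """Return (local_release, True if the local build is newer than the repo)."""
    local = expand_release(LOCAL_TEMPLATE, dist)
    return local, rpmvercmp(local, REPO_RELEASE) > 0


if __name__ == "__main__":
    # Epoch and version (8.4.13) are identical, so the release decides.
    for dist in (".el6", ".el6_3"):
        local, wins = local_build_outranks_repo(dist)
        verdict = "newer than" if wins else "NOT newer than"
        print("dist=%-7s -> %-16s is %s %s" % (dist, local, verdict, REPO_RELEASE))
```

With dist left at .el6 the fourth segment compares "cora" against "3", and the numeric segment wins, so the repository package replaces the local rebuild on the next update.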


ssh returns Permission denied (gssapi-keyex,gssapi-with-mic).

2012-11-21 Thread Joseph Areeda

I can't figure out what causes this error.

I can fix it by regenerating the server key on the system I'm trying 
to connect to and restarting sshd but that seems to be temporary as the 
same problem comes back in a week or so.  Rebooting the server does not 
fix it.


Does anyone know what that error means?  I am using ssh not gsissh 
although I do have globus toolkit installed to contact grid computers.


I'm pretty sure it's a misconfiguration on my part but I can't figure 
out what I did or didn't do.


Thanks,

Joe


Re: ssh returns Permission denied (gssapi-keyex,gssapi-with-mic).

2012-11-21 Thread Steven Timm

What does the output of
ssh -vv hostname

give you?

and what does /var/log/secure say on the server side?

Permission denied could be a number of things (time not in sync,
PAM configuration right, or other stuff).  Without knowing the
server and client sshd_config and ssh_config respectively it is hard to 
tell.


Steve Timm


On Wed, 21 Nov 2012, Joseph Areeda wrote:


I can't figure out what causes this error.

I can fix it by regenerating the server key on the system I'm trying to 
connect to and restarting sshd but that seems to be temporary as the same 
problem comes back in a week or so.  Rebooting the server does not fix it.


Does anyone know what that error means?  I am using ssh not gsissh although I 
do have globus toolkit installed to contact grid computers.


I'm pretty sure it's a misconfiguration on my part but I can't figure out 
what I did or didn't do.


Thanks,

Joe



--
Steven C. Timm, Ph.D  (630) 840-8525
t...@fnal.gov  http://home.fnal.gov/~timm/
Fermilab Computing Division, Scientific Computing Facilities,
Grid Facilities Department, FermiGrid Services Group, Group Leader.
Lead of FermiCloud project.


Re: ssh returns Permission denied (gssapi-keyex,gssapi-with-mic).

2012-11-21 Thread Tam Nguyen
Hi Joe,
Did you look at the sshd_config file?
I ran into a similar error output but it may not necessarily be the same
issue you're having.  In my case, the sshd_conf file on one of my users
machine was edited and renamed.  I backup that file and copy a default
sshd_config file, then test it.

Good luck.
-T

On Wed, Nov 21, 2012 at 5:16 PM, Joseph Areeda newsre...@areeda.com wrote:

 I can't figure out what causes this error.

 I can fix it by regenerating the server key on the system I'm trying to
 connect to and restarting sshd but that seems to be temporary as the same
 problem comes back in a week or so.  Rebooting the server does not fix it.

 Does anyone know what that error means?  I am using ssh not gsissh
 although I do have globus toolkit installed to contact grid computers.

 I'm pretty sure it's a misconfiguration on my part but I can't figure out
 what I did or didn't do.

 Thanks,

 Joe



Re: WG: Black Display Screen Problem Getting Paraview to work

2012-11-21 Thread William Shu
Thanks Chris and Andrew for the suggestions/directions.

I now notice fglrx-x11-drv-12.4-1.el6.elrepo.i686.rpm driver does not seem to 
detect the card. Will consider a proprietary driver I googled (e.g., 
amd-driver-installer-12-2-x86.x86_64.run) later, when I'm more stable to look 
at the issue. (Unfortunately, I am not in a position to investigate the display 
 behaviour.)

At the same time, I'm inclined to thinking we have a linux software driver 
problem, as I noticed the machine (fan) was quieter under its Windows 7 
partition. Also, the boot time seems faster, after I did the file system 
repairs under chroot *and* uninstalled the fglrx* driver.


Once again, thanks for the assistance.

William.





 From: Chris Schanzle schan...@nist.gov
To: William Shu ws...@yahoo.com 
Sent: Wednesday, November 21, 2012 1:27 AM
Subject: Re: WG: Black Display Screen Problem  Getting Paraview to work
 
Just an (offline) thought-booting off the cd means you were not using the ati 
kernel drivers, so I would look into that issue really hard when booting off 
the kernel on the disk.


On 11/20/2012 10:41 AM, William Shu wrote:
 Peter, Andrew,
 Thanks for the suggestions.

 Peter, the machine is an HP ProBook 4720s Laptop that I use as a sort of 
 mobile desktop, and I do not have access to its internals. Besides being 
 the only machine I can work on now, I cannot tinker with its hardware! I've 
 been using for about a year now with no problem. Could it be that something 
 has worn out power supply from the PCI bus? (I often charge my phone via the 
 usb slot.). If so, can one add (or redirect) power externally?

 Andrew, I tried another monitor--a CRT--at the time but it did not display 
 anything. Since I could not repeat the event, I could only surmise the 
 screen and/or the keyboard (to switch on multi-display) or the USB Hard 
 drive might have been compromised. (a fsck proved the USB HD drive clean!)

 How does one test the fan of the GPU? Sorry for dumb question. I noticed 
 lately that the fan of the machine goes on for much longer than in times 
 past. Looking back, could briefly using the machine in dusty work 
 environment sometime back have such an adverse effect? (Machine is supposed 
 to be a laptop!)

 Another issue I don't understand is why the same paraview program, run via 
 chroot under the livedvd (6.0), found the same display okay, but does not 
 find it okay when the system is booted directly!

 Regards,
 William.

    
 
--

     *From:* peter.stauff...@boehringer-ingelheim.com 
peter.stauff...@boehringer-ingelheim.com
     *To:* ws...@yahoo.com
     *Sent:* Tuesday, November 20, 2012 2:46 PM
     *Subject:* WG: Black Display Screen Problem  Getting Paraview to work

     Hi William,
     some high-end graphics cards (our Nvidia Quadro cards) need additional 
power, so a special power cable must be connected to the graphics card.
     With normal low resolution the graphics cards work fine without this 
cable, but with higher resolution the power from PCI bus is no longer 
sufficient and we got a blank screen.
     Peter
     Dr. Peter Stauffert
     Boehringer Ingelheim Pharma GmbH  Co. KG

     *From:* owner-scientific-linux-us...@listserv.fnal.gov 
[mailto:owner-scientific-linux-us...@listserv.fnal.gov] *On Behalf Of* Andrew Z
     *Sent:* Tuesday, 20 November 2012 14:36
     *To:* William Shu
     *Cc:* SCIENTIFIC- LINUX- USERS@ FNAL. GOV
     *Subject:* Re: Black Display Screen Problem  Getting Paraview to work
     William
     Check if fan on your gpu  actually works.
     Try another monitor.
     I had similar odd behavior a while ago.
     On Nov 20, 2012 4:45 AM, William Shu ws...@yahoo.com wrote:

     Dear All,

     I state the basic problem, then give further explanations below. Any 
help appreciated, especially as I'm just groping!

       My basic problems are:
     ---
     (1) to ascertain the cause of the black screen 

Re: ssh returns Permission denied (gssapi-keyex,gssapi-with-mic).

2012-11-21 Thread Joseph Areeda

Thank you Tam, and Steven,

I just confirmed that regenerating the keys (ssh-keygen -t dsa -f 
ssh_host_dsa_key  ssh -t rsa -f ssh_host_rsa_key) in /etc/ssh fixes 
the problem


So ssh -vv shows me how it's supposed to look.  I'll save that and do a 
diff when it happens again.


As I continue my googling I can report on a few things it's not

Server machine has a fixed ip address and dns/rdns appears working.

Time issue Steven mentioned does not seem to be it, although I may stop 
using pool machines and set up a local ntp server so everybody gets the 
same time.  I can ssh and gsissh to other servers.


Server:
ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ping-audit-207- .ACTS.           1 u    5  128  377   19.867    5.804   1.927
+10504.x.rootbsd 198.30.92.2      2 u  129  128  376   45.146  -28.571   5.558
+ntp.sunflower.c 132.236.56.250   3 u   77  128  355   63.836  -14.753   5.360
-ntp2.ResComp.Be 128.32.206.55    3 u  126  128  377   22.112    7.311   2.022


Client:

ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 64.147.116.229  .ACTS.           1 u   47  128    0   13.543    0.567   0.000
*nist1-chi.ustim .ACTS.           1 u   25  128  377  106.619   14.458   5.896
+name3.glorb.com 69.36.224.15     2 u   64  128  377   88.564  -27.542   3.631
+131.211.8.244   .PPS.            1 u   81  128  377  167.107    3.259   2.340




The only setting I change in sshd_config is to turn off password auth 
but this machine is being brought up behind a firewall and I haven't 
done that yet.  Also if it was a config problem I doubt changing the key 
would fix it, even temporarily.


I will report back with the ssh -vv stuff when it happens again.
At least now I have a chance of figuring out what's going on.

Best,
Joe


On 11/21/2012 02:30 PM, Tam Nguyen wrote:

Hi Joe,
Did you look at the sshd_config file?
I ran into a similar error output but it may not necessarily be the 
same issue you're having.  In my case, the sshd_conf file on one of my 
users machine was edited and renamed.  I backup that file and copy a 
default sshd_config file, then test it.


Good luck.
-T

On Wed, Nov 21, 2012 at 5:16 PM, Joseph Areeda newsre...@areeda.com wrote:


I can't figure out what causes this error.

I can fix it by regenerating the server key on the system I'm
trying to connect to and restarting sshd but that seems to be
temporary as the same problem comes back in a week or so.
 Rebooting the server does not fix it.

Does anyone know what that error means?  I am using ssh not gsissh
although I do have globus toolkit installed to contact grid computers.

I'm pretty sure it's a misconfiguration on my part but I can't
figure out what I did or didn't do.

Thanks,

Joe




RE: ssh returns Permission denied (gssapi-keyex,gssapi-with-mic).

2012-11-21 Thread Steven C Timm
Shouldn't need to regenerate the keys.. once you get them generated once they 
should be good for the life of the machine.
Save copies of the keys as they are now and if your system goes bad, do 
differences to see what changed, if anything.

Steve Timm


From: owner-scientific-linux-us...@listserv.fnal.gov 
[mailto:owner-scientific-linux-us...@listserv.fnal.gov] On Behalf Of Joseph 
Areeda
Sent: Wednesday, November 21, 2012 5:46 PM
To: owner-scientific-linux-us...@listserv.fnal.gov
Cc: scientific-linux-users
Subject: Re: ssh returns Permission denied (gssapi-keyex,gssapi-with-mic).

Thank you Tam, and Steven,

I just confirmed that regenerating the keys (ssh-keygen -t dsa -f 
ssh_host_dsa_key  ssh -t rsa -f ssh_host_rsa_key) in /etc/ssh fixes the 
problem

So ssh -vv shows me how it's supposed to look.  I'll save that and do a diff 
when it happens again.

As I continue my googling I can report on a few things it's not

Server machine has a fixed ip address and dns/rdns appears working.

Time issue Steven mentioned does not seem to be it, although I may stop using 
pool machines and set up a local ntp server so everybody gets the same time.  I 
can ssh and gsissh to other servers.

Server:
ntpq -p

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ping-audit-207- .ACTS.           1 u    5  128  377   19.867    5.804   1.927
+10504.x.rootbsd 198.30.92.2      2 u  129  128  376   45.146  -28.571   5.558
+ntp.sunflower.c 132.236.56.250   3 u   77  128  355   63.836  -14.753   5.360
-ntp2.ResComp.Be 128.32.206.55    3 u  126  128  377   22.112    7.311   2.022

Client:

ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 64.147.116.229  .ACTS.           1 u   47  128    0   13.543    0.567   0.000
*nist1-chi.ustim .ACTS.           1 u   25  128  377  106.619   14.458   5.896
+name3.glorb.com 69.36.224.15     2 u   64  128  377   88.564  -27.542   3.631
+131.211.8.244   .PPS.            1 u   81  128  377  167.107    3.259   2.340



The only setting I change in sshd_config is to turn off password auth but this 
machine is being brought up behind a firewall and I haven't done that yet.  
Also if it was a config problem I doubt changing the key would fix it, even 
temporarily.

I will report back with the ssh -vv stuff when it happens again.
At least now I have a chance of figuring out what's going on.

Best,
Joe


On 11/21/2012 02:30 PM, Tam Nguyen wrote:
Hi Joe,
Did you look at the sshd_config file?
I ran into a similar error output but it may not necessarily be the same issue 
you're having.  In my case, the sshd_conf file on one of my users machine was 
edited and renamed.  I backup that file and copy a default sshd_config file, 
then test it.

Good luck.
-T
On Wed, Nov 21, 2012 at 5:16 PM, Joseph Areeda newsre...@areeda.com wrote:
I can't figure out what causes this error.

I can fix it by regenerating the server key on the system I'm trying to 
connect to and restarting sshd but that seems to be temporary as the same 
problem comes back in a week or so.  Rebooting the server does not fix it.

Does anyone know what that error means?  I am using ssh not gsissh although I 
do have globus toolkit installed to contact grid computers.

I'm pretty sure it's a misconfiguration on my part but I can't figure out what 
I did or didn't do.

Thanks,

Joe



RE: ssh returns Permission denied (gssapi-keyex,gssapi-with-mic).

2012-11-21 Thread Paul Robert Marino
On Nov 21, 2012 7:57 PM, Paul Robert Marino prmari...@gmail.com wrote:

 Ok
 To be clear, are you using kerberos or not?
 If the answer is no and you are just using ssh keys the most common cause
 of this issue is that the user's home directory is group or world readable.
 In the most secure mode which is the default if the user's home and or the
 ~/.ssh directory has anything other than 700 or 500 set as the
 permissions it will reject the public key (the one on the server you are
 trying to connect to). This becomes obvious with -vvv but not -vv
  On Nov 21, 2012 7:34 PM, Steven C Timm t...@fnal.gov wrote:

  Shouldn’t need to regenerate the keys.. once you get them generated
 once they should be good for the life of the machine.

 Save copies of the keys as they are now and if your system goes bad, do
 differences to see what changed, if anything.


 Steve Timm


 *From:* owner-scientific-linux-us...@listserv.fnal.gov [mailto:
 owner-scientific-linux-us...@listserv.fnal.gov] *On Behalf Of *Joseph
 Areeda
 *Sent:* Wednesday, November 21, 2012 5:46 PM
 *To:* owner-scientific-linux-us...@listserv.fnal.gov
 *Cc:* scientific-linux-users
 *Subject:* Re: ssh returns Permission denied
 (gssapi-keyex,gssapi-with-mic).


 Thank you Tam, and Steven,

 I just confirmed that regenerating the keys (ssh-keygen -t dsa -f
 ssh_host_dsa_key  ssh -t rsa -f ssh_host_rsa_key) in /etc/ssh fixes the
 problem

 So ssh -vv shows me how it's supposed to look.  I'll save that and do a
 diff when it happens again.

 As I continue my googling I can report on a few things it's not

 Server machine has a fixed ip address and dns/rdns appears working.

 Time issue Steven mentioned does not seem to be it, although I may stop
 using pool machines and set up a local ntp server so everybody gets the
 same time.  I can ssh and gsissh to other servers.

 Server:
 ntpq -p

 

      remote           refid      st t when poll reach   delay   offset  jitter
 ==============================================================================
 *ping-audit-207- .ACTS.           1 u    5  128  377   19.867    5.804   1.927
 +10504.x.rootbsd 198.30.92.2      2 u  129  128  376   45.146  -28.571   5.558
 +ntp.sunflower.c 132.236.56.250   3 u   77  128  355   63.836  -14.753   5.360
 -ntp2.ResComp.Be 128.32.206.55    3 u  126  128  377   22.112    7.311   2.022


 Client:

 

 ntpq -p
      remote           refid      st t when poll reach   delay   offset  jitter
 ==============================================================================
  64.147.116.229  .ACTS.           1 u   47  128    0   13.543    0.567   0.000
 *nist1-chi.ustim .ACTS.           1 u   25  128  377  106.619   14.458   5.896
 +name3.glorb.com 69.36.224.15     2 u   64  128  377   88.564  -27.542   3.631
 +131.211.8.244   .PPS.            1 u   81  128  377  167.107    3.259   2.340




 The only setting I change in sshd_config is to turn off password auth but
 this machine is being brought up behind a firewall and I haven't done that
 yet.  Also if it was a config problem I doubt changing the key would fix
 it, even temporarily.

 I will report back with the ssh -vv stuff when it happens again.
 At least now I have a chance of figuring out what's going on.

 Best,
 Joe


 On 11/21/2012 02:30 PM, Tam Nguyen wrote: 

 Hi Joe, 

 Did you look at the sshd_config file?  

 I ran into a similar error output but it may not necessarily be the same
 issue you're having.  In my case, the sshd_conf file on one of my users
 machine was edited and renamed.  I backup that file and copy a default
 sshd_config file, then test it.  


 Good luck.

 -T

 On Wed, Nov 21, 2012 at 5:16 PM, Joseph Areeda newsre...@areeda.com
 wrote:

 I can't figure out what causes this error.

 I can fix it by regenerating the server key on the system I'm trying to
 connect to and restarting sshd but that seems to be temporary as the same
 problem comes back in a week or so.  Rebooting the server does not fix it.

 Does anyone know what that error means?  I am using ssh not gsissh
 although I do have globus toolkit installed to contact grid computers.

 I'm pretty sure it's a misconfiguration on my part but I can't figure out
 what I did or didn't do.

 Thanks,

 Joe
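
Added example (not part of any message in the thread): a check of `ntpq -p` output against a clock-skew tolerance, run on the client rows quoted above with their column spacing restored. The 300-second limit is the MIT Kerberos default `clockskew`, assumed here because the failing methods are GSSAPI ones; the function names are hypothetical.

```python
KRB5_DEFAULT_CLOCKSKEW_S = 300   # MIT Kerberos default tolerance (assumed limit)
TALLY_CODES = " x.-+#*o"         # first column of each ntpq peer row

# Client rows from the thread's `ntpq -p` output, column spacing restored.
CLIENT_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 64.147.116.229  .ACTS.           1 u   47  128    0   13.543    0.567   0.000
*nist1-chi.ustim .ACTS.           1 u   25  128  377  106.619   14.458   5.896
+name3.glorb.com 69.36.224.15     2 u   64  128  377   88.564  -27.542   3.631
+131.211.8.244   .PPS.            1 u   81  128  377  167.107    3.259   2.340
"""


def parse_ntpq(text):
    """Return one dict per peer row of `ntpq -p` output."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("remote", "=")):
            continue                      # blank line, header or rule
        has_tally = line[0] in TALLY_CODES
        fields = (line[1:] if has_tally else line).split()
        if len(fields) != 10:
            continue                      # not a peer row
        peers.append({
            "tally": line[0] if has_tally else " ",
            "remote": fields[0],
            "reach": int(fields[6], 8),   # reach is an octal shift register
            "offset_ms": float(fields[8]),
        })
    return peers


def clock_report(text, max_skew_s=KRB5_DEFAULT_CLOCKSKEW_S):
    """Summarise sync state and compare the worst offset with max_skew_s."""
    peers = parse_ntpq(text)
    sys_peer = next((p for p in peers if p["tally"] == "*"), None)
    reachable = [p for p in peers if p["reach"] != 0]
    worst_ms = max((abs(p["offset_ms"]) for p in reachable), default=None)
    return {
        "sys_peer": sys_peer["remote"] if sys_peer else None,
        "sys_offset_ms": sys_peer["offset_ms"] if sys_peer else None,
        "worst_offset_ms": worst_ms,
        "unreachable": [p["remote"] for p in peers if p["reach"] == 0],
        "within_skew": bool(sys_peer) and worst_ms is not None
                       and worst_ms / 1000.0 < max_skew_s,
    }


if __name__ == "__main__":
    print(clock_report(CLIENT_NTPQ))
```

The offsets are in milliseconds relative to each time source, so a host is only judged against the tolerance when it has a selected peer (`*`) to measure from.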





Re: ssh returns Permission denied (gssapi-keyex,gssapi-with-mic).

2012-11-21 Thread Joseph Areeda

Thank you Paul, Steven and Steve,

I think Kerberos may be the issue.  I do NOT use Kerberos to access this 
machine, I have a lot to learn before I turn that and LDAP on.  But I do 
use it to access several services in our collaboration so the client 
machine often has a valid Kerberos TGT (and probably more often an 
expired ticket).  I think it's worth experimenting with the client in 
different states of Kerberosity (or whatever that word should be).


The user's directory is 755 which is the convention for grid computers 
in our collaboration and the plan is for this machine to be on our soon 
to be delivered cluster.  The .ssh directory is 700.  This doesn't 
change between the working and non-working state.


I tarred the /etc/ssh directory and saved it for next time but wouldn't 
generating new keys make them almost completely different?  Generating 
new keys makes no sense to me either, but it does work.  Well, at least 
it has been the only thing I've done coincident with resolving the 
problem the last 3 times this has happened.


I also save the triple verbose ssh output.

I really appreciate the discussion gentlemen, it helps a lot.

Best,
Joe

On 11/21/2012 04:58 PM, Paul Robert Marino wrote:
On Nov 21, 2012 7:57 PM, Paul Robert Marino prmari...@gmail.com wrote:


Ok.
To be clear, are you using Kerberos or not?
If the answer is no and you are just using ssh keys, the most
common cause of this issue is that the user's home directory is
group or world readable. In the most secure mode, which is the
default, if the user's home and/or the ~/.ssh directory has
anything other than 700 or 500 set as the permissions, it will
reject the public key (the one on the server you are trying to
connect to). This becomes obvious with -vvv but not -vv.

On Nov 21, 2012 7:34 PM, Steven C Timm t...@fnal.gov wrote:

Shouldn’t need to regenerate the keys. Once you get them
generated once they should be good for the life of the machine.

Save copies of the keys as they are now and if your system
goes bad, do differences to see what changed, if anything.

Steve Timm

From: owner-scientific-linux-us...@listserv.fnal.gov
[mailto:owner-scientific-linux-us...@listserv.fnal.gov] On Behalf Of Joseph Areeda
Sent: Wednesday, November 21, 2012 5:46 PM
To: owner-scientific-linux-us...@listserv.fnal.gov
Cc: scientific-linux-users
Subject: Re: ssh returns Permission denied (gssapi-keyex,gssapi-with-mic).

Thank you Tam, and Steven,

I just confirmed that regenerating the keys (ssh-keygen -t dsa
-f ssh_host_dsa_key  ssh -t rsa -f ssh_host_rsa_key) in
/etc/ssh fixes the problem

So ssh -vv shows me how it's supposed to look.  I'll save that
and do a diff when it happens again.

As I continue my googling I can report on a few things it's not:

Server machine has a fixed ip address and dns/rdns appears
working.

Time issue Steven mentioned does not seem to be it, although I
may stop using pool machines and set up a local ntp server so
everybody gets the same time.  I can ssh and gsissh to other
servers.

Server:
ntpq -p

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ping-audit-207- .ACTS.           1 u    5  128  377   19.867    5.804   1.927
+10504.x.rootbsd 198.30.92.2      2 u  129  128  376   45.146  -28.571   5.558
+ntp.sunflower.c 132.236.56.250   3 u   77  128  355   63.836  -14.753   5.360
-ntp2.ResComp.Be 128.32.206.55    3 u  126  128  377   22.112    7.311   2.022


Client:

ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 64.147.116.229  .ACTS.           1 u   47  128    0   13.543    0.567   0.000
*nist1-chi.ustim .ACTS.           1 u   25  128  377  106.619   14.458   5.896
+name3.glorb.com 69.36.224.15     2 u   64  128  377   88.564  -27.542   3.631
+131.211.8.244   .PPS.            1 u   81  128  377  167.107    3.259   2.340





The only setting I change in sshd_config is to turn off
password auth but this machine is being brought up behind a
firewall and I haven't done