Advanced Connection Options

From FarmShare



Public Key Authentication

Public key authentication is not supported on FarmShare systems.

GSSAPI Authentication


FarmShare systems do support password-less authentication using GSSAPI if you have a valid Kerberos ticket for the stanford.edu realm.

OpenSSH

On macOS and Linux systems you can enable GSSAPI by adding the following lines to ~/.ssh/config on your local system.

Apple's OpenSSH on recent versions of macOS no longer recognizes the GSSAPIKeyExchange option (GSSAPI key exchange is a downstream patch, not part of upstream OpenSSH), and ssh treats an unrecognized option as a fatal configuration error. You can either omit the option or, if you prefer to keep one configuration across systems, add IgnoreUnknown GSSAPIKeyExchange to your ~/.ssh/config file. Put the IgnoreUnknown line before the first use of GSSAPIKeyExchange: it only applies to options that appear after it.

In some cases GSSAPI authentication is enabled by default, but ssh will not delegate (forward) your Kerberos ticket to the remote system. This can be inconvenient, especially in the legacy FarmShare environment, or when you expect to access AFS on rice, because without a delegated ticket the remote side has no credentials to obtain AFS tokens on your behalf. You can enable delegation by adding GSSAPIDelegateCredentials yes to ~/.ssh/config, but a delegated ticket lets the remote host act as you towards any other Kerberized service until the ticket expires, so do so only for systems you trust. To restrict the option, put it inside a Host block for those systems rather than under Host *; ssh keeps the first value it finds for an option, so that Host block must come before any more general section that sets it.

See the man page for ssh_config for more information on GSSAPI options.

PuTTY

PuTTY supports GSSAPI authentication by default; to enable credential delegation (ticket forwarding), select Connection → SSH → Auth → GSSAPI → Allow GSSAPI credential delegation.

SecureCRT

SecureCRT supports GSSAPI authentication, but it is disabled by default. To enable GSSAPI, open the Session Options dialog and select Connection → SSH2 → Authentication → GSSAPI and Connection → SSH2 → Key exchange → Kerberos (Group Exchange). SecureCRT attempts authentication and key exchange methods in the order listed, so these methods should be moved to the top of their respective lists. Delegation is enabled by default when GSSAPI authentication is selected, so turn it off for systems you do not trust.

Two-step Authentication

You can avoid some of the inconvenience of two-step authentication by using ssh multiplexing. This feature creates a master session on the initial connection to a particular host; subsequent sessions to that host are tunneled over the existing connection, so no further authentication is required. The master session can be configured to remain open after you have closed the initial connection using the ControlPersist option. Because anyone who can open the control socket gets an already-authenticated session, keep the ControlPath socket in a directory only you can access (mode 0700), not in a shared location such as /tmp. On macOS and Linux systems you can add the following lines to the ~/.ssh/config file on your local system to enable multiplexing.

Note that while PuTTY and SecureCRT support multiplexing, they do not support ControlPersist, so the feature is of less utility for this purpose on Windows systems.

If you'd like to learn more, the OpenSSH Cookbook has a good introduction to multiplexing.

Keep-alive

A connection that is left open but idle might be closed after some time. Many SSH clients have a keep-alive feature that can be used to prevent idle disconnections.

OpenSSH


Add the following line to ~/.ssh/config on your local system.

PuTTY

Select Connection → Sending of null packets to keep session active → Seconds between keepalives (0 to turn off): 60, and Connection → Low-level TCP connection options → Enable TCP keepalives (SO_KEEPALIVE option).

SecureCRT

In the Session Options dialog, select Terminal → Anti-idle → Send protocol NO-OP every 60 seconds.

Sharing Host Keys

FarmShare consists of many individual nodes, grouped by function: login (or interactive use), compute, and GPU. Each group of systems shares an SSH host key, so you can use the HostKeyAlias option to have OpenSSH record that key once, under a single alias in known_hosts, and check every system in the group against it. This saves the host-key prompt when you first connect to a system in a group after having connected to another system in the same group. If a node's key ever differs from the group's, ssh still reports a host-key mismatch, which is the failure you want.

Mosh


Mosh is also supported for interactive terminal sessions. Mosh connections are more responsive under high-latency conditions, and can persist when your network changes or while your computer sleeps. Mosh uses ssh for the initial connection and authentication, so the GSSAPI settings above apply to it as well; only the session itself runs over Mosh's own UDP protocol. The native Mosh client is available on macOS and Linux; on Windows you can use MobaXterm or the Mosh extension for Chrome.

Suggested OpenSSH Configuration


The options described above are collected here into a configuration that should be safe and convenient for most users connecting from macOS and Linux systems.
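The following script is an added example, not configuration from the FarmShare wiki: it assembles the options from the GSSAPI Authentication, Two-step Authentication, Keep-alive and Sharing Host Keys sections into one ~/.ssh/config fragment and then checks it. The rice login-node pattern comes from this page; the wheat compute-group name, the ~/.ssh/sockets location, the 10-minute ControlPersist and the 60-second keep-alive interval are assumptions made for illustration.

```sh
#!/bin/sh
# Added example; not the FarmShare wiki's own configuration. It assembles the
# options this page discusses (GSSAPI authentication with delegation limited to
# trusted hosts, multiplexing with ControlPersist, keep-alives, and one
# HostKeyAlias per node group) into a ~/.ssh/config fragment, then checks the
# two details that are easy to get wrong: the socket directory's permissions
# and what ssh actually resolves for a given host.
# Assumptions for illustration: "rice" is the login group's hostname pattern,
# "wheat" stands in for a compute group, sockets live under ~/.ssh/sockets.

set -eu

# Print the fragment. ssh_config keeps the FIRST value it finds for an option,
# so the narrow Host blocks come before the broad *.stanford.edu block, and
# IgnoreUnknown precedes the option it is meant to suppress.
suggested_config() {
    cat <<'EOF'
# Tolerate builds (e.g. recent macOS) without the GSSAPIKeyExchange patch.
IgnoreUnknown GSSAPIKeyExchange

# Login nodes share one host key: check every rice?? node against a single
# known_hosts entry, and delegate the ticket only to these trusted nodes.
Host rice rice?? rice.stanford.edu rice??.stanford.edu
    HostKeyAlias rice.stanford.edu
    GSSAPIDelegateCredentials yes

# Compute group (assumed name): shared host key, no ticket delegation.
Host wheat wheat?? wheat.stanford.edu wheat??.stanford.edu
    HostKeyAlias wheat.stanford.edu

# Defaults for every FarmShare host, short names included.
Host rice rice?? wheat wheat?? *.stanford.edu
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    GSSAPIDelegateCredentials no
    ControlMaster auto
    ControlPath ~/.ssh/sockets/%C
    ControlPersist 10m
    ServerAliveInterval 60
    ServerAliveCountMax 3
EOF
}

# Create the ControlPath directory and make it private. Anyone who can open a
# multiplexing socket inherits the authenticated session, so nobody else may
# read or traverse the directory. Succeeds only if the mode ends up 0700.
ensure_socket_dir() {
    dir=$1
    mkdir -p "$dir"
    chmod 700 "$dir"
    [ "$(ls -ld "$dir" | cut -c1-10)" = "drwx------" ]
}

# Ask ssh how it resolves the fragment for one host (ssh -G, OpenSSH 6.8+).
# Prints "<hostkeyalias> <delegate> <controlpersist>", with "-" for an option
# the build does not report, or "unknown" when ssh is missing or too old.
effective() {
    cfg=$1; host=$2
    command -v ssh >/dev/null 2>&1 || { echo unknown; return 0; }
    out=$(ssh -G -F "$cfg" "$host" 2>/dev/null || true)
    [ -n "$out" ] || { echo unknown; return 0; }
    printf '%s\n' "$out" | awk '
        $1 == "hostkeyalias"              { a = $2 }
        $1 == "gssapidelegatecredentials" { d = $2 }
        $1 == "controlpersist"            { p = $2 }
        END { print (a == "" ? "-" : a), (d == "" ? "-" : d), (p == "" ? "-" : p) }'
}

# Usage: write the fragment to a scratch file, create a private socket
# directory (in real use: ~/.ssh/sockets), and show the resolved values for a
# login node and a compute node.
cfg=$(mktemp)
suggested_config > "$cfg"
sockdir="${TMPDIR:-/tmp}/sockets-demo-$$"
ensure_socket_dir "$sockdir" && echo "socket dir $sockdir is private (0700)"
echo "rice01.stanford.edu : $(effective "$cfg" rice01.stanford.edu)"
echo "wheat01.stanford.edu: $(effective "$cfg" wheat01.stanford.edu)"
rm -rf "$sockdir" "$cfg"
```

Run it on the machine you connect from. The permissions check matters because a multiplexed session is reused without re-authentication: the socket is as sensitive as a logged-in shell. The ssh -G check reports how ssh merges the blocks; if it shows delegation yes for a host you did not mean to trust, a more general section is setting the option before your Host block.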


Retrieved from 'https://web.stanford.edu/group/farmshare/cgi-bin/wiki/index.php/Advanced_Connection_Options'