cluster:157 [2017/03/29 13:47] hmeij07 |
cluster:157 [2017/03/29 13:52] hmeij07 |
** SSH public key authentication** | ** SSH public key authentication** |
| |
[need a way to collect key files, push them out, and manage passwd/shadow/group UID/GID so they do clash] | [need a way to collect key files, push them out, and manage passwd/shadow/group unique UID/GID so they do clash, like weshmeij, lafjsimms] |
| |
In the ''/etc/ssh/sshd_config'' file, specify the path to user SSH public key files using a description like: | In the ''/etc/ssh/sshd_config'' file, specify the path to user SSH public key files using a description like: |
drwxr-xr-x. 3 root root 4096 Nov 9 14:02 /etc/ssh | drwxr-xr-x. 3 root root 4096 Nov 9 14:02 /etc/ssh |
drwxr-xr-x 2 root root 4096 Nov 9 14:01 /etc/ssh/authorized_keys | drwxr-xr-x 2 root root 4096 Nov 9 14:01 /etc/ssh/authorized_keys |
| -rwxr-xr-x 2 root root 1024 Mar 29 11:01 /etc/ssh/authorized_keys/weshmeij |
| |
</code> | </code> |
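Review bot: the file added to the listing, `-rwxr-xr-x 2 root root 1024 Mar 29 11:01 /etc/ssh/authorized_keys/weshmeij`, carries an execute bit that a public key file never needs; 0644 (or tighter) owned by root is enough, and sshd's default StrictModes check will refuse the key if this file or any directory above it becomes group- or world-writable, so the listing is a good place to state that expectation. The sentence above it says to "specify the path to user SSH public key files" in sshd_config but the directive itself never appears in either revision; quoting the actual line, e.g. `AuthorizedKeysFile /etc/ssh/authorized_keys/%u`, would make the listing self-explanatory. Lastly, "unique UID/GID so they do clash" reads as a typo for "so they do not clash" and survived the edit.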
<code> | <code> |
| |
1. install pam by run commands "yum install pam", "yum install pam_krb5", and "yum install pam_ssh". The last package is needed on a log-in node, it's not required on compute nodes. | 1. install pam by run commands "yum install pam", "yum install pam_krb5", and "yum install pam_ssh". |
| The last package is needed on a log-in node, it's not required on compute nodes. |
| |
2. Modify /etc/krb5.conf as below | 2. Modify /etc/krb5.conf as below |
| |
(Note for historical reasons we use both upper case and lower case for our kerberos domains. Both resolkve to the same thing. You may not need this - try it and see.) | (Note for historical reasons we use both upper case and lower case for our kerberos domains. |
| Both resolve to the same thing. You may not need this - try it and see.) |
| |
| |
Banner /etc/banner | Banner /etc/banner |
| |
8. Modify /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac as follows, making any changes needed to fit this into your setup. | 8. Modify /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac as follows, |
| making any changes needed to fit this into your setup. |
| |
| |
service sshd reload | service sshd reload |
service ntpd restart | service ntpd restart |
ntpdate your-univ-ntp-server (e.g., ntp.myuniversiry.edu) (optional, if the difference of the system time to the ntp server time is too long, this command can synchronize the system time to the ntp server) | ntpdate your-univ-ntp-server (e.g., ntp.myuniversiry.edu) |
| |
10. If all the above steps are done but it still doesn't work, try running some or all of the following | (optional, if the difference of the system time to the ntp server time is too long, |
| this command can synchronize the system time to the ntp server) |
| |
| 10. If all the above steps are done but it still doesn't work, try running some |
| or all of the following |
| |
authconfig --test //If the output shows "pam_krb5 is disabled", run "authconfig --enablekrb5 --update" to enable it. If the output shows "pam_krb5 is enabled" and "krb5 kdc via dns is disabled", modify /etc/krb5.conf to make sure it has "dns_lookup_realm = true", and run "service sshd restart" to load the settings then check again. | |
| authconfig --test //If the output shows "pam_krb5 is disabled", |
| run "authconfig --enablekrb5 --update" to enable it. If the output shows |
| "pam_krb5 is enabled" and "krb5 kdc via dns is disabled", |
| modify /etc/krb5.conf to make sure it has "dns_lookup_realm = true", |
| and run "service sshd restart" to load the settings then check again. |
| |
</code> | </code> |
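Review bot: step 10 tells the reader to fix "krb5 kdc via dns is disabled" by setting `dns_lookup_realm = true` in /etc/krb5.conf, but that flag governs realm lookup; the KDC-via-DNS switch that authconfig reports is `dns_lookup_kdc = true`, so the instruction as written will not change the reported state and should name the right key (setting both is harmless). In step 9 the `ntpdate` call is placed after `service ntpd restart`; ntpdate cannot bind the NTP port while ntpd is running, so the order should be stop ntpd, run ntpdate, then start ntpd, or drop ntpdate and let ntpd step the clock. Two small things carried over unchanged: "install pam by run commands" should read "by running the commands", and the example host `ntp.myuniversiry.edu` is misspelled.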