Setting up SSH on Ubuntu
On CSAIL Ubuntu, sshd is enabled by default, but without the “keytab” file necessary for Kerberos-based passwordless login, so some of these steps are necessary there as well. There are five steps you need to take to turn on SSH and enable passwordless remote login using your Kerberos tickets:
- First, ensure that your machine has a stable hostname (that is, <hostname>.csail.mit.edu does not contain “dynamic”). If it does, register a hostname first in WebDNS (CSAIL Login required), then dhreg (CSAIL Login required).
- Ask the sysadmins to generate a keytab for your host (e-mail help@csail.mit.edu with the name of your machine).
- Install the keytab. From the machine:
sudo install -o root -g root -m 600 /afs/csail/group/tig/keytabs/$USER/$HOSTNAME.keytab \
/etc/krb5.keytab
(If you are using tcsh, substitute the name of your machine for $HOSTNAME.)
- Remove the keytab from afs:
rm /afs/csail.mit.edu/group/tig/keytabs/$USER/$HOSTNAME.keytab
- (Re)start sshd:
sudo rm /etc/ssh/sshd_not_to_be_run
sudo /etc/init.d/ssh restart
/etc/ssh/sshd_not_to_be_run won’t be there on CSAIL Linux machines, nor on servers, so don’t worry if you get an error from that command. But if it is there you’ll need to remove it.
To test your readiness for the upcoming ssh changes you will need to create a ~/.ssh/config file as described below. When the MFA requirement is live this config will no longer be necessary, as it will be included in the system default configs.
HashKnownHosts yes
VerifyHostKeyDNS ask
CanonicalizeHostname always
CanonicalDomains csail.mit.edu
# all CSAIL hosts use GSSAPI
Host *.csail.mit.edu 128.52.* 128.30.*
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
# For non-CSAIL Ubuntu add
# User <CSAIL UserName>
# jumps reuse existing connections
# note "ControlPath" must exist and cannot be in AFS
# /afs/csail.mit.edu/system/common/etc/profile.csail (and friends) does this on
# CSAILLinux systems
Host mfa-jump.csail.mit.edu jump.csail.mit.edu
ForwardAgent yes
GSSAPIDelegateCredentials yes
ControlMaster auto
ControlPersist 1800
ControlPath /run/user/%i/cm_socket/%C
# For non-CSAIL Ubuntu replace ControlPath with
# ControlPath ~/.ssh/cm_socket/%C
# This directory must be manually created!
# CSAIL hosts except jumphosts get GSSAPIDelegateCredentials for AFS
Host *.csail.mit.edu !mfa-jump.csail.mit.edu !jump.csail.mit.edu 128.52.* 128.30.* 128.31.*
ProxyJump mfa-jump.csail.mit.edu
GSSAPIDelegateCredentials yes
# if you ssh to ATHENA systems
# uncomment the lines below
# and edit to include your ATHENA Username
#Host !*.csail.mit.edu *.mit.edu
# User <ATHENA_USERNAME>
# GSSAPIAuthentication yes
# GSSAPIDelegateCredentials yes
# GSSAPIKeyExchange yes
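As an added example (not from the CSAIL page), the checks below turn the keytab steps and the ControlPath requirement of the config above into shell functions you can run on the machine before and after following them; the script name ssh-preflight.sh and the path/owner parameters are assumptions made so the checks can also be exercised on scratch files.

```shell
#!/bin/sh
# Pre-flight checks for the steps above (added example, not from the CSAIL
# page). Each check is a function returning 0 on success; paths and the
# expected owner are parameters so the checks can run on scratch files.

# Step 1: the FQDN must be a CSAIL name and must not be a DHCP "dynamic" name.
stable_csail_hostname() {
  case "$1" in
    *dynamic*)       return 1 ;;   # register a name in WebDNS and dhreg first
    *.csail.mit.edu) return 0 ;;
    *)               return 1 ;;   # not a CSAIL hostname at all
  esac
}

# Step 3: /etc/krb5.keytab holds the host's long-term Kerberos key, so it
# must exist, be mode 600 and be owned by root (the install command above
# sets exactly that). stat -c is GNU coreutils, as on Ubuntu.
keytab_perms_ok() {
  f="$1"; want_owner="${2:-root}"
  [ -f "$f" ] || { echo "$f: not installed"; return 1; }
  mode=$(stat -c '%a' "$f") && owner=$(stat -c '%U' "$f") || return 1
  [ "$mode" = 600 ] || { echo "$f: mode $mode, expected 600"; return 1; }
  [ "$owner" = "$want_owner" ] || { echo "$f: owner $owner, expected $want_owner"; return 1; }
}

# Step 4: the copy left in AFS must be gone once the keytab is installed.
afs_keytab_removed() { [ ! -e "$1" ]; }

# ssh config: the ControlPath directory must already exist, must not be in
# AFS (Unix sockets cannot be created there) and should be private to you.
controlpath_dir_ok() {
  dir=$(dirname "$1")   # ~/.ssh/cm_socket/%C -> ~/.ssh/cm_socket
  case "$dir" in /afs/*) echo "$dir: ControlPath cannot be in AFS"; return 1 ;; esac
  [ -d "$dir" ] || { echo "$dir: missing; run mkdir -m 700 -p \"$dir\""; return 1; }
  [ "$(stat -c '%a' "$dir")" = 700 ] || { echo "$dir: expected mode 700"; return 1; }
}

# Check this host: sh ssh-preflight.sh --run   (file name is an assumption)
if [ "${1:-}" = "--run" ]; then
  stable_csail_hostname "$(hostname -f)" && echo "hostname ok"
  keytab_perms_ok /etc/krb5.keytab && echo "keytab ok"
  afs_keytab_removed "/afs/csail.mit.edu/group/tig/keytabs/$USER/$(hostname).keytab" && echo "AFS copy removed"
  controlpath_dir_ok "$HOME/.ssh/cm_socket/%C" && echo "ControlPath ok"
fi
```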