SSH / OpenSSH for Fermi Linux 7.3.1
Fermi Linux 7.3.1 is the first Fermi distribution that is able to use OpenSSH.
This is mainly due to the efforts of Kevin Hill, who managed to get
OpenSSH to use Fermi's kerberos and kept us up to date with the OpenSSH
security patches. Using OpenSSH has made us more compatible with the
outside world. This is because we were still using ssh1 protocols,
and because of security concerns, most of the rest of the world is not allowing
ssh1 clients to connect to their ssh2+ daemons. (In layman's terms, people
aren't letting our machines running ssh-1.2.27g log into their machines
running OpenSSH.)
But moving Fermilab's machines to OpenSSH has created a new problem.
The openssh server cannot get kerberos tickets in such a way that it can
forward them, or use them to get AFS tokens, when a 1.2.27g client connects.
This isn't a minor glitch; it is a major design flaw of 1.2.x ssh. It's the
same reason we had to have you change your /bin/login to our kerberized
/bin/login if you wanted to do cryptocard login.
This has created two major hurdles:
A) The user cannot just go to another machine via a kerberized means, they must do a kinit first.
B) They will not automatically get AFS tokens if the machine has AFS installed.
This is especially problematic if the user's home area is in AFS.
But the good news is that the old ssh-1.2.27g server works fine on Fermi
Linux 7.3.1. It will allow both OpenSSH and older ssh-1.2.27g clients
to connect to it, and does what is expected with the kerberos tickets for
both. Despite that, we are reluctant to just install the ssh-1.2.27g
server on everyone's machine by default. This is because we are trying
to phase out our release of ssh-1.2.27, and move the lab to OpenSSH. We
understand this will take some time, but this is a big first step.
For the most part, the workgroup maintainers will decide if your workgroup
gets the ssh-server, or the openssh-server. But many of you may wish
to pick them on your own, or you might be a workgroup maintainer wondering
how you should decide.
Who Should Use The OpenSSH-Server and Who Should Use The SSH-Server
ssh-server
- If your machine will be accessed from all sorts of different machines AND
- Users' home areas are in AFS space
- Users will be jumping from your machine to others (i.e. telnet, rsh, ssh)
- Example: FNALU machines
openssh-server
- If your machine will be accessed from all sorts of different machines BUT
- users' home areas aren't in AFS space
- users aren't expected to jump from your machine to others
- Example: Farm workers
- If there is only very limited access to your machine
What to have installed when using the ssh-server
- ssh-server
- (optional) krb5-login-fermi
- openssh
- openssh-clients
- (optional) openssh-askpass
- (optional) openssh-askpass-gnome
How to change from an openssh-server to a ssh-server
Please note that this is for Fermi Linux 7.3.1 machines, where yum is installed
by default. If for some reason you do not have yum, use the equivalent
rpm commands, and get the ssh-server from ftp://linux.fnal.gov/linux/contrib/ssh/ and the krb5-login-fermi from ftp://linux.fnal.gov/linux/contrib/kerberos/73x/
- cp /etc/ssh/ssh_host_key* /etc
- yum remove openssh-server
- yum install ssh-server
- (optional) yum install krb5-login-fermi
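A script for the switch above that checks the host key really was preserved before the OpenSSH server is removed, so clients that already trust this host do not get a host-key-changed warning after the swap. This is an added example, not part of this note or the Fermi Linux packages; it assumes the ssh-1.2.27g server reads its host key from /etc, as the cp step implies, and takes the directories as parameters so the check can be tried on a scratch directory first.

```shell
#!/bin/sh
# Added example, not from the original note. Preserves the existing host
# key identity before openssh-server is swapped for ssh-server, so clients
# that already trust this host do not get a host-key-changed warning.
# Assumption: the ssh-1.2.27g server reads ssh_host_key* from /etc, as the
# note's "cp /etc/ssh/ssh_host_key* /etc" step implies.

# preserve_host_keys SRC_DIR DST_DIR
# Copies every ssh_host_key* file from SRC_DIR to DST_DIR, refuses to
# overwrite a key already present in DST_DIR, verifies each copy
# byte-for-byte, and keeps the private key readable by root only.
preserve_host_keys() {
    src="$1"; dst="$2"; found=0
    for key in "$src"/ssh_host_key*; do
        [ -e "$key" ] || continue          # glob matched nothing
        found=1
        name=$(basename "$key")
        if [ -e "$dst/$name" ]; then
            echo "refusing to overwrite existing $dst/$name" >&2
            return 1
        fi
        cp -p "$key" "$dst/$name" || return 1
        cmp -s "$key" "$dst/$name" || { echo "copy of $name differs" >&2; return 1; }
        case "$name" in
            *.pub) chmod 644 "$dst/$name" ;;   # public half may be world-readable
            *)     chmod 600 "$dst/$name" ;;   # private half must not be
        esac
    done
    [ "$found" -eq 1 ] || { echo "no ssh_host_key* in $src" >&2; return 1; }
}

# The full switch from the note; runs only when invoked as "--switch" by
# root, so the function above can be sourced and tested on its own.
if [ "$1" = "--switch" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; exit 1; }
    preserve_host_keys /etc/ssh /etc || exit 1
    yum remove openssh-server || exit 1
    yum install ssh-server || exit 1
    # optional, for cryptocard login: yum install krb5-login-fermi
fi
```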
If you have any comments or questions, please write to
Troy Dawson
September 10, 2002