Configure ssh for Password-less Login to lxplus or Other Linux Boxen

If you have a valid Kerberos ticket, you can configure ssh to forward your credentials, allowing password-less connections to properly configured Linux boxen.

The necessary configuration can be applied in two places on your Mac:

  1. In /etc/ssh/ssh_config (not sshd_config!), which was /etc/ssh_config prior to OS 10.12. Settings in this file apply to all accounts on the Mac. Editing this file requires sudo privileges, but we will see further down why we want to edit it in any case.
  2. In ~/.ssh/config. Settings in this file apply to your account only.

You should only forward your credentials to hosts that are trustworthy. If you forward your credentials to a rogue host, you run the risk that somebody abuses them. So it is important to have the settings in question inside a 'Host' block for trusted hosts only! Do not put these settings in a 'Host *' block! In the following snippet the settings apply to the hosts "lxplus", "svn", "mylinuxbox" and all hosts matching "pcmydepmygroup*".

   #
   Host lxplus.cern.ch aiadm.cern.ch mylinuxbox.cern.ch pcmydepmygroup*.cern.ch
      GSSAPIAuthentication yes
      GSSAPIDelegateCredentials yes
   #...
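
The check below is an added example, not part of the original page: it scans ssh client configuration text and reports every place where GSSAPIDelegateCredentials yes would reach all hosts, or a wildcard Host pattern that is not anchored to a trusted domain. The function names, the sample configurations and the trusted suffix .cern.ch are assumptions made for the illustration.

```python
import re

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
_LINE = re.compile(r"^\s*([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*?)\s*$")

def is_broad(pattern, trusted_suffixes):
    """True if a Host pattern has a wildcard not anchored to a trusted domain."""
    if pattern.startswith("!"):      # negated patterns only exclude hosts
        return False
    wildcard = "*" in pattern or "?" in pattern
    return wildcard and not pattern.lower().endswith(tuple(trusted_suffixes))

def audit_delegation(config_text, trusted_suffixes=(".cern.ch",)):
    """Return [(line_no, scope)] for each GSSAPIDelegateCredentials yes that
    reaches hosts outside trusted_suffixes (an assumed, site-specific list)."""
    findings = []
    scope, broad = "global (before any Host line)", True
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        m = _LINE.match(raw)
        if not m:                    # blank lines and '#' comments
            continue
        key, value = m.group(1).lower(), m.group(2).replace('"', "")
        if key == "host":
            bad = [p for p in value.split() if is_broad(p, trusted_suffixes)]
            scope, broad = "Host " + " ".join(bad), bool(bad)
        elif key == "match":         # criteria not evaluated: review by hand
            scope, broad = "Match " + value, True
        elif key == "gssapidelegatecredentials" and value.lower() == "yes" and broad:
            findings.append((line_no, scope))
    return findings

# Constructed sample configurations (not taken from the page).
SCOPED = """\
Host lxplus.cern.ch aiadm.cern.ch pcmydepmygroup*.cern.ch
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
"""
TOO_BROAD = """\
Host lxplus*
    GSSAPIDelegateCredentials yes
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials = yes
"""

if __name__ == "__main__":
    for name, text in (("SCOPED", SCOPED), ("TOO_BROAD", TOO_BROAD)):
        print(name, audit_delegation(text))
```

The audit looks at each block on its own and does not follow Include files or ssh's first-value-wins ordering, so treat a finding as a line to review. To see the options ssh would actually use for one host, run ssh -G hostname and look for gssapidelegatecredentials in the output.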

 

Up to OS 10.11.6 the built-in ssh and scp binaries supported the option 'GSSAPITrustDNS'. This option is no longer supported. If you used it in the past, you will have to remove it from your ssh configuration files.

 

When connecting to lxplus or other Linux boxen, we are often greeted with messages like:

perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LC_CTYPE = "UTF-8",
LANG = "en_US.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").

We can avoid these by deleting or commenting out the line

   SendEnv LANG LC_*

from /etc/ssh/ssh_config. Unfortunately, there is no way to achieve the same result by any parameter in ~/.ssh/config.
