Configure ssh for Password-less Login to lxplus or Other Linux Boxen

If you have a valid kerberos ticket you can configure ssh to forward your credentials, allowing password-less connections to properly configured linux boxen. 

The necessary configuration can be applied in two places on your Mac:

  1. In /etc/ssh/ssh_config (not sshd_config!)(was /etc/ssh_config prior to OS 10.12). In that case it is applied to all accounts on the Mac. Editing this file requires sudo privileges, but we will see further down why we want to edit this in any case...
  2. In ~/.ssh/config. In that case it is applied to your account only.

You should only forward your credentials to hosts that are trustworthy. If you forward your credentials to a roque host you run the risk that somebody abuses your credentials. So it is important to have the settings in question iside a 'Host' block for trusted hosts only! Do not put these settings in a 'Host *' block! In the following snippet the settings apply to the hosts "lxplus", "svn", "mylinuxbox" and all hosts matching "pcmydepmygroup*".

#

Host lxplus.cern.ch aiadm.cern.ch mylinuxbox.cern.ch pcmydepmygroup*.cern.ch

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
#...

About GSSAPITrustDNS

Up to  OS 10.11.6 the built-in ssh and scp binaries supported the option 'GSSAPITrustDNS'. This option is not supported any longer. If you used it in the past you will have to remove it from your ssh configuration files.

About LANG LC_*

When connecting to lxplus or other linux boxen, we are often greeted with messages like 

perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LC_CTYPE = "UTF-8",
LANG = "en_US.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").

We can avoid these by deleting or commenting out the line

   SendEnv LANG LC_*

from /etc/ssh/ssh_config. Unfortunately there is no way to achieve the same result by any parameter in ~/.ssh/config - andApple overwrites this file with almost every OS or security update :(

In case you have all required settings in ~/.ssh/config and do not need any of the settings from /etc/ssh/ssh_config you can use the ssh or scp option '-F ~/.ssh/config' to avoid reading /etc/ssh/ssh_config, and thus avoid being bother by Apple re-activating the 'SendEnv LANG LC_*' with every update to ssh.

You are here