Re: ssh service using lvs-dr

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>, horms@xxxxxxxxxxxx
Subject: Re: ssh service using lvs-dr
From: Karen Shepelak <shepelak@xxxxxxxx>
Date: Tue, 08 Feb 2005 11:34:07 -0600
Well, here lies the problem. We create kerberos credentials before we ssh to any machine. Then we tunnel these credentials through ssh over to the machine we wish to log in to. Normal ssh connections (non-lvs) with kerberos work to all my machines. In other words, ssh plus kerberos authenticates (sets permissions, grants xauth, and afs write access) prior to login. It is only our ssh connections through lvs which exhibit this (i.e. fail to pass authentication) and cause the errors below. So the question becomes, why does normal ssh pass authentication while ssh-lvs does not? Configuration files for normal ssh vs. ssh-lvs are basically the same except for entries concerning the listen address. Any ideas on how to work around this? We thought using "kinit -n", which means get kerberos authentication and create addressless tickets (to essentially ignore any ip mismatches throughout the ticket granting process), would work, but, alas, no. I am now wondering if I need to create an sshd for the RIP and put it on all the realservers???


[root@minos01 ssh]# grep Listen *
sshd_config:ListenAddress 131.225.110.58       = RIP
sshd_config.lvs:ListenAddress 131.225.110.112  = VIP

ls -l /etc/ssh/
-rw-------    1 root     root        88039 Sep 23  2003 moduli
-rw-r--r--    1 root     root         1141 Sep 23  2003 ssh_config
-rw-r--r--    1 root     root         1151 Jan 12 09:31 ssh_config.lvs
-rw-------    1 root     root          668 Oct 19 11:53 ssh_host_dsa_key
-rw-------    1 root     root          672 Jan 12 09:55 ssh_host_dsa_key.lvs
-rw-r--r--    1 root     root          611 Jan 12 09:55 ssh_host_dsa_key.lvs.pub
-rw-------    1 root     root          515 Oct 19 11:53 ssh_host_key
-rw-------    1 root     root          536 Jan 12 09:55 ssh_host_key.lvs
-rw-r--r--    1 root     root          340 Jan 12 09:55 ssh_host_key.lvs.pub
-rw-------    1 root     root          887 Oct 19 11:53 ssh_host_rsa_key
-rw-------    1 root     root          887 Jan 12 09:55 ssh_host_rsa_key.lvs
-rw-r--r--    1 root     root          231 Jan 12 09:55 ssh_host_rsa_key.lvs.pub
-rw-r--r--    1 root     root         2594 Jan 25 15:49 sshd_config
-rw-r--r--    1 root     root         2507 Jan 12 10:16 sshd_config.lvs

Horms wrote:

On Fri, Feb 04, 2005 at 05:37:01PM -0600, Karen Shepelak wrote:
I have met with success at getting ssh connections to work to LVS
by running a separate sshd for the VIP on each realserver. I don't know
if this is a normal part of the setup for the realservers or not, as I did not
see any instruction about having to do this anywhere, but it certainly got things
working. Also note that neither arp patches, arptable settings, nor the noarp module
made any difference in getting ssh to work.

Yes, ssh does need to listen to the VIP.
Likely what is happening is that when ssh starts up,
it looks for what IP addresses are bound to the
local interfaces and listens on those addresses.
So if you subsequently bring up the VIP, it won't be listening
on that address. Either that or you have ssh set to listen
to specific addresses and the VIP isn't one of them.

In any case, yes, you need ssh to listen on the VIP for
it to accept connections on the VIP.

Though I am finally able to ssh to LVS, I am now encountering a new battle.
To complete our LVS configuration, we need to have LVS working with
kerberos and openafs (also installed on our machines). So now, though I am
finally able to ssh to LVS, I am seeing that we are not able to create afs tokens.
We have narrowed down this new problem to our version of ssh: OpenSSH_3.5p1f1.
The error we get is:

[karen@neptune karen]$ ssh -l shepelak minos-lvs01

Last login: Fri Feb  4 16:34:23 2005 from linux-test.fnal.gov
aklog: Couldn't get fnal.gov AFS tickets:
aklog: unknown RPC error (-1765328346) while getting AFS tickets
/usr/X11R6/bin/xauth: timeout in locking authority file /afs/fnal.gov/files/home/room3/shepelak/.Xauthority
Terminal type is xterm
There are no available articles.
/bin/touch: creating `/afs/fnal.gov/files/home/room3/shepelak/.Info': Permission denied
<minos09>

Any of you out there running LVS with kerberos, openafs and openssh on your LTS303 linux machines? Thanks for any help,

Ok, there seem to be a few problems there.

1. xauth isn't working. You should probably just turn off xforwarding in
  your sshd config rather than make xauth work.

2. Your user doesn't have permission to access
  /afs/fnal.gov/files/home/room3/shepelak/.Info



--
Karen Shepelak
SCS-GROUP (Scientific Computing Support)
FERMILAB (Work: 630-840-2715 -- Pager:630-266-2383 -- FAX:630-840-6345)
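The thread turns on two facts that are easy to get wrong on a realserver: sshd only binds the addresses it finds at startup (or the ones named by ListenAddress), and the VIP has to be configured on a local interface before that sshd starts. The script below is an added example (it is not code from this thread, from Karen, from Horms, or from the LVS project) that checks both conditions from `ss -ltn` and `ip -o -4 addr` output. The VIP and RIP values are the ones quoted in the message; the sample command output embedded in the script is constructed for the demo, not captured from those hosts, and the script name `check_vip_sshd.sh` is an assumption.

```shell
#!/bin/sh
# Added example for the lvs-users thread above; not code from the thread or the
# LVS project. It checks the two things Horms' reply turns on: that the VIP is
# actually configured on a local interface of the realserver, and that an sshd
# instance is listening on VIP:22 (sshd only binds the addresses it sees at
# startup, or the ones named by ListenAddress). The VIP below is the one quoted
# in the thread; pass another as $1 and a port as $2.

VIP="${1:-131.225.110.112}"
SSH_PORT="${2:-22}"

# listener_present ADDR PORT
# Reads `ss -ltn` output on stdin; succeeds if a LISTEN socket is bound to
# ADDR:PORT, or to a wildcard (0.0.0.0, *, [::]) on that port.
listener_present() {
    awk -v want="$1" -v port="$2" '
        $1 == "LISTEN" {
            n = split($4, f, ":")          # local address:port is column 4
            if (f[n] != port) next         # last ":"-separated field is the port
            host = substr($4, 1, length($4) - length(f[n]) - 1)
            if (host == want || host == "0.0.0.0" || host == "*" || host == "[::]")
                found = 1
        }
        END { exit !found }'
}

# vip_bound ADDR
# Reads `ip -o -4 addr` output on stdin; succeeds if ADDR is configured on any
# interface (in LVS-DR the VIP usually sits on lo or a dummy device).
vip_bound() {
    grep -qF "inet $1/"
}

# Constructed sample output (not captured from the thread's hosts), used by the
# fallback demo and the self-test: RIP and VIP each have an sshd listener, the
# VIP is configured on lo.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      128    131.225.110.58:22    0.0.0.0:*
LISTEN 0      128    131.225.110.112:22   0.0.0.0:*
LISTEN 0      128    127.0.0.1:25         0.0.0.0:*'
SAMPLE_IP='1: lo    inet 127.0.0.1/8 scope host lo
1: lo    inet 131.225.110.112/32 scope global lo
2: eth0  inet 131.225.110.58/24 brd 131.225.110.255 scope global eth0'

# check_realserver ADDR PORT SS_OUTPUT IP_OUTPUT
# Returns 0 only if both conditions hold; reports what is missing otherwise.
check_realserver() {
    rc=0
    if ! printf '%s\n' "$4" | vip_bound "$1"; then
        echo "VIP $1 is not configured on any interface" >&2
        rc=1
    fi
    if ! printf '%s\n' "$3" | listener_present "$1" "$2"; then
        echo "no sshd listening on $1:$2 (start one with: sshd -f <config whose ListenAddress is $1>)" >&2
        rc=1
    fi
    return $rc
}

# Live check against this host; falls back to the constructed sample when the
# ss/ip tools are not installed so the script still demonstrates the logic.
main() {
    if ! command -v ss >/dev/null 2>&1 || ! command -v ip >/dev/null 2>&1; then
        echo "ss/ip not available, checking the constructed sample instead" >&2
        check_realserver "$VIP" "$SSH_PORT" "$SAMPLE_SS" "$SAMPLE_IP"
        return
    fi
    check_realserver "$VIP" "$SSH_PORT" "$(ss -ltn)" "$(ip -o -4 addr)"
}

# Only run the live check when executed directly under the assumed file name.
case "${0##*/}" in check_vip_sshd.sh) main ;; esac
```

Saved as `check_vip_sshd.sh` and run on a realserver as `sh check_vip_sshd.sh 131.225.110.112`, a non-zero exit means either the VIP is missing from the interfaces or nothing is listening on VIP:22, which is exactly the state Horms describes when sshd was started before the VIP came up. The second sshd instance that Karen runs from `sshd_config.lvs` is started with `sshd -f /etc/ssh/sshd_config.lvs`, and that file is also the natural place for the `X11Forwarding no` setting Horms suggests, since it only affects logins that arrive through the VIP.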

