Thanks to all who helped out with my ssh problem the other day. A few different approaches worked: I'm writing them up here for easy reference.
To recap, the problem was as follows: I want to ssh from my home machine (delight) to my work machine (sentinel) without typing any passwords (and, while I'm at it, to various other work machines, such as the Subversion host). Unfortunately, sentinel isn't visible on the public Internet; first I need to ssh into a gateway machine (rydell) from which sentinel is visible. Oh, and neither sentinel nor rydell allow public-key ssh login; both require you to use the Kerberos authentication protocol, which is explained here.
Brute force and ignorance
My first attempt was to use
    ssh rydell ssh sentinel
(which sshes into rydell, and invokes the command ssh sentinel thereon). This failed with the error "Pseudo-terminal will not be allocated because stdin is not a terminal". Marco Fontani pointed out that the -t switch to ssh allocates a pseudo-terminal, so
    ssh -t rydell ssh sentinel
Does What I Want.
X11 Forwarding
Mat Brown pointed out that I was overthinking it: by using the -X and -C options to ssh (or adding the lines
    ForwardX11 yes
    Compression yes
to the relevant stanza of ~/.ssh/config) I could enable compressed forwarding of X11 connections; I could then create new terminal windows by sshing into sentinel once and creating new xterms on there. I already had ForwardX11 set, but didn't know about Compression, so I've enabled that; it seems to help.
Using ProxyCommand and AutoSSH
I added the lines
    ControlMaster auto
    ControlPath /tmp/ssh_mux_%h_%p_%r
    ServerAliveInterval 60
    ServerAliveCountMax 60

    Host rydell
      User pvlak1
      HostName rydell.my.employ.er

    Host sentinel
      User pvlak1
      ProxyCommand=ssh rydell nohup nc sentinel 22
      HostName sentinel.my.employ.er

    Host svn.my.employ.er
      User pvlak1
      ProxyCommand=ssh rydell nohup nc svn 22
to ~/.ssh/config. Then, at the beginning of the day, I set things up with the commands
    kinit pvlak1
    autossh -f -M 0 -N sentinel
    autossh -f -M 0 -N svn.my.employ.er
I can now open a new ssh connection to sentinel in an eyeblink. I needed to install AutoSSH, but this was just an apt-get away.
Two things are going on here. The ProxyCommand lines (suggested by hatfinch, and debugged by simont) tell ssh how to reach sentinel: in this case, by sshing to rydell and using netcat to open a connection to port 22 on sentinel (on which sentinel's sshd is listening). The HostName line is necessary to stop Kerberos getting confused. The first four lines were suggested by Marco Fontani and Aaron Crane, and allow ssh to multiplex all its connections to sentinel (or any host, come to that) over one channel, eliminating the need for a cryptographic handshake on each new connection and leading to blazingly-fast startup times. To avoid various annoying problems with this setup, you'll need the AutoSSH invocations: Aaron explains why on his blog.
My original problem is solved - hurrah! Now, can anyone explain why resize events weren't being passed through my expect script, and what I could have done about it? :-)
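The ControlPath in the config above puts the multiplexing socket in /tmp, while ssh_config(5) recommends that a ControlPath used for connection sharing live in a directory that is not writable by other users. The check below is an added example, not part of the original post: audit_controlpath is a hypothetical helper name, and it reports for each ControlPath in a client config whether the socket directory is owned by you and closed to group and world writes.

```shell
#!/bin/sh
# Added example, not from the original post.
# audit_controlpath <ssh-config-file>
# Prints one line per ControlPath setting:
#   OK <dir>       directory is owned by you and not group/world-writable
#   UNSAFE <dir>   directory is missing, not yours, or writable by others
#   SKIP <value>   directory part contains % tokens, so it cannot be resolved here
audit_controlpath() {
    # Keywords are case-insensitive and may be written "Key value" or "Key=value".
    grep -i '^[[:space:]]*controlpath[[:space:]=]' "$1" |
    sed -e 's/^[[:space:]]*[^[:space:]=]*[[:space:]=]*//' -e 's/"//g' |
    while IFS= read -r value; do
        case $value in
            none) continue ;;                        # multiplexing disabled
            "~/"*) value=$HOME/${value#"~/"} ;;      # ssh expands a leading ~
        esac
        dir=$(dirname "$value")
        case $dir in
            *%*) printf 'SKIP %s\n' "$value"; continue ;;
        esac
        # Resolve symlinks first; a directory that does not exist is reported too.
        real=$(cd "$dir" 2>/dev/null && pwd -P) ||
            { printf 'UNSAFE %s\n' "$dir"; continue; }
        # ls -ldn prints: mode, link count, numeric owner, ...
        ls -ldn "$real" | {
            read -r mode links owner rest
            case $mode in
                ?????w*|????????w*) verdict=UNSAFE ;;   # group- or world-writable
                *) verdict=OK ;;
            esac
            [ "$owner" = "$(id -u)" ] || verdict=UNSAFE
            printf '%s %s\n' "$verdict" "$dir"
        }
    done
}

# Run against a config file given on the command line, e.g. ~/.ssh/config.
if [ $# -gt 0 ]; then
    audit_controlpath "$1"
fi
```

A directory such as ~/.ssh/cm created with mode 700 passes this check; /tmp does not.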