• In progress

    • Connecting to the eRI compute cluster from Windows

    Owned by Thomas Berger
    Last updated: 02-05-2024 by Matt Bixley
    3 min read

    This article lists a few example client application configurations to enable users to connect via SSH and utilising Kerberos authentication

    PuTTY

    With Kerberos authentication via Windows OS

    • Log into a Windows machine using your AgResearch AD credentials

    • Open Putty and navigate to Connection → SSH → Auth → GSSAPI and configure GSSAPI as indicated below

    • Navigate to Connection → Data and select ' Use system username'

    • Navigate to Session and specify the server you are connecting to. Save the session

     

    • Click Open and enjoy the SSO

    MobaXterm

    With Kerberos authentication via Windows OS

    • Ensure you are using the latest version of MobaXterm

    • Open MobaXterm and navigate to Settings → Configuration (global settings, not session settings!)

    • Select SSH tab and configure the settings as indicated below. Ensure you enter the Domain you are going to use, which for AgResearch staff is agresearch.co.nz, and set your default login as username@agresearch.co.nz

     

     

    • Click OK

    • Create a new connection and configure it as indicated below. Ensure the ‘Specify username’ is set to default (which will be filled in from global settings). This indicates that the system username (the username you used to log into the workstation) is going to be used. For AgResearch staff the hostname is login-0.eri.agresearch.co.nz.

     

    • Click OK and connect. If all is well, this should give a shell prompt on login-0 with no need to type a username or password.

    Windows Subsystem for Linux (WSL)

    Windows subsystem for Linux is a feature that allows you to utilise some linux commands and command line tools.

    WSL is enabled by default on later versions of Windows 10.

    You can test whether WSL is installed by opening 'Windows PowerShell' and typing wsl.

    Kerberos configuration

    The following is required in /etc/krb5.conf inside your WSL distro for ssh to work with Kerberos:

    [libdefaults] default_realm = AGRESEARCH.CO.NZ dns_lookup_realm = true dns_lookup_kdc = true forwardable = true [realms] IAM.FLEXI.NESI.ORG.NZ = { dns_canonicalize_hostname = false rdns = false } [domain_realm] agresearch.co.nz = AGRESEARCH.CO.NZ .agresearch.co.nz = AGRESEARCH.CO.NZ .eri.agresearch.co.nz = IAM.FLEXI.NESI.ORG.NZ eri.agresearch.co.nz = IAM.FLEXI.NESI.ORG.NZ [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 krb4_convert = false }

    ssh configuration

    The following in ~/.ssh/config means less has to be specified on the command line:

    Host login-0 login-0.eri.agresearch.co.nz HostName login-0.eri.agresearch.co.nz User <USERID>@agresearch.co.nz # eg blogsj@agresearch.co.nz GSSAPIAuthentication yes

    Get a Kerberos ticket

    In case klist shows no tickets:

    kinit

    Connect to the destination utilising the Kerberos ticket:

    Requires the above ssh configuration for this brief command to work:

    ssh login-0