Skip to main content
To KTH's start page

SSH login from Linux

Follow the guide to SSH login from Linux.

To log in to the student shell server, edit your ssh settings in ~/.ssh/config to add

Host student-shell
  HostName student-shell.sys.kth.se
  User username
  PreferredAuthentications gssapi-with-mic
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
  GSSAPIKeyExchange yes

Then log in with

kinit -f username@KTH.SE
ssh student-shell

Note: All examples use username and student-shell – replace this with your KTH username (without @kth.se), and the Shell servers .

Note: If your local Kerberos configuration (e.g. /etc/krb5.conf) uses rdns=false, you should replace the alias student-shell.sys.kth.se with the server's FQDN, student-shell-1.sys.kth.se.

Software

All software is already available in KTH's client platforms. Using a standalone system, you may need to install Kerberos and OpenSSH.

For Ubuntu- or Debian-based distributions, we recommend Heimdal Kerberos (heimdal-clients), but MIT Kerberos (krb5-user) should also work.

For RedHat-based distributions, MIT Kerberos is recommended. For other distributions, see PDC's recommendations .

If prompted for a default Kerberos realm, select "KTH.SE".

## Ubuntu/Debian
[sudo] apt-get install heimdal-clients
[sudo] apt-get install openssh-client

## RHEL/CentOS/Fedora
[sudo] yum install krb5-workstation
[sudo] yum install openssh-clients

FAQ / Known problems

To debug problems, note the difference between running e.g. klist on your local client, and running it on the server you log in to. The first checks that kinit has received tickets; the second that the ssh client successfully forwarded the tickets to the server.

Non-standard ssh client or Kerberos

Application sandboxes are isolated environments in the home directory with applications and libraries that replace or complement the standard environment. See personal software installation . Normally this works fine, but replacing the ssh client or Kerberos toolchain (from Heimdal Kerberos to MIT Kerberos, or vice versa) may cause problems.

To check which client or Kerberos you are using, use the which command, i.e. which ssh; which kinit; which klist.

  • /home/username/.local/bin – standard directory for pip applications installed using the --user scheme.
  • /home/username/«conda version»/bin – directory for Conda, installed from Anaconda, Miniconda, Miniforge, etc. Typically your shell prompt will show (base) username@hostname:path$ or similar, to indicate that the "base" environment is active. You can use conda info --envs to check, or conda deactivate to exit the environment.
  • Python venv / virtualenv – will rarely replace system binaries, but may interfere. Use echo $VIRTUAL_ENV to check if you are in an environment, and deactivate to exit.

To call the system standard version, rather than the sandbox's, use the full path /usr/bin/«command».