Using public-key authentication on the Athena dialup servers is somewhat different from using it on other OpenSSH servers, and is intended only for advanced users. In particular:
- When logging in via this method, you will not automatically get Kerberos tickets, and will thus be unable to authenticate to other services (e.g. Zephyr) without running kinit or renew
- When logging in via this method, you will not automatically get AFS tokens, and will be unable to access files in your home directory unless they are located in your ~/Public directory (or a directory with similar permissions). You will be unable to write to any files in AFS. (Do not grant world-writable permissions on any AFS directory.)
- You can, of course, type renew to authenticate to AFS and Kerberos, but you will have to provide your password, which somewhat negates the advantage of using public key authentication in the first place.
- When logging in via this method, your dotfiles (and, by extension, the system-wide Athena dotfiles) will not be run. Common customizations and command aliases may not be available. (For example, the name of the dialup you connect to will not get written to the ~/.lastdialup file.)
To avoid the issues listed above, consider using Kerberos authentication, as described in How can I avoid having to type my password when I login to Athena remotely?
The Athena dialup servers do not consult the default ~/.ssh/authorized_keys file. Users who have already set-up public/private key pairs for OpenSSH should add their public key to the file ~/Public/.ssh/athena_dialup_authorized_keys.
- Please take care NOT to move or copy any other files in your ~/.ssh directory to avoid inadvertantly exposing any private keys.
- Please note that the ~/Public/.ssh directory must have the same AFS permissions as your ~/Public, namely it must be readable by system:anyuser.
If you do not have a public/private key pair, you may generate one using ssh-keygen, and copy the resulting public key (~/.ssh/id_rsa.pub) into the file above.