ReproNim / reproman

ReproMan (AKA NICEMAN, AKA ReproNim TRD3)
https://reproman.readthedocs.io

FOI: "password less" login to kerberos-"powered" systems (e.g. discovery) #480

Open yarikoptic opened 5 years ago

yarikoptic commented 5 years ago

Information was posted to https://github.com/dbic/handbook/blob/master/src/discovery.md#password-less-authentication-for-ssh . It would be nice to test that it works with the reproman/datalad tandem, and tune up anything that needs tuning for scheduling tasks on their PBS.

yarikoptic commented 4 years ago

ATM our setup to log in via paramiko tries to access a key to be used even if I don't want it to. After I enter an empty one, it pukes, proceeds to password authentication, I enter the password and it again proceeds to the key, pukes and doesn't log in.

```
$> reproman login discovery
Exception: key cannot be used for signing
Traceback (most recent call last):
  File "/home/yoh/proj/repronim/reproman/venvs/dev3/lib/python3.7/site-packages/paramiko/transport.py", line 2109, in run
    handler(self.auth_handler, m)
  File "/home/yoh/proj/repronim/reproman/venvs/dev3/lib/python3.7/site-packages/paramiko/auth_handler.py", line 298, in _parse_service_accept
    sig = self.private_key.sign_ssh_data(blob)
  File "/home/yoh/proj/repronim/reproman/venvs/dev3/lib/python3.7/site-packages/paramiko/agent.py", line 418, in sign_ssh_data
    raise SSHException("key cannot be used for signing")
paramiko.ssh_exception.SSHException: key cannot be used for signing

Password for discovery:
Exception: key cannot be used for signing
Traceback (most recent call last):
  File "/home/yoh/proj/repronim/reproman/venvs/dev3/lib/python3.7/site-packages/paramiko/transport.py", line 2109, in run
    handler(self.auth_handler, m)
  File "/home/yoh/proj/repronim/reproman/venvs/dev3/lib/python3.7/site-packages/paramiko/auth_handler.py", line 298, in _parse_service_accept
    sig = self.private_key.sign_ssh_data(blob)
  File "/home/yoh/proj/repronim/reproman/venvs/dev3/lib/python3.7/site-packages/paramiko/agent.py", line 418, in sign_ssh_data
    raise SSHException("key cannot be used for signing")
paramiko.ssh_exception.SSHException: key cannot be used for signing

2019-12-10 14:56:43,405 [ERROR  ] No existing session [transport.py:auth_password:1498] (SSHException)
```

paramiko is 2.6.0, fabric 2.4.0. Upgrading to fabric-2.5.0 invoke-1.3.0 paramiko-2.7.1 changes nothing.

My ~/.ssh/config:

```
Host discovery7 discovery*.hpcc.dartmouth.edu
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes
```

and the configuration for the discovery resource in our inventory:

```yaml
discovery:
  host: discovery7
  id: 88a9e369-7780-489e-a255-5a34d1b1717b
  key_filename: null
  name: discovery
  port: null
  status: CONNECTION ERROR
  type: ssh
  user: d31548v
```

yarikoptic commented 4 years ago

For GSSAPI there is support in paramiko (since 1.15), and for fabric there is a PR: https://github.com/fabric/fabric/pull/1795 . I will give it a try and report back.

Note: requires installation of python3-gssapi (Debian pkg). Installing via PyPI requires the devel libraries, so it could be painful. Otherwise paramiko would puke an "ImportError: Unable to import a GSS-API / SSPI module!" exception.

yarikoptic commented 4 years ago
It works!

```shell
$> reproman login discovery
[d31548v@discovery7 ~]$
```

yarikoptic commented 4 years ago

FWIW, and FMI (for my information as memory supplement). Had that exception ("ImportError: Unable to import a GSS-API / SSPI module!") again, and it was due to

```
$> python -c 'import gssapi'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python3/dist-packages/gssapi/__init__.py", line 29, in <module>
    from gssapi.raw.types import NameType, RequirementFlag, AddressType  # noqa
  File "/usr/lib/python3/dist-packages/gssapi/raw/__init__.py", line 50, in <module>
    from gssapi.raw.creds import *  # noqa
ModuleNotFoundError: No module named 'gssapi.raw.creds'
```

which was due to Python being 3.7 here in the virtualenv, whereas system-wide it is now 3.8 and Debian's python3-gssapi provides built extensions only for that. So I had to wipe out and recreate the virtualenv, and then it worked fine.
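
The two failure modes in this thread (paramiko reaching for an agent key when only GSSAPI was wanted, and `gssapi` being visible to a virtualenv but not importable because its compiled extension was built for the system interpreter) are both things a preflight can catch before `reproman login` is attempted. The following is an added example written for this page, not reproman's or paramiko's own code. It assumes paramiko's `SSHClient.connect()` keyword names (`gss_auth`, `gss_kex`, `gss_deleg_creds`, `allow_agent`, `look_for_keys`); the ssh_config text, inventory entry, host names and user are constructed from the values quoted in the issue, and the `lookup`/`parse_ssh_config` helpers are a deliberately small stand-in for a real ssh_config parser.

```python
# Added example (not reproman's or paramiko's code): GSSAPI login preflight.
import fnmatch
import importlib
import sys
from typing import Dict, List, Optional

# Constructed sample: the ~/.ssh/config from the issue plus a catch-all block.
SAMPLE_SSH_CONFIG = """\
Host discovery7 discovery*.hpcc.dartmouth.edu
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials yes

Host *
  GSSAPIAuthentication no
"""
# Constructed sample: the inventory entry from the issue (id/status omitted).
SAMPLE_RESOURCE = {"host": "discovery7", "user": "d31548v",
                   "port": None, "key_filename": None}

def parse_ssh_config(text: str) -> List[dict]:
    """Minimal ssh_config parser -> [{"patterns": [...], "opts": {...}}, ...].
    Options before any Host line form an implicit "Host *" block; negated
    patterns ("!foo") and Match blocks are not handled."""
    blocks = [{"patterns": ["*"], "opts": {}}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            blocks.append({"patterns": value.split(), "opts": {}})
        else:
            blocks[-1]["opts"][key] = value
    return blocks

def lookup(blocks: List[dict], hostname: str) -> Dict[str, str]:
    """ssh(1) semantics: the first matching block that sets an option wins."""
    result: Dict[str, str] = {}
    for block in blocks:
        if any(fnmatch.fnmatchcase(hostname, p) for p in block["patterns"]):
            for key, value in block["opts"].items():
                result.setdefault(key, value)
    return result

def _yes(value: Optional[str]) -> bool:
    return (value or "no").lower() == "yes"

def connect_kwargs(ssh_opts: Dict[str, str], resource: dict) -> dict:
    """Map ssh_config options + inventory entry onto SSHClient.connect() kwargs.
    With GSSAPIAuthentication on and no key_filename, agent/on-disk key lookup
    is switched off so paramiko never tries to sign with an agent key first
    (the "key cannot be used for signing" failure above). Delegation is enabled
    only when ssh_config asks for it: paramiko's default gss_deleg_creds=True
    would forward the Kerberos TGT to every host."""
    gss = _yes(ssh_opts.get("gssapiauthentication"))
    kwargs = {
        "hostname": ssh_opts.get("hostname", resource["host"]),
        "username": ssh_opts.get("user") or resource.get("user"),
        "port": resource.get("port") or int(ssh_opts.get("port", 22)),
        "gss_auth": gss,
        "gss_kex": _yes(ssh_opts.get("gssapikeyexchange")),
        "gss_deleg_creds": gss and _yes(ssh_opts.get("gssapidelegatecredentials")),
    }
    if resource.get("key_filename"):
        kwargs["key_filename"] = resource["key_filename"]
    else:
        kwargs["allow_agent"] = kwargs["look_for_keys"] = not gss
    return kwargs

def classify_import_error(exc: ImportError) -> Dict[str, str]:
    """Explain the ImportError behind "Unable to import a GSS-API / SSPI module!".
    A missing *submodule* (e.g. gssapi.raw.creds) means the package is visible but
    its compiled extension was built for another interpreter (last comment)."""
    name = getattr(exc, "name", None) or ""
    pyver = "%d.%d" % sys.version_info[:2]
    if isinstance(exc, ModuleNotFoundError) and name.startswith("gssapi."):
        return {"status": "partial", "hint": "%s not importable: gssapi found but "
                "its extension is not built for Python %s; reinstall it into this "
                "interpreter or recreate the virtualenv" % (name, pyver)}
    if isinstance(exc, ModuleNotFoundError):
        return {"status": "missing", "hint": "install python-gssapi (Debian: "
                "python3-gssapi; pip needs the Kerberos development headers)"}
    return {"status": "broken", "hint": str(exc)}

def gssapi_preflight() -> Dict[str, str]:
    """Do the import paramiko will do and report ok/missing/partial/broken."""
    info = {"python": "%d.%d" % sys.version_info[:2]}
    try:
        importlib.import_module("gssapi")
        info["status"] = "ok"
    except ImportError as exc:  # ModuleNotFoundError is a subclass
        info.update(classify_import_error(exc))
    return info

def login(hostname: str, resource: dict, ssh_config_text: str):
    """Open the session; paramiko is imported lazily so the helpers above run without it."""
    import paramiko
    kwargs = connect_kwargs(lookup(parse_ssh_config(ssh_config_text), hostname), resource)
    client = paramiko.SSHClient()
    client.load_system_host_keys()
    client.set_missing_host_key_policy(paramiko.RejectPolicy())  # no silent TOFU
    client.connect(**kwargs)
    return client
```

Run `gssapi_preflight()` first: a `partial` result is the virtualenv/system Python mismatch from the last comment and is fixed by rebuilding the environment, not by installing anything else. Note that `GSSAPIDelegateCredentials yes` hands the remote host a forwardable copy of your TGT; keeping it scoped to a `Host` pattern, as the config above does, is what stops that from happening on every connection paramiko makes.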