GT 5.0.0 Release Notes: GSI-OpenSSH

1. Component Overview

GSI-OpenSSH is a modified version of OpenSSH that adds support for X.509 proxy certificate authentication and delegation, providing a single sign-on remote login and file transfer service. GSI-OpenSSH can be used to login to remote systems and transfer files between systems without entering a password, relying instead on a valid proxy credential for authentication. GSI-OpenSSH forwards proxy credentials to the remote system on login, so commands requiring proxy credentials (including GSI-OpenSSH commands) can be used on the remote system without the need to manually create a new proxy credential on that system. For more information about GSI-OpenSSH, see the GSI-OpenSSH Home Page.

2. Feature summary

Features new in GT 5.0.0

  • None.

Other Supported Features

  • The gsissh command provides a secure remote login service with forwarding of X.509 proxy credentials.
  • The gsiscp and gsisftp commands provide a secure file transfer service authenticated with X.509 proxy credentials, mimicking the rcp/scp and ftp/sftp commands.
  • All standard OpenSSH features are supported, excluding Kerberos authentication. Kerberos authentication is not compatible with GSI-enabled OpenSSH.
  • The GSI-OpenSSH server can replace the standard system SSH server in typical environments.
  • If no username is given on the command-line, GSI-OpenSSH automatically determines the username that corresponds to the X.509 proxy certificate subject in the server's grid-mapfile.

Deprecated Features

  • None

3. Summary of Changes in GSI-OpenSSH

GT 5.0.0 contains GSI-OpenSSH version 4.7. GSI-OpenSSH clients now attempt only GSI authentication by default, rather than the confusing behavior of attempting other SSH authentication methods when GSI authentication fails. (The GSI-OpenSSH server still supports both GSI and non-GSI authentication methods by default, for compatibility with both GSI and non-GSI clients.) See the GSI-OpenSSH Release History for more details on this and other GSI-OpenSSH versions.

4. Bug Fixes

See the GSI-OpenSSH Release History for details.

5. Known Problems

The following problems and limitations are known to exist for GSI-OpenSSH at the time of the 5.0.0 release:

5.1. Limitations

  • No known limitations exist.

5.2. Outstanding bugs

No bugs are known to exist for GSI-OpenSSH.

6. Technology dependencies

GSI-OpenSSH depends on the following GT components:

GSI-OpenSSH depends on the following 3rd party software:

7. Tested platforms

Tested Platforms for GSI-OpenSSH

  • Mac OS X 10.5
  • x86/x86_64 GNU/Linux
  • PPC AIX 5.3
  • Sun4u Solaris 5.10

8. Backward compatibility summary

GSI-OpenSSH is backward compatible.

9. Associated Standards

Associated standards for GSI-OpenSSH:

10. For More Information

See GSI-OpenSSH more information about this component.



certificate subject

An identifier for the certificate owner, e.g. "/DC=org/DC=doegrids/OU=People/CN=John Doe 123456". The subject is part of the information the CA binds to a public key when creating a certificate.


proxy certificate

A short lived certificate issued using a EEC. A proxy certificate typically has the same effective subject as the EEC that issued it and can thus be used in its place. GSI uses proxy certificates for single sign on and delegation of rights to other entities.

For more information about types of proxy certificates and their compatibility in different versions of GT, see

proxy credentials

The combination of a proxy certificate and its corresponding private key. GSI typically stores proxy credentials in /tmp/x509up_u<uid> , where <uid> is the user id of the proxy owner.