Please note that these documents are for an OBSOLETE version of the Globus Toolkit. For more information see 5.2 End of Life

GT 5.2.2 Release Notes: GSI-OpenSSH

1. Component Overview

GSI-OpenSSH is a modified version of OpenSSH that adds support for X.509 proxy certificate authentication and delegation, providing a single sign-on remote login and file transfer service. GSI-OpenSSH can be used to login to remote systems and transfer files between systems without entering a password, relying instead on a valid proxy credential for authentication. GSI-OpenSSH forwards proxy credentials to the remote system on login, so commands requiring proxy credentials (including GSI-OpenSSH commands) can be used on the remote system without the need to manually create a new proxy credential on that system. For more information about GSI-OpenSSH, see the GSI-OpenSSH Home Page.

2. Feature summary

Supported Features

  • The gsissh command provides a secure remote login service with forwarding of X.509 proxy credentials.
  • The gsiscp and gsisftp commands provide a secure file transfer service authenticated with X.509 proxy credentials, mimicking the rcp/scp and ftp/sftp commands.
  • All standard OpenSSH features are supported, excluding Kerberos authentication. Kerberos authentication is not compatible with GSI-enabled OpenSSH.
  • The GSI-OpenSSH server can replace the standard system SSH server in typical environments.
  • If no username is given on the command-line, GSI-OpenSSH automatically determines the username that corresponds to the X.509 proxy certificate subject in the server's grid-mapfile.

Deprecated Features

  • None

3. Summary of Changes in Util OpenSSH

GT 5.2.2 contains GSI-OpenSSH 5.5. See the GSI-OpenSSH Release History for more details on this and other GSI-OpenSSH versions.

4. Fixed Bugs for Util OpenSSH

See the GSI OpenSSH 5.5 Announcement for a list of fixes in this release.

5. Known Problems in Util OpenSSH


6. Technology dependencies

GSI-OpenSSH depends on the following GT components:

GSI-OpenSSH depends on the following 3rd party software:

7. Tested platforms

Tested Platforms for GSI-OpenSSH

  • Mac OS X 10.5
  • x86/x86_64 GNU/Linux
  • PPC AIX 5.3
  • Sun4u Solaris 5.10

8. Backward compatibility summary

GSI-OpenSSH is backward compatible.

9. Associated Standards

Associated standards for GSI-OpenSSH:

10. For More Information

See GSI-OpenSSH more information about this component.



certificate subject

An identifier for the certificate owner, e.g. "/DC=org/DC=doegrids/OU=People/CN=John Doe 123456". The subject is part of the information the CA binds to a public key when creating a certificate.


proxy certificate

A short lived certificate issued using a EEC. A proxy certificate typically has the same effective subject as the EEC that issued it and can thus be used in its place. GSI uses proxy certificates for single sign on and delegation of rights to other entities.

For more information about types of proxy certificates and their compatibility in different versions of GT, see

proxy credentials

The combination of a proxy certificate and its corresponding private key. GSI typically stores proxy credentials in /tmp/x509up_u<uid> , where <uid> is the user id of the proxy owner.