GT 6.0 Component Guide to Public Interfaces: GSI-OpenSSH


GSI-OpenSSH Commands

Chapter 1. Introduction

The gsissh, gsiscp, and gsiftp commands provide the same interfaces as the standard OpenSSH ssh, scp, and sftp commands, respectively, with the added ability to perform X.509 proxy credential authentication and delegation.

Chapter 2. GSISSH(1)

1. NAME

gsissh - Secure remote login

2. SYNOPSIS

gsissh

3. Tool description

Use the gsissh command to securely login to a remote machine.

4. Command syntax

gsissh [-l login_name] hostname | user@hostname [command]

Chapter 3. GSISCP(1)

1. NAME

gsiscp - Secure remote file copy

2. SYNOPSIS

gsiscp

3. Tool description

Use the gsiscp command to securely copy files to or from a remote machine.

4. Command syntax

gsiscp [-P port] [[user@]host1:]file1 […] [[user@]host2:]destfile

Chapter 4. GSISFTP(1)

1. NAME

gsisftp - Secure file transfer

2. SYNOPSIS

gsisftp

3. Tool description

The gsisftp command provides an interactive interface for transferring files to and from remote machines.

4. Command syntax

gsisftp [[user@host[:dir[/]]] ]

Chapter 5. Configuring

The GSI-enabled OpenSSH software is installed with a default set of configuration files, described below. You may want to modify the ssh_config file before using the clients and the file before using the clients and the sshd_config file before using the server. file before using the server.

If the GSI-enabled OpenSSH install script finds existing SSH key pairs, it will create symbolic links to them rather than generating new key pairs. The SSH key pairs are not required for GSI authentication. However, if you wish to support other SSH authentication methods, make sure the sshd (running as root) can read the key pair files (i.e., beware of NFS mounts with root_squash). If running multiple sshds on a system, we recommend configuring them so they all use the same key pairs (i.e., use symbolic links) to avoid client-side confusion.

  • $GLOBUS_LOCATION/etc/ssh/moduli
  • $GLOBUS_LOCATION/etc/ssh/ssh_config
  • $GLOBUS_LOCATION/etc/ssh/ssh_host_key[.pub]
  • $GLOBUS_LOCATION/etc/ssh/ssh_host_dsa[.pub]
  • $GLOBUS_LOCATION/etc/ssh/ssh_host_rsa[.pub]
  • $GLOBUS_LOCATION/etc/ssh/ssh_prng_cmds
  • $GLOBUS_LOCATION/etc/ssh/sshd_config

Chapter 6. Environment variable interface

1. Environmental variables for GSI-OpenSSH

The GSI-enabled OpenSSHD needs to be able to find certain files and directories in order to properly function.

The items that OpenSSHD needs to be able to locate, their default location and the environment variable to override the default location are:

  • Host key
  • Host certificate
  • Grid map file
  • Certificate directory

Chapter 7. Errors

Table of Contents

1. Errors

1. Errors

Table 7.1. GSI-OpenSSH Errors

Error Code Definition Possible Solutions

GSS-API error Failure acquiring GSSAPI credentials: GSS_S_CREDENTIALS_EXPIRED

This means that your proxy certificate has expired.

Run grid-proxy-init to acquire a new proxy certificate, then run gsissh again.

…no proxy credentials…

Failing to run grid-proxy-init to create a user proxy with which to connect will result in the client notifying you that no local credentials exist. Any attempt to authenticate using GSI will fail in this case.

Verify that your GSI proxy has been properly initialized via grid-proxy-info. If you need to initialize the proxy, use the command grid-proxy-init.

…bad file system permissions on private key; key must only be readable by the user…

The host key that the SSH server is using for GSI authentication must only be readable by the user which owns it. Any other permissions will cause this error.

Make sure that the host key’s UNIX permissions are mode 400 (that is, it should only have mode readable for the user that owns the file, and no other mode bits should be set).

…gssapi received empty username; failed to set username from gssapi context; Failed external-keyx for <user> from <host> <port>…

If the server was passed an "implicit username" (i.e. requested to map the incoming connection to a username based on some contextual clues such as the certificate’s subject), and no entry exists in the grid-mapfile for the incoming connection’s certificate subject, the server should output a clue that states it is unable to set the username against which to authenticate.

Add an entry for the user to the gridmap file.

…INTERNAL ERROR: authenticated invalid user xxx…

If the subject name given in the system’s grid-mapfile points to a non-existent user, the server will give an internal error which is best caught when it is running in debugging mode.

Add a new account to the system matching the username pointed at by the user’s subject in the grid-mapfile.

…gssapi received empty username; no suitable client data; failed to set username from gssapi context; Failed external-keyx for <user> from <host> <port>…

Should the user attempt to connect without first creating a proxy certificate, or if the user is connecting via a SSH client that does not support GSI authentication, the server will note that no GSSAPI data was sent to it. Verify that the client is able to connect through another GSI service (such as the gatekeeper) to make sure that the user’s proxy has been created correctly.

Verify that you are using a GSI-enabled SSH client and that your GSI proxy has been properly initialized via grid-proxy-info. If you need to initialize this proxy, use the command grid-proxy-init.