Software Links

Usage Statistics
Release Notes
Versioning
Downloads
Advisories
Licenses
CVS & Dev Tools

Getting Started

A Globus Primer
Globus Is Modular!
Installing GT
Quickstart
Platform Notes
GT Developer's Guide
GT User's Guide
Migrating Guides

Reference

Best Practices
Coding Guidelines
API docs
GT Commands
Public Interfaces
Resource Properties
Samples
Glossary

Manuals

Common Runtime

Java WS Core
C WS Core
Python WS Core
XIO
CoG jGlobus
pyGlobus
C Common Libs

Security

GSI C
GSI Java
Java WS A&A
C WS A&A
CAS
Delegation Service
MyProxy
GSI-OpenSSH
SimpleCA

Data Mgt

GridFTP
RFT
RLS
WS RLS
DRS

WS MDS

Index Service
Trigger Service
WebMDS
Aggregator Framework
UsefulRP
Info Providers

Execution Mgt

GRAM4
GridWay
GRAM2 (legacy)

GT 4.2.1 Release Notes: GSI-OpenSSH

Table of Contents

1. Component Overview
2. Feature summary
3. Summary of Changes in GSI-OpenSSH
4. Bug Fixes
5. Known Problems
5.1. Limitations
5.2. Outstanding bugs
6. Technology dependencies
7. Tested platforms
8. Backward compatibility summary
9. Associated Standards
10. For More Information
Glossary

1. Component Overview

GSI-OpenSSH is a modified version of OpenSSH that adds support for X.509 proxy certificate authentication and delegation, providing a single sign-on remote login and file transfer service. GSI-OpenSSH can be used to login to remote systems and transfer files between systems without entering a password, relying instead on a valid proxy credential for authentication. GSI-OpenSSH forwards proxy credentials to the remote system on login, so commands requiring proxy credentials (including GSI-OpenSSH commands) can be used on the remote system without the need to manually create a new proxy credential on that system.

2. Feature summary

Features new in GT 4.2.1

  • None.

Other Supported Features

  • The gsissh command provides a secure remote login service with forwarding of X.509 proxy credentials.
  • The gsiscp and gsisftp commands provide a secure file transfer service authenticated with X.509 proxy credentials, mimicking the rcp/scp and ftp/sftp commands.
  • All standard OpenSSH features are supported, excluding Kerberos authentication. Kerberos authentication is not compatible with GSI-enabled OpenSSH.
  • The GSI-OpenSSH server can replace the standard system SSH server in typical environments.
  • If no username is given on the command-line, GSI-OpenSSH automatically determines the username that corresponds to the X.509 proxy certificate subject in the server's grid-mapfile.

Deprecated Features

  • None

3. Summary of Changes in GSI-OpenSSH

  • Updated GPT package from 4.3 to 4.4.
  • Upgraded to OpenSSH 5.1p1.
  • Upgraded to HPN13v5.
  • Added server-side GSSAPIDelegateCredentials option.

4. Bug Fixes

  • Bug 6236: Server fails to close connection with UsePrivilegeSeparation=yes

5. Known Problems

The following problems and limitations are known to exist for GSI-OpenSSH at the time of the 4.2.1 release:

5.1. Limitations

  • No known limitations exist.

5.2. Outstanding bugs

No bugs are known to exist for GSI-OpenSSH.

6. Technology dependencies

GSI-enabled OpenSSH depends on the following GT components:

  • Non-WS Authentication and Authorization

GSI-enabled OpenSSH depends on the following 3rd party software:

7. Tested platforms

Tested Platforms for GSI-OpenSSH

  • Mac OS X 10.3
  • i686 GNU/Linux
  • ia64 GNU/Linux

8. Backward compatibility summary

Protocol changes since GT 4.2.0

  • None.

API changes since GT 4.2.0

  • None.

Exception changes since GT 4.2.0

  • Not applicable

Schema changes since GT 4.2.0

  • Not applicable

9. Associated Standards

Associated standards for GSI-OpenSSH:

10. For More Information

See GSI-OpenSSH more information about this component.

Glossary

C

certificate subject

An identifier for the certificate owner, e.g. "/DC=org/DC=doegrids/OU=People/CN=John Doe 123456". The subject is part of the information the CA binds to a public key when creating a certificate.

P

proxy certificate

A short lived certificate issued using a EEC. A proxy certificate typically has the same effective subject as the EEC that issued it and can thus be used in its place. GSI uses proxy certificates for single sign on and delegation of rights to other entities.

For more information about types of proxy certificates and their compatibility in different versions of GT, see http://dev.globus.org/wiki/Security/ProxyCertTypes.

proxy credentials

The combination of a proxy certificate and its corresponding private key. GSI typically stores proxy credentials in /tmp/x509up_u<uid> , where <uid> is the user id of the proxy owner.