GT 3.9.5 GSI-OpenSSH: User's Guide
Introduction
This is a guide for using the GSI-enabled OpenSSH client. It assumes that you (or your system administrator) have already installed GSI-OpenSSH and that you have also acquired a user certificate from an appropriate Certificate Authority.
First, set the GLOBUS_LOCATION environment variable to the location of your GSI-enabled OpenSSH installation. It may already be set for you by your system administrator.
Then, create a proxy credential for GSI authentication by running the grid-proxy-init program. This is your single sign-on to the Grid. By default, grid-proxy-init will create a proxy credential good for 12 hours. To create a proxy credential with a different lifetime, use the -hours option. For example:
% grid-proxy-init -hours 8
To delete a proxy that was previously created with grid-proxy-init, run:
% grid-proxy-destroy
Getting authorized to connect to a site
Before you can connect to a site, the site needs to know the identity in your certificate so that it can map that identity to your local account. At a minimum, the site will need to know your subject name from your certificate. You can get your subject name by running grid-cert-info with the -subject argument. For example:
% grid-cert-info -subject
Email your subject to the administrator of the system you wish to connect to so that they can add your entry to the appropriate authorization files.
Once you have your proxy credential, all you should have to do is run gsissh, providing it with the hostname of the host you want to connect to. For example:
You should then find yourself automatically logged into your account on the remote system. If something goes wrong, please see the troubleshooting section for assistance.
Command-line tools
The gsissh, gsiscp, and gsisftp commands provide the same interfaces as the standard OpenSSH ssh, scp, and sftp commands, respectively, with the added ability to perform X.509 proxy credential authentication and delegation.
gsissh
Tool description
Use the gsissh command to securely log in to a remote machine.
Command syntax
gsissh [-l login_name] hostname | user@hostname [command]
gsiscp
Tool description
Use the gsiscp command to securely copy files to or from a remote machine.
Command syntax
gsiscp [-P port] [[user@]host1:]file1 [...] [[user@]host2:]destfile
gsisftp
Tool description
The gsisftp command provides an interactive interface for transferring files to and from remote machines.
Command syntax
gsisftp [[user@]host[:dir[/]]]
Graphical user interfaces
GSI-enabled OpenSSH does not provide a GUI.
Troubleshooting
Some common errors are listed below. If you need additional assistance, please run gsissh with the '-vvv' argument (specifying verbose output) and send the output to your system administrator.
- GSS-API error Failuring acquiring GSSAPI credentials: GSS_S_CREDENTIALS_EXPIRED
  This means that your proxy certificate has expired. You need to run grid-proxy-init to acquire a new proxy certificate, then run gsissh again.
- The gsissh command prompts you for a pass phrase when you run it
  This could mean that you don't have a proxy certificate; try running grid-proxy-init and then running gsissh again. It could also mean that the GSI authentication is failing for some reason and gsissh is falling back to a different authentication mechanism. Reasons that it might fail include:
  - The host you are connecting to does not have a GSI-enabled OpenSSH server.
  - You are not authorized to use GSI authentication to the host. Contact the administrator.
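As an added example (not part of the original guide or the GSI-OpenSSH distribution), the wrapper below checks the proxy before connecting and restricts gsissh to GSS-API authentication, so the two failures listed above surface as clear errors instead of a pass phrase prompt. It assumes that grid-proxy-info -timeleft prints the remaining proxy lifetime in seconds and that the standard OpenSSH PreferredAuthentications option with the gssapi-keyex and gssapi-with-mic method names applies to your gsissh build; MIN_SECONDS, PROXY_INFO, GSISSH and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: pre-flight check for gsissh. Not GSI-OpenSSH project code.

MIN_SECONDS=${MIN_SECONDS:-600}             # hypothetical: require 10 minutes of proxy lifetime
PROXY_INFO=${PROXY_INFO:-grid-proxy-info}   # overridable so the logic can be tested offline
GSISSH=${GSISSH:-gsissh}

# proxy_state: print "ok", "expiring" or "missing" for the current proxy.
# Assumption: "-timeleft" prints the remaining lifetime in seconds.
proxy_state() {
    left=$($PROXY_INFO -timeleft 2>/dev/null) || left=""
    case "$left" in
        ''|*[!0-9]*) echo missing; return ;;   # no proxy, error text, or a negative value
    esac
    if [ "$left" -eq 0 ]; then
        echo missing                           # an expired proxy is treated like no proxy
    elif [ "$left" -lt "$MIN_SECONDS" ]; then
        echo expiring
    else
        echo ok
    fi
}

# gsissh_strict: connect only with a usable proxy, and only with GSI.
# Other authentication methods are never tried, so a GSI failure is
# reported as an error rather than hidden behind a pass phrase prompt.
gsissh_strict() {
    if [ -z "${GLOBUS_LOCATION:-}" ]; then
        echo "GLOBUS_LOCATION is not set" >&2
        return 1
    fi
    case "$(proxy_state)" in
        missing)
            echo "no valid proxy: run grid-proxy-init" >&2
            return 2 ;;
        expiring)
            echo "proxy has under ${MIN_SECONDS}s left: run grid-proxy-init" >&2
            return 3 ;;
    esac
    $GSISSH -o GSSAPIAuthentication=yes \
            -o PreferredAuthentications=gssapi-keyex,gssapi-with-mic \
            "$@"
}
```

Source the file and call gsissh_strict with the same arguments you would give gsissh. If it fails at the connection step, rerun with -vvv and send the output to the site administrator as described above.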