airavata-dev mailing list archives

From Suresh Marru <sma...@apache.org>
Subject Re: Airavata's gsissh tool and Kerberos
Date Wed, 05 Feb 2014 22:07:26 GMT
I did not verify any of this, but the instructions say JSCH supports Kerberos. From what I
could tell the jgss tutorials help - 

https://www.mail-archive.com/jsch-users@lists.sourceforge.net/msg01048.html
http://www.docjar.com/docs/api/com/jcraft/jsch/jgss/GSSContextKrb5.html
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/index.html
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/single-signon.html

Suresh


On Feb 5, 2014, at 10:53 AM, Suresh Marru <smarru@apache.org> wrote:

> I am willing to bet that jcraft supports Kerberos out of the box without any code changes
> but with only subtle configurations like what Amila referred below.
> 
> + 1 on the importance of Kerberos and making it a first class supported protocol for
> credential store.
> 
> Suresh 
> On Feb 5, 2014, at 10:44 AM, Marlon Pierce <marpierc@iu.edu> wrote:
> 
>> Thanks--this may be a useful variation on the "vanilla SSH" gateway use
>> case.  I'd guess a fair number of computing centers use Kerberos and
>> kerberized SSH for access.  This would allow us to combine the
>> advantages (?) of SSH (no grid infrastructure needs to be installed)
>> with GSI short term credentials (no managing of public keys).
>> 
>> 
>> Marlon
>> 
>> On 2/5/14 10:36 AM, Amila Jayasekara wrote:
>>> JSCH provides user authentication mechanism gssapi-with-mic. We should be
>>> able to use this interface to implement Kerberos based authentication. In
>>> the JCraft library in Airavata, we have modified default GSSAPI
>>> implementation to incorporate MyProxy (X.509) authentication. We may need
>>> to do some code level changes to get both working at the same code.
>>> I am not sure out of the box JSCH supports Kerberos. Also I am not sure
>>> what sort of changes we need to do to get Kerberos working with JSCH. It
>>> could be only adding Kerberos configuration files and JAAS configuration
>>> files, or it could be some code changes we need to do in GSSAPI level. We
>>> may need to further investigate this.
>>> 
>>> In summary it should be possible to implement Kerberos authentication with
>>> JSCH but not sure how much work. We need to investigate some time and
>>> figure that out.
>>> 
>>> Thanks
>>> Amila
>>> 
>>> 
>>> On Wed, Feb 5, 2014 at 10:20 AM, Raminder Singh <raminderjsingh@gmail.com> wrote:
>>> 
>>>> JSCH does not do this out of the box. Amila has to extend the Jcraft
>>>> library to provide the support. In my experience, /tools/gsissh should
>>>> work with Kerberos authentication. I am not sure about addition to x509
>>>> certificate. X509 certificates are only used with myproxy server.
>>>> 
>>>> Thanks
>>>> Raminder
>>>> 
>>>> On Feb 5, 2014, at 9:57 AM, Marlon Pierce <marpierc@iu.edu> wrote:
>>>> 
>>>>> Will Airavata's gsissh tool (/tools/gsissh) work with Kerberos tickets
>>>>> in addition to short term x.509 grid credentials? Or would JSCH do this
>>>>> out of the box?
>>>>> 
>>>>> 
>>>>> Thanks--
>>>>> 
>>>>> 
>>>>> Marlon
>>>>> 
>>>> 
>> 
> 

