airavata-dev mailing list archives

From Suresh Marru <>
Subject Re: Airavata's gsissh tool and Kerberos
Date Wed, 05 Feb 2014 22:07:26 GMT
I did not verify any of this, but the instructions say JSCH supports Kerberos. From what I
could tell the jgss tutorials help -


On Feb 5, 2014, at 10:53 AM, Suresh Marru <> wrote:

> I am willing to bet that jcraft supports Kerberos out of the box without any code changes
> but with only subtle configurations like what Amila referred below.
> + 1 on the importance of Kerberos and making it a first class supported protocol for
> credential store.
> Suresh 
> On Feb 5, 2014, at 10:44 AM, Marlon Pierce <> wrote:
>> Thanks--this may be a useful variation on the "vanilla SSH" gateway use
>> case.  I'd guess a fair number of computing centers use Kerberos and
>> kerberized SSH for access.  This would allow us to combine the
>> advantages (?) of SSH (no grid infrastructure needs to be installed)
>> with GSI short term credentials (no managing of public keys).
>> Marlon
>> On 2/5/14 10:36 AM, Amila Jayasekara wrote:
>>> JSCH provides user authentication mechanism gssapi-with-mic. We should be
>>> able to use this interface to implement Kerberos based authentication. In
>>> the JCraft library in Airavata, we have modified default GSSAPI
>>> implementation to incorporate MyProxy (X.509) authentication. We may need
>>> to do some code level changes to get both working at the same code.
>>> I am not sure out of the box JSCH supports Kerberos. Also I am not sure
>>> what sort of changes we need to do to get Kerberos working with JSCH. It
>>> could be only adding Kerberos configuration files and JAAS configuration
>>> files, or it could be some code changes we need to do in GSSAPI level. We
>>> may need to further investigate this.
>>> In summary it should be possible to implement Kerberos authentication with
>>> JSCH but not sure how much work. We need to investigate some time and
>>> figure that out.
>>> Thanks
>>> Amila
>>> On Wed, Feb 5, 2014 at 10:20 AM, Raminder Singh <> wrote:
>>>> JSCH does not do this out of the box. Amila has to extend the Jcraft
>>>> library to provide the support. As of my experience, /tools/gsissh should
>>>> work with Kerberos authentication. I am not sure about addition to x509
>>>> certificate. X509 certificates are only used with myproxy server.
>>>> Thanks
>>>> Raminder
>>>> On Feb 5, 2014, at 9:57 AM, Marlon Pierce <> wrote:
>>>>> Will Airavata's gsissh tool (/tools/gsissh) work with Kerberos tickets
>>>>> in addition to short term x.509 grid credentials? Or would JSCH do this
>>>>> out of the box?
>>>>> Thanks--
>>>>> Marlon
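
One way to test the question raised in this thread is sketched below. It is an added example, not part of the original messages and not Airavata code. It assumes stock JSch (com.jcraft:jsch) on the classpath rather than Airavata's modified copy, a ticket already obtained with kinit, and a server that offers gssapi-with-mic; the class name KerberosSshCheck is hypothetical.

```java
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.Session;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example: assumes stock JSch, not Airavata's modified JCraft library.
public class KerberosSshCheck {

    // JAAS entry the JDK's GSS-API Kerberos provider looks up for a client (initiator).
    // It reuses the ticket cache filled by kinit, so no password or key is handled here.
    static final String JAAS_CONFIG =
        "com.sun.security.jgss.krb5.initiate {\n"
      + "  com.sun.security.auth.module.Krb5LoginModule required\n"
      + "    useTicketCache=true doNotPrompt=true;\n"
      + "};\n";

    static Session configure(String user, String host) throws Exception {
        Path jaas = Files.createTempFile("jaas", ".conf");
        Files.write(jaas, JAAS_CONFIG.getBytes("UTF-8"));
        jaas.toFile().deleteOnExit();
        System.setProperty("java.security.auth.login.config", jaas.toString());
        // Let JGSS obtain credentials through JAAS instead of requiring a Subject.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        // Realm and KDC come from the platform krb5.conf unless java.security.krb5.conf is set.

        JSch jsch = new JSch();
        jsch.setKnownHosts(System.getProperty("user.home") + "/.ssh/known_hosts");
        Session session = jsch.getSession(user, host, 22);
        // Offer only GSSAPI so a fallback to password or publickey cannot mask a Kerberos failure.
        session.setConfig("PreferredAuthentications", "gssapi-with-mic");
        // Keep host key verification on; the target must already be in known_hosts.
        session.setConfig("StrictHostKeyChecking", "yes");
        return session;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: KerberosSshCheck <user> <host>   (run kinit first)");
            return;
        }
        Session session = configure(args[0], args[1]);
        try {
            session.connect(10_000); // throws JSchException if authentication fails
            System.out.println("gssapi-with-mic authenticated: " + session.isConnected());
        } finally {
            session.disconnect();
        }
    }
}
```

If the connection fails, running with -Dsun.security.krb5.debug=true shows whether the ticket cache was found and which service principal was requested.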
