airavata-dev mailing list archives

From Marlon Pierce <marpi...@iu.edu>
Subject Re: Airavata's gsissh tool and Kerberos
Date Wed, 05 Feb 2014 15:44:50 GMT
Thanks--this may be a useful variation on the "vanilla SSH" gateway use
case.  I'd guess a fair number of computing centers use Kerberos and
kerberized SSH for access.  This would allow us to combine the
advantages (?) of SSH (no grid infrastructure needs to be installed)
with GSI short term credentials (no managing of public keys).


Marlon

On 2/5/14 10:36 AM, Amila Jayasekara wrote:
> JSCH provides user authentication mechanism gssapi-with-mic. We should be
> able to use this interface to implement Kerberos based authentication. In
> the JCraft library in Airavata, we have modified default GSSAPI
> implementation to incorporate MyProxy (X.509) authentication. We may need
> to do some code level changes to get both working at the same code.
> I am not sure out of the box JSCH supports Kerberos. Also I am not sure
> what sort of changes we need to do to get Kerberos working with JSCH. It
> could be only adding Kerberos configuration files and JAAS configuration
> files, or it could be some code changes we need to do in GSSAPI level. We
> may need to further investigate this.
>
> In summary it should be possible to implement Kerberos authentication with
> JSCH but not sure how much work. We need to investigate some time and
> figure that out.
>
> Thanks
> Amila
>
>
> On Wed, Feb 5, 2014 at 10:20 AM, Raminder Singh <raminderjsingh@gmail.com> wrote:
>
>> JSCH does not do this out of the box. Amila has to extend the Jcraft
>> library to provide the support. In my experience, /tools/gsissh should
>> work with Kerberos authentication. I am not sure about addition to x509
>> certificate. X509 certificates are only used with myproxy server.
>>
>> Thanks
>> Raminder
>>
>> On Feb 5, 2014, at 9:57 AM, Marlon Pierce <marpierc@iu.edu> wrote:
>>
>>> Will Airavata's gsissh tool (/tools/gsissh) work with Kerberos tickets
>>> in addition to short term x.509 grid credentials? Or would JSCH do this
>>> out of the box?
>>>
>>>
>>> Thanks--
>>>
>>>
>>> Marlon
>>>
>>
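
A sketch of the configuration-only route raised in the thread (Kerberos and JAAS configuration files, no GSSAPI code changes), as an added example that is not from the thread or from Airavata's code. It assumes a stock JSch jar whose `gssapi-with-mic` method uses the JDK's Kerberos 5 GSS mechanism, not Airavata's modified JCraft library; it also assumes a ticket already obtained with `kinit` and a `krb5.conf` in the JDK's default location. The class name, user, and host are hypothetical.

```java
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class KerberosSshExample {

    // JAAS entry the JDK's GSS layer looks up for a Kerberos client (initiator).
    // useTicketCache=true reuses the kinit ticket; doNotPrompt=true makes the
    // login fail instead of falling back to a password prompt.
    static final String JAAS_CONF =
        "com.sun.security.jgss.krb5.initiate {\n"
      + "  com.sun.security.auth.module.Krb5LoginModule required\n"
      + "    useTicketCache=true doNotPrompt=true;\n"
      + "};\n";

    // Builds a session restricted to gssapi-with-mic; does not connect yet.
    static Session kerberosSession(String user, String host, String knownHosts)
            throws JSchException, IOException {
        Path jaas = Files.createTempFile("jaas", ".conf");
        Files.write(jaas, JAAS_CONF.getBytes(StandardCharsets.UTF_8));
        System.setProperty("java.security.auth.login.config", jaas.toString());
        // Let JGSS fetch credentials through JAAS instead of requiring a
        // Subject already bound to the calling thread.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        JSch jsch = new JSch();
        jsch.setKnownHosts(knownHosts);              // verify the server key
        Session session = jsch.getSession(user, host, 22);
        // Offer only Kerberos: no silent fallback to password or public key.
        session.setConfig("PreferredAuthentications", "gssapi-with-mic");
        session.setConfig("StrictHostKeyChecking", "yes");
        return session;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical user and host, for illustration only.
        Session s = kerberosSession("alice", "login.example.org",
                System.getProperty("user.home") + "/.ssh/known_hosts");
        s.connect(15000);                            // 15 s connect timeout
        System.out.println("authenticated: " + s.isConnected());
        s.disconnect();
    }
}
```

If the connection fails with an authentication error, running with `-Dsun.security.krb5.debug=true` shows whether the ticket cache was found and which service principal was requested.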

