airavata-dev mailing list archives

From Amila Jayasekara <thejaka.am...@gmail.com>
Subject Re: Airavata's gsissh tool and Kerberos
Date Thu, 06 Feb 2014 03:31:04 GMT
But we should verify. I am a bit concerned because we modify the GSS Context to
handle MyProxy credentials and also the preferred authentication mechanisms.
So we need to verify that those changes do not affect default Kerberos
usage.

Thanks
Amila


On Wed, Feb 5, 2014 at 10:27 PM, Sachith Withana <swsachith@gmail.com> wrote:

> I did some searching on the subject.
>
> As Suresh said, it seems JSCH does support Kerberos out of the box.
>
> [1]
> http://epaul.github.io/jsch-documentation/javadoc/com/jcraft/jsch/GSSContext.html
> [2]
> https://www.mail-archive.com/jsch-users@lists.sourceforge.net/msg01075.html
>
>
>
>
>
> On Wed, Feb 5, 2014 at 5:19 PM, Amila Jayasekara <thejaka.amila@gmail.com> wrote:
>
>> Yes, it seems. But better to verify.
>> +1 for Kerberos authentication support in GSISSH.
>>
>> Thanks
>> Amila
>>
>>
>> On Wed, Feb 5, 2014 at 5:07 PM, Suresh Marru <smarru@apache.org> wrote:
>>
>>> I did not verify any of this, but the instructions say JSCH supports
>>> Kerberos. From what I could tell the jgss tutorials help -
>>>
>>>
>>> https://www.mail-archive.com/jsch-users@lists.sourceforge.net/msg01048.html
>>> http://www.docjar.com/docs/api/com/jcraft/jsch/jgss/GSSContextKrb5.html
>>>
>>> http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/index.html
>>>
>>> http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/single-signon.html
>>>
>>> Suresh
>>>
>>>
>>> On Feb 5, 2014, at 10:53 AM, Suresh Marru <smarru@apache.org> wrote:
>>>
>>> > I am willing to bet that jcraft supports Kerberos out of the box
>>> > without any code changes but with only subtle configurations like what
>>> > Amila referred below.
>>> >
>>> > +1 on the importance of Kerberos and making it a first class
>>> > supported protocol for credential store.
>>> >
>>> > Suresh
>>> > On Feb 5, 2014, at 10:44 AM, Marlon Pierce <marpierc@iu.edu> wrote:
>>> >
>>> >> Thanks--this may be a useful variation on the "vanilla SSH" gateway use
>>> >> case.  I'd guess a fair number of computing centers use Kerberos and
>>> >> kerberized SSH for access.  This would allow us to combine the
>>> >> advantages (?) of SSH (no grid infrastructure needs to be installed)
>>> >> with GSI short term credentials (no managing of public keys).
>>> >>
>>> >>
>>> >> Marlon
>>> >>
>>> >> On 2/5/14 10:36 AM, Amila Jayasekara wrote:
>>> >>> JSCH provides user authentication mechanism gssapi-with-mic. We should be
>>> >>> able to use this interface to implement Kerberos based authentication. In
>>> >>> the JCraft library in Airavata, we have modified default GSSAPI
>>> >>> implementation to incorporate MyProxy (X.509) authentication. We may need
>>> >>> to do some code level changes to get both working at the same code.
>>> >>> I am not sure out of the box JSCH supports Kerberos. Also I am not sure
>>> >>> what sort of changes we need to do to get Kerberos working with JSCH. It
>>> >>> could be only adding Kerberos configuration files and JAAS configuration
>>> >>> files, or it could be some code changes we need to do in GSSAPI level. We
>>> >>> may need to further investigate this.
>>> >>>
>>> >>> In summary it should be possible to implement Kerberos authentication with
>>> >>> JSCH but not sure how much work. We need to investigate some time and
>>> >>> figure that out.
>>> >>>
>>> >>> Thanks
>>> >>> Amila
>>> >>>
>>> >>>
>>> >>> On Wed, Feb 5, 2014 at 10:20 AM, Raminder Singh <raminderjsingh@gmail.com> wrote:
>>> >>>
>>> >>>> JSCH does not do this out of the box. Amila has to extend the Jcraft
>>> >>>> library to provide the support. As of my experience, /tools/gsissh should
>>> >>>> work with Kerberos authentication. I am not sure about addition to x509
>>> >>>> certificate. X509 certificates are only used with myproxy server.
>>> >>>>
>>> >>>> Thanks
>>> >>>> Raminder
>>> >>>>
>>> >>>> On Feb 5, 2014, at 9:57 AM, Marlon Pierce <marpierc@iu.edu> wrote:
>>> >>>>
>>> >>>>> Will Airavata's gsissh tool (/tools/gsissh) work with Kerberos tickets
>>> >>>>> in addition to short term x.509 grid credentials? Or would JSCH do this
>>> >>>>> out of the box?
>>> >>>>>
>>> >>>>>
>>> >>>>> Thanks--
>>> >>>>>
>>> >>>>>
>>> >>>>> Marlon
>>> >>>>>
>>> >>>>
>>> >>
>>> >
>>>
>>>
>>
>
>
> --
> Thanks,
> Sachith Withana
>
>
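
One way to run the verification this thread asks for, as an added example that is not part of the thread or of Airavata's code: it prints which classes the JSch build on the classpath has registered for `gssapi-with-mic`, then attempts a login that offers only that mechanism. Assumptions: a ticket cache already created with `kinit`, the user and host passed as arguments, and an OpenSSH-style `known_hosts` file at the path shown.

```java
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.Session;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class KerberosSshCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: KerberosSshCheck <user> <host>");
            System.exit(2);
        }
        // JAAS entry the JDK's JGSS initiator looks up; it reuses the ticket
        // cache created by kinit and never prompts for a password.
        String jaas = "com.sun.security.jgss.initiate {\n"
            + "  com.sun.security.auth.module.Krb5LoginModule required\n"
            + "    useTicketCache=true doNotPrompt=true;\n"
            + "};\n";
        Path jaasFile = Files.createTempFile("jaas", ".conf");
        Files.write(jaasFile, jaas.getBytes(StandardCharsets.UTF_8));
        System.setProperty("java.security.auth.login.config", jaasFile.toString());
        // The JAAS login, not the caller's Subject, supplies the credentials.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        // Realm and KDC come from the platform krb5.conf unless
        // -Djava.security.krb5.conf=<path> is passed on the command line.

        // Show which classes are registered for GSSAPI. In stock JSch these are
        // com.jcraft.jsch.UserAuthGSSAPIWithMIC and
        // com.jcraft.jsch.jgss.GSSContextKrb5; a modified build may differ.
        System.out.println("userauth: " + JSch.getConfig("userauth.gssapi-with-mic"));
        System.out.println("context:  " + JSch.getConfig("gssapi-with-mic.krb5"));

        JSch jsch = new JSch();
        // Keep host key verification on; the known_hosts path is an assumption.
        jsch.setKnownHosts(System.getProperty("user.home") + "/.ssh/known_hosts");
        Session session = jsch.getSession(args[0], args[1], 22);
        // Offer only gssapi-with-mic so a Kerberos failure cannot be masked
        // by a silent fallback to publickey or password.
        session.setConfig("PreferredAuthentications", "gssapi-with-mic");
        try {
            session.connect(15000);
            System.out.println("authenticated with gssapi-with-mic");
        } finally {
            session.disconnect();
        }
    }
}
```

Running it once against stock JSch and once against the modified library shows whether the registered context class or the login result differs between the two.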
