airavata-dev mailing list archives

From Amila Jayasekara <thejaka.am...@gmail.com>
Subject Re: Airavata's gsissh tool and Kerberos
Date Wed, 05 Feb 2014 22:19:01 GMT
Yes, it seems. But better to verify.
+1 for Kerberos authentication support in GSISSH.

Thanks
Amila


On Wed, Feb 5, 2014 at 5:07 PM, Suresh Marru <smarru@apache.org> wrote:

> I did not verify any of this, but the instructions say JSCH supports
> Kerberos. From what I could tell the jgss tutorials help -
>
> https://www.mail-archive.com/jsch-users@lists.sourceforge.net/msg01048.html
> http://www.docjar.com/docs/api/com/jcraft/jsch/jgss/GSSContextKrb5.html
>
> http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/index.html
>
> http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/single-signon.html
>
> Suresh
>
>
> On Feb 5, 2014, at 10:53 AM, Suresh Marru <smarru@apache.org> wrote:
>
> > I am willing to bet that jcraft supports Kerberos out of the box without
> > any code changes but with only subtle configurations like what Amila
> > referred below.
> >
> > + 1 on the importance of Kerberos and making it a first class supported
> > protocol for credential store.
> >
> > Suresh
> > On Feb 5, 2014, at 10:44 AM, Marlon Pierce <marpierc@iu.edu> wrote:
> >
> >> Thanks--this may be a useful variation on the "vanilla SSH" gateway use
> >> case.  I'd guess a fair number of computing centers use Kerberos and
> >> kerberized SSH for access.  This would allow us to combine the
> >> advantages (?) of SSH (no grid infrastructure needs to be installed)
> >> with GSI short term credentials (no managing of public keys).
> >>
> >>
> >> Marlon
> >>
> >> On 2/5/14 10:36 AM, Amila Jayasekara wrote:
> >>> JSCH provides user authentication mechanism gssapi-with-mic. We should be
> >>> able to use this interface to implement Kerberos based authentication. In
> >>> the JCraft library in Airavata, we have modified default GSSAPI
> >>> implementation to incorporate MyProxy (X.509) authentication. We may need
> >>> to do some code level changes to get both working at the same code.
> >>> I am not sure out of the box JSCH supports Kerberos. Also I am not sure
> >>> what sort of changes we need to do to get Kerberos working with JSCH. It
> >>> could be only adding Kerberos configuration files and JAAS configuration
> >>> files, or it could be some code changes we need to do in GSSAPI level. We
> >>> may need to further investigate this.
> >>>
> >>> In summary it should be possible to implement Kerberos authentication with
> >>> JSCH but not sure how much work. We need to investigate some time and
> >>> figure that out.
> >>>
> >>> Thanks
> >>> Amila
> >>>
> >>>
> >>> On Wed, Feb 5, 2014 at 10:20 AM, Raminder Singh <raminderjsingh@gmail.com> wrote:
> >>>
> >>>> JSCH does not do this out of the box. Amila has to extend the Jcraft
> >>>> library to provide the support. As of my experience, /tools/gsissh should
> >>>> work with Kerberos authentication. I am not sure about addition to x509
> >>>> certificate. X509 certificates are only used with myproxy server.
> >>>>
> >>>> Thanks
> >>>> Raminder
> >>>>
> >>>> On Feb 5, 2014, at 9:57 AM, Marlon Pierce <marpierc@iu.edu> wrote:
> >>>>
> >>>>> Will Airavata's gsissh tool (/tools/gsissh) work with Kerberos tickets
> >>>>> in addition to short term x.509 grid credentials? Or would JSCH do this
> >>>>> out of the box?
> >>>>>
> >>>>>
> >>>>> Thanks--
> >>>>>
> >>>>>
> >>>>> Marlon
> >>>>>
> >>>>
> >>
> >
>
>
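
An added example, not part of this thread and not Airavata's modified JCraft code: the configuration the thread refers to (krb5.conf, a JAAS file, and the gssapi-with-mic mechanism) as it would look with an unmodified JSch on a Java JGSS stack. The user name, host name and file paths are placeholders, and it assumes a ticket already obtained with kinit.

```java
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;

/*
 * JAAS file assumed at the placeholder path below. The entry name is the
 * default one JGSS looks up for a Kerberos initiator:
 *
 *   com.sun.security.jgss.krb5.initiate {
 *     com.sun.security.auth.module.Krb5LoginModule required
 *       useTicketCache=true doNotPrompt=true;
 *   };
 */
public class KerberosSshExample {
    public static void main(String[] args) throws JSchException {
        // Placeholder paths (assumptions): point these at the site's real files.
        System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
        System.setProperty("java.security.auth.login.config", "/path/to/jaas.conf");
        // Let JGSS take credentials from the JAAS entry (the kinit ticket cache)
        // instead of requiring them on the calling thread's Subject.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        JSch jsch = new JSch();
        // Kerberos authenticates the user; the server's SSH host key is still
        // verified against known_hosts.
        jsch.setKnownHosts("/path/to/known_hosts");

        // "alice" and "login.example.org" are placeholders.
        Session session = jsch.getSession("alice", "login.example.org", 22);
        // Offer only gssapi-with-mic, so a failed Kerberos exchange surfaces as
        // an error rather than a silent fallback to password or public key.
        session.setConfig("PreferredAuthentications", "gssapi-with-mic");
        session.setConfig("StrictHostKeyChecking", "yes");

        session.connect(30_000); // timeout in milliseconds
        try {
            System.out.println("authenticated: " + session.isConnected());
        } finally {
            session.disconnect();
        }
    }
}
```

With doNotPrompt=true and no valid ticket in the cache, the JAAS login fails and connect() throws a JSchException, which is the behaviour to check for when verifying Kerberos support.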
