airavata-dev mailing list archives

From Sachith Withana <swsach...@gmail.com>
Subject Re: Airavata's gsissh tool and Kerberos
Date Thu, 06 Feb 2014 03:27:38 GMT
I did some searching on the subject.

As Suresh said, it seems JSCH does support Kerberos out of the box.

[1] http://epaul.github.io/jsch-documentation/javadoc/com/jcraft/jsch/GSSContext.html
[2] https://www.mail-archive.com/jsch-users@lists.sourceforge.net/msg01075.html

On Wed, Feb 5, 2014 at 5:19 PM, Amila Jayasekara <thejaka.amila@gmail.com> wrote:

> Yes, it seems. But better to verify.
> +1 for Kerberos authentication support in GSISSH.
>
> Thanks
> Amila
>
>
> On Wed, Feb 5, 2014 at 5:07 PM, Suresh Marru <smarru@apache.org> wrote:
>
>> I did not verify any of this, but the instructions say JSCH supports
>> kerberos. From what I could tell the jgss tutorials help -
>>
>>
>> https://www.mail-archive.com/jsch-users@lists.sourceforge.net/msg01048.html
>> http://www.docjar.com/docs/api/com/jcraft/jsch/jgss/GSSContextKrb5.html
>>
>> http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/index.html
>>
>> http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/single-signon.html
>>
>> Suresh
>>
>>
>> On Feb 5, 2014, at 10:53 AM, Suresh Marru <smarru@apache.org> wrote:
>>
>> > I am willing to bet that jcraft supports Kerberos out of the box
>> > without any code changes but with only subtle configurations like what
>> > Amila referred below.
>> >
>> > + 1 on the importance of Kerberos and making it a first class supported
>> > protocol for credential store.
>> >
>> > Suresh
>> > On Feb 5, 2014, at 10:44 AM, Marlon Pierce <marpierc@iu.edu> wrote:
>> >
>> >> Thanks--this may be a useful variation on the "vanilla SSH" gateway use
>> >> case.  I'd guess a fair number of computing centers use Kerberos and
>> >> kerberized SSH for access.  This would allow us to combine the
>> >> advantages (?) of SSH (no grid infrastructure needs to be installed)
>> >> with GSI short term credentials (no managing of public keys).
>> >>
>> >>
>> >> Marlon
>> >>
>> >> On 2/5/14 10:36 AM, Amila Jayasekara wrote:
>> >>> JSCH provides user authentication mechanism gssapi-with-mic. We should be
>> >>> able to use this interface to implement Kerberos based authentication. In
>> >>> the JCraft library in Airavata, we have modified default GSSAPI
>> >>> implementation to incorporate MyProxy (X.509) authentication. We may need
>> >>> to do some code level changes to get both working at the same code.
>> >>> I am not sure out of the box JSCH supports Kerberos. Also I am not sure
>> >>> what sort of changes we need to do to get Kerberos working with JSCH. It
>> >>> could be only adding Kerberos configuration files and JAAS configuration
>> >>> files, or it could be some code changes we need to do in GSSAPI level. We
>> >>> may need to further investigate this.
>> >>>
>> >>> In summary it should be possible to implement Kerberos authentication with
>> >>> JSCH but not sure how much work. We need to investigate some time and
>> >>> figure that out.
>> >>>
>> >>> Thanks
>> >>> Amila
>> >>>
>> >>>
>> >>> On Wed, Feb 5, 2014 at 10:20 AM, Raminder Singh <raminderjsingh@gmail.com> wrote:
>> >>>
>> >>>> JSCH does not do this out of the box. Amila has to extend the Jcraft
>> >>>> library to provide the support. As of my experience, /tools/gsissh should
>> >>>> work with Kerberos authentication. I am not sure about addition to x509
>> >>>> certificate. X509 certificates are only used with myproxy server.
>> >>>>
>> >>>> Thanks
>> >>>> Raminder
>> >>>>
>> >>>> On Feb 5, 2014, at 9:57 AM, Marlon Pierce <marpierc@iu.edu> wrote:
>> >>>>
>> >>>>> Will Airavata's gsissh tool (/tools/gsissh) work with Kerberos tickets
>> >>>>> in addition to short term x.509 grid credentials? Or would JSCH do this
>> >>>>> out of the box?
>> >>>>>
>> >>>>>
>> >>>>> Thanks--
>> >>>>>
>> >>>>>
>> >>>>> Marlon
>> >>>>>
>> >>>>
>> >>
>> >
>>
>>
>


-- 
Thanks,
Sachith Withana
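
The configuration-only route discussed in this thread (JAAS and Kerberos configuration, no code changes in the GSSAPI layer), sketched against stock JSch as an added example; it is not code from the thread or from Airavata's modified JCraft copy. It assumes a ticket already obtained with kinit, a krb5.conf in the JDK's default location, and a user and host passed as arguments.

```java
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.JSchException;
import com.jcraft.jsch.Session;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class KerberosSshCheck {
    // JAAS entry the JDK's Kerberos GSS provider looks up when initiating a context.
    // useTicketCache + doNotPrompt: use the existing kinit ticket, never ask for a password.
    private static final String JAAS = String.join("\n",
        "com.sun.security.jgss.krb5.initiate {",
        "  com.sun.security.auth.module.Krb5LoginModule required",
        "    useTicketCache=true doNotPrompt=true;",
        "};", "");

    public static void main(String[] args) throws IOException, JSchException {
        if (args.length != 2) {   // user and host are supplied by the caller (assumption)
            System.err.println("usage: KerberosSshCheck <user> <host>");
            System.exit(2);
        }
        Path jaas = Files.createTempFile("jaas", ".conf");
        Files.write(jaas, JAAS.getBytes(StandardCharsets.UTF_8));
        jaas.toFile().deleteOnExit();

        System.setProperty("java.security.auth.login.config", jaas.toString());
        // Let JGSS fetch credentials itself instead of requiring a JAAS Subject
        // to be attached to the calling thread.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        JSch jsch = new JSch();
        jsch.setKnownHosts(System.getProperty("user.home") + "/.ssh/known_hosts");
        Session session = jsch.getSession(args[0], args[1], 22);
        // Offer only Kerberos so a failure is visible rather than masked by a
        // fallback to password or public-key authentication.
        session.setConfig("PreferredAuthentications", "gssapi-with-mic");
        session.setConfig("StrictHostKeyChecking", "yes");
        try {
            session.connect(15000);
            System.out.println("gssapi-with-mic authenticated: " + session.isConnected());
        } finally {
            session.disconnect();
        }
    }
}
```

Restricting PreferredAuthentications to gssapi-with-mic makes the run a direct test of the question raised above: if the Kerberos exchange fails, connect() throws instead of authenticating some other way.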
