MEG: MyProxy Enabled GSISSHD. Kevin Haines, STFC. AHM'09, Tuesday 8th December 2009.
About Me
- STFC eScience Centre for 6 years
- NGS 1, 2 and 3
- System Administrator for ngs.rl.ac.uk
- Software development background

Interactive Login For Grid Users
Option 1: provide a UI box with SSH key-based access
- Extra VO management overhead
- Attractive to hackers: SSH key compromise is common
Option 2: provide a UI box with GSI-OpenSSH
- Certificate-based authentication
- Limits the clients which can connect
- Short-lived delegations, so less damage in a compromise

GSI-enabled Clients
With plain GSI-OpenSSH, only GSI-aware clients can connect to the server: the Java GSI Client and the GSI-OpenSSH client.

MEG = Greater Choice
With MEG in front of the MyProxy server, the GSI clients (Java GSI Client, GSI-OpenSSH client) are joined by ordinary password-based SSH clients:
- PuTTY
- WinSCP
- Nautilus
- FireFTP (Firefox)
- GFTP
- Linux/Cygwin SSH
- Web-based SSH
- Konqueror SCP
- Cert Wizard

Inside MEG
Components: MyProxy Server(s), PAM stack, GSI OpenSSH Server (v4.7), pam_remapuser.so, auth_myproxy_user.sh, Config.
Overall process:
- Take username + password
- Get certificate from MyProxy
- Map certificate to user account


Inside MEG, step 1: the client presents the username/password pair (foo/pwd) to the GSI OpenSSH server, which hands it to the PAM stack.

Inside MEG, step 2: the PAM configuration, /etc/pam.d/megsisshd. The auth phase is handled by pam_remapuser.so, which runs /usr/sbin/auth_myproxy_user.sh; account, password and session management are delegated to the standard system-auth stack.

    auth     required pam_remapuser.so /usr/sbin/auth_myproxy_user.sh
    auth     required pam_nologin.so
    account  required pam_stack.so service=system-auth
    password required pam_stack.so service=system-auth
    session  required pam_stack.so service=system-auth
    session  required pam_loginuid.so

Inside MEG, step 3: pam_remapuser.so passes the username (foo) and password to auth_myproxy_user.sh.

Inside MEG, step 4: auth_myproxy_user.sh. The variables MYPROXY_SERVER_LIST, MYPROXY_GET, MYPROXY_USER, PASSWD, TMPCERT, GSISSH, AUTHHOST and AUTHPORT come from the Config. The password is fed to myproxy-logon's stdin (-S) by the bash echo builtin, so it never appears on a command line where ps could show it.

    #!/bin/bash
    # Try each configured MyProxy server in turn; the first one that accepts the
    # username/password issues a short-lived proxy certificate into $TMPCERT.
    success=0
    for myproxyserver in $MYPROXY_SERVER_LIST; do
        builtin echo "$PASSWD" | $MYPROXY_GET -s $myproxyserver -l "$MYPROXY_USER" -o $TMPCERT -S >/dev/null 2>&1
        if [ $? -eq 0 ]; then
            success=1
            break
        fi
    done
    if [ $success -ne 1 ]; then
        # fail silently: no hint to the caller about which step failed
        rm -f $TMPCERT
        exit 1
    fi

    # Map the certificate to a local account: connect to the GSI OpenSSH
    # server at $AUTHHOST:$AUTHPORT with the new proxy and ask it for "id -un"
    export X509_USER_CERT=$TMPCERT
    export X509_USER_KEY=$TMPCERT
    userid=`$GSISSH -p $AUTHPORT $AUTHHOST id -un 2>/dev/null`
    if [ $? -ne 0 ]; then
        # fail silently
        rm $TMPCERT
        exit 1
    fi

    # put the certificate into the default Globus location, owned and
    # readable only by the mapped user
    chown $userid $TMPCERT
    chmod 400 $TMPCERT
    mv -f $TMPCERT /tmp/x509up_u`id -u $userid`

    # the account name on stdout is what pam_remapuser.so remaps the session to
    echo $userid

Inside MEG, step 5: the script prints the mapped local account (here ngs0006) and pam_remapuser.so remaps the session from the MyProxy username foo to ngs0006; the proxy certificate is waiting in that user's default Globus location.
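As an added, self-contained example (not MEG's own code), the following exercises the auth flow above offline. Stub myproxy-logon and gsissh scripts stand in for the real tools; the host names myproxy1.example and myproxy2.example, the account foo and the passphrase s3cret are constructed for the test; the proxy is written under a temporary directory instead of /tmp so no root is needed, and the stub gsissh maps the proxy to the caller's own account so chown and id -u resolve. It shows the failover across the server list, the passphrase travelling over stdin rather than argv, and the fail-closed path leaving no proxy file behind on a wrong password.

```shell
#!/bin/sh
# Added example, not part of MEG: drive the auth_myproxy_user.sh logic with stubs.
# Everything below (hosts, account, passphrase, paths) is constructed for the test.

WORK=$(mktemp -d)
MYPROXY_GET="$WORK/myproxy-logon"        # stub for the real myproxy-logon
GSISSH="$WORK/gsissh"                     # stub for gsissh to the MEG host
MYPROXY_SERVER_LIST="myproxy1.example myproxy2.example"   # first server is "down"
AUTHHOST=localhost
AUTHPORT=2223
PROXY_DIR="$WORK"                         # stands in for /tmp
ME=$(id -un)
export MEG_CALLS="$WORK/calls.log"        # stub records which servers were asked
export MEG_MAPPED="$ME"                   # what the stub "grid-mapfile" maps foo to

# Stub myproxy-logon: parses -s/-l/-o, reads the passphrase from stdin (-S) and
# only issues a "proxy" for foo with passphrase s3cret on myproxy2.example.
cat > "$MYPROXY_GET" <<'EOF'
#!/bin/sh
while [ $# -gt 0 ]; do
  case "$1" in
    -s) server=$2; shift 2 ;;
    -l) user=$2; shift 2 ;;
    -o) out=$2; shift 2 ;;
    *)  shift ;;
  esac
done
echo "$server" >> "$MEG_CALLS"
read -r pw
[ "$server" = myproxy2.example ] && [ "$user" = foo ] && [ "$pw" = s3cret ] || exit 1
echo "FAKE PROXY for $user" > "$out"
EOF
chmod 700 "$MYPROXY_GET"

# Stub gsissh: the real one authenticates with the proxy in X509_USER_CERT and
# runs "id -un" on the MEG host; here any valid foo proxy maps to $MEG_MAPPED.
cat > "$GSISSH" <<'EOF'
#!/bin/sh
grep -q "FAKE PROXY for foo" "$X509_USER_CERT" 2>/dev/null || exit 1
echo "$MEG_MAPPED"
EOF
chmod 700 "$GSISSH"

# meg_auth USER PASSWORD: prints the mapped local account on success and
# returns 1 (with nothing left on disk) on any failure, like the MEG script.
meg_auth() {
  MYPROXY_USER=$1
  PASSWD=$2
  TMPCERT=$(mktemp "$WORK/proxy.XXXXXX")
  success=0
  for myproxyserver in $MYPROXY_SERVER_LIST; do
    # passphrase over stdin (-S), never on the command line
    if printf '%s\n' "$PASSWD" | "$MYPROXY_GET" -s "$myproxyserver" \
        -l "$MYPROXY_USER" -o "$TMPCERT" -S >/dev/null 2>&1; then
      success=1
      break
    fi
  done
  if [ "$success" -ne 1 ]; then
    rm -f "$TMPCERT"          # fail closed, leave nothing behind
    return 1
  fi
  # map the proxy to a local account by GSI-SSHing with it and running id -un
  userid=$(X509_USER_CERT="$TMPCERT" X509_USER_KEY="$TMPCERT" \
           "$GSISSH" -p "$AUTHPORT" "$AUTHHOST" id -un 2>/dev/null) \
    || { rm -f "$TMPCERT"; return 1; }
  [ -n "$userid" ] || { rm -f "$TMPCERT"; return 1; }
  # hand the proxy to that user in the default Globus location
  chown "$userid" "$TMPCERT"
  chmod 400 "$TMPCERT"
  mv -f "$TMPCERT" "$PROXY_DIR/x509up_u$(id -u "$userid")"
  printf '%s\n' "$userid"
}
```

Running `meg_auth foo s3cret` tries myproxy1.example, falls through to myproxy2.example, and prints the mapped account; `meg_auth foo wrong` prints nothing, returns 1 and leaves no proxy.* file in the work directory, which is the behaviour a PAM module must rely on so that a rejected login cannot leave a usable credential on the box.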

Installing MEG
Default install instructions for installing MEG on RHEL4, running on port 2223:

    wget
    tar zxf kgsisshd*.tgz
    cd kgsisshd
    (edit Makefile options)
    make install

- RHEL 5 needs a different PAM configuration file (will be supplied in v0.8)
- v0.8 will support MyProxy ports other than 7512

Summary
- 265 lines of C code (pam_remapuser)
- 88 lines of shell script
- Easily extensible: MyProxySSO works out of the box
- Plans to get SARoNGS better supported
- Popular with Scarf users: MEG+SSO 33 users (258 logins) versus GSI 2 users (32 logins)