
MEG: Myproxy Enabled GSISSHD. Kevin Haines, STFC. AHM'09, Tuesday 8th December 2009.


1 MEG: Myproxy Enabled GSISSHD. Kevin Haines, STFC. AHM'09, Tuesday 8th December 2009

2 About Me
- STFC eScience Centre for 6 years
- NGS 1, 2 and 3
- System Administrator for ngs.rl.ac.uk
- Software development background

3 Interactive Login For Grid Users
- Provide a UI box with SSH key-based access
  - Extra VO management overhead
  - Attractive to hackers
  - SSH key compromise is common
- Provide a UI box with GSI-OpenSSH
  - Certificate based authentication
  - Limits the clients which can connect
  - Short-lived delegations – less damage in a compromise

4 GSI-enabled Clients

5 GSI Enabled Clients (diagram): GSI-OpenSSH, Java GSI Client, GSI OpenSSH Client

6 MEG = Greater Choice (diagram). Components shown: MEG, Java GSI Client, MyProxy Server, GSI OpenSSH Client, Putty, WinSCP, Nautilus, FireFTP (FireFox), GFTP, Linux/Cygwin SSH, Web Based SSH, Konqueror SCP, Cert Wizard

7 Inside MEG (diagram: MyProxy Server(s), PAM Stack, GSI OpenSSH Server (v4.7), pam_remapuser.so, auth_myproxy_user.sh, Config)
Overall Process:
- Take user name+password
- Get certificate from MyProxy
- Map certificate to user account

8 Inside MEG (diagram as slide 7)

9 Inside MEG (diagram as slide 7)

10 Inside MEG (diagram as slide 7)

11 Inside MEG (diagram as slide 7; user name and password entered: foo/pwd)

12 Inside MEG (diagram as slide 7). Config, /etc/pam.d/megsisshd:

    auth     required pam_remapuser.so /usr/sbin/auth_myproxy_user.sh
    auth     required pam_nologin.so
    account  required pam_stack.so service=system-auth
    password required pam_stack.so service=system-auth
    session  required pam_stack.so service=system-auth
    session  required pam_loginuid.so

13 Inside MEG (diagram as slide 7; foo/pwd)

14 Inside MEG (diagram as slide 7). Core of auth_myproxy_user.sh (MYPROXY_SERVER_LIST, MYPROXY_GET, MYPROXY_USER, PASSWD, TMPCERT, GSISSH, AUTHPORT and AUTHHOST are set earlier in the script from its Config):

    success=0
    # try each configured MyProxy server in turn until one accepts the password
    for myproxyserver in $MYPROXY_SERVER_LIST; do
        # builtin echo keeps the password out of any external process's argv
        builtin echo "$PASSWD" | $MYPROXY_GET -s "$myproxyserver" -l "$MYPROXY_USER" -o "$TMPCERT" -S >/dev/null 2>&1
        if [ $? -eq 0 ]; then
            success=1
            break
        fi
    done
    if [ $success -ne 1 ]; then
        # fail silently
        exit 1
    fi
    # log in to the local GSI-OpenSSH auth port with the retrieved proxy
    # to find out which local account the certificate maps to
    export X509_USER_CERT="$TMPCERT"
    export X509_USER_KEY="$TMPCERT"
    userid=`$GSISSH -p "$AUTHPORT" "$AUTHHOST" id -un 2>/dev/null`
    if [ $? -ne 0 ]; then
        # fail silently
        rm -f "$TMPCERT"
        exit 1
    fi
    # put the certificate into the default Globus location
    chown "$userid" "$TMPCERT"
    chmod 400 "$TMPCERT"
    mv -f "$TMPCERT" /tmp/x509up_u`id -u "$userid"`
    # the mapped user name on stdout is what pam_remapuser reads
    echo "$userid"

15 Inside MEG (diagram as slide 7; the script returns the mapped account: ngs0006)
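Since pam_remapuser takes the account name from the helper script's stdout, the value it receives decides which local account the session becomes. As an added example (not part of the MEG source), the checks a deployer might apply to that value before accepting it; the 32-character portable username rule and the minimum UID of 1000 are assumptions, not MEG's policy.

```shell
#!/bin/sh
# Added example: validate the account name returned by an auth helper
# (such as MEG's auth_myproxy_user.sh) before remapping the PAM user.
# Thresholds and rules here are assumptions, not MEG's own behaviour.

MIN_REMAP_UID=1000   # assumption: never remap onto system accounts

# Syntactic check: 1-32 chars, lowercase portable charset,
# not starting with '-' (could be read as an option) or '.'.
valid_username_syntax() {
    name=$1
    case $name in
        ''|*[!a-z0-9._-]*|-*|.*) return 1 ;;
    esac
    [ "${#name}" -le 32 ]
}

# Full check on the helper's raw stdout: exactly one token, syntactically
# valid, present in the passwd database, and not below MIN_REMAP_UID.
remap_target_ok() {
    out=$1
    case $out in
        *[[:space:]]*) return 1 ;;   # more than one token or stray newline
    esac
    valid_username_syntax "$out" || return 1
    uid=$(id -u "$out" 2>/dev/null) || return 1
    [ "$uid" -ge "$MIN_REMAP_UID" ]
}

# Constructed sample helper outputs (made-up values). 'ngs0006' passes the
# syntax check but is only accepted where such an account actually exists.
for sample in 'ngs0006' 'foo bar' '-rf' 'root' ''; do
    if remap_target_ok "$sample"; then
        printf 'accept  %s\n' "$sample"
    else
        printf 'reject  %s\n' "$sample"
    fi
done
```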

16 Installing MEG
Default install instructions for installing MEG on RHEL4, running on port 2223:

    wget http://forge.nesc.ac.uk/download.php/465/kgsisshd-0.7-1.src.tgz
    tar zxf kgsisshd*.tgz
    cd kgsisshd-0.7-1
    (Edit Makefile options)
    make install

- RHEL 5 needs a different PAM configuration file (will be supplied in v0.8)
- v0.8 will support MyProxy ports other than 7512

17 Summary
- 265 lines of C code (pam_remapuser)
- 88 lines of shell script
- Easily extensible
- MyProxySSO works out of the box
- Plans to get SARoNGS better supported
- Popular with Scarf users: MEG+SSO: 33 users (258 logins); GSI: 2 users (32 logins)

18 Inside MEG (diagram as slide 7)

