Goal

This page briefly explains how to set up your own GSI-OpenSSH server and use it as an out-of-the-box service to transfer files produced by Grid jobs (e.g. DIANE workers) back to the DIANE Master or to some other non-Grid-aware Linux machine.

Installation and Configuration

Download Globus Toolkit 4

Don't be scared: it is quite large, but we'll install only the gsi-openssh server/client.

It is recommended to install from the root account in order to use the pre-existing configuration files of your OpenSSH server.

# cd /usr/local/src
# wget http://www-unix.globus.org/ftppub/gt4/4.0/4.0.5/installers/src/gt4.0.5-all-source-installer.tar.bz2
# tar xjvf gt4.0.5-all-source-installer.tar.bz2
# cd gt4.0.5-all-source-installer

Build

# ./configure --prefix=/opt/globus --with-gsiopensshargs="--with-md5-passwords --without-zlib-version-check"
# make gsi-openssh
# make install

If everything went fine, you're the lucky owner of a brand-new GSI-enabled OpenSSH server ready to join the Grid.

Configuration

Minimal GSI setup

Install the lcg-CA rpm:

# cat >/etc/yum.repos.d/lcg-CA.repo <<EOF
[lcg-ca]
name=lcg-ca
baseurl=http://linuxsoft.cern.ch/LCG-CAs/current
enabled=1
protect=1
EOF

# yum clean all
# yum update
# yum install lcg-CA

Host Certificates

Before starting GSI-OpenSSH, make sure you get a valid certificate from your CA for your host. A valid certificate consists of two small files: hostcert.pem and hostkey.pem. Place those files in the /etc/grid-security directory and change their permissions as follows:

# chmod 400 hostkey.pem
# chmod 644 hostcert.pem

Configure and start GSI-OpenSSH server

Set the port to listen on

$ vim /opt/globus/etc/ssh/sshd_config

Uncomment/change the following parameters:

Port 20001
ListenAddress 0.0.0.0

Authorizing users

Any users that you want to authorize to connect to your system using GSI need to be listed in your /etc/grid-security/grid-mapfile. Each line in this file represents a mapping between a Grid identity (DN) and a local account.

Example:

"/O=GRID-FR/C=RO/O=UPB/OU=CSE/CN=Adrian Muraru" amuraru

If you want to use a different grid-mapfile for your SSH server, for better control over the list of users authorized to connect to your host, set the GRIDMAP environment variable in the /opt/globus/SXXsshd script.
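A check you can run on a grid-mapfile before starting the server, as an added example that is not part of the original page or of Globus: it parses the mapping lines described above and reports entries that grant more than intended. The strict quoted-DN form, the PRIVILEGED policy set, and every sample line except the first are assumptions made for this example.

```python
import os
import re
import stat

# Local accounts a Grid identity should not map to (policy assumed for this example).
PRIVILEGED = {"root"}
# Strict form used on this page: a double-quoted DN, whitespace, then account(s).
LINE_RE = re.compile(r'"([^"]+)"\s+(\S+)')

def audit_gridmap(text):
    """Parse grid-mapfile text; return (mappings, findings).

    mappings: {DN: [local accounts]}; findings: [(line number, message)].
    """
    mappings, findings = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.fullmatch(line)
        if not m:
            # Typical cause: a DN containing spaces that was left unquoted.
            findings.append((n, 'malformed: expected "<DN>" <account>'))
            continue
        dn, accounts = m.group(1), m.group(2).split(",")
        if not dn.startswith("/"):
            findings.append((n, "DN does not start with '/'"))
        if dn in mappings:
            findings.append((n, "duplicate DN"))
        for acct in accounts:
            if acct in PRIVILEGED:
                findings.append((n, f"DN mapped to privileged account {acct}"))
        mappings.setdefault(dn, []).extend(accounts)
    return mappings, findings

def writable_by_others(path):
    """True if group or world can modify the file, i.e. edit who is authorized."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

# Constructed sample: line 1 is the page's example, the rest are made up.
SAMPLE = '''"/O=GRID-FR/C=RO/O=UPB/OU=CSE/CN=Adrian Muraru" amuraru
# constructed entries below
"/O=Example/CN=Test Operator" root
/O=Example/CN=Unquoted Name worker01
"/O=GRID-FR/C=RO/O=UPB/OU=CSE/CN=Adrian Muraru" diane
'''

if __name__ == "__main__":
    for n, msg in audit_gridmap(SAMPLE)[1]:
        print(f"line {n}: {msg}")
```

Run writable_by_others against the file that GRIDMAP points to as well, since anyone who can edit that file can add their own DN.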

Start the server

# /opt/globus/SXXsshd start

Test

References

-- AdrianMuraru - 02 Aug 2007

Topic revision: r3 - 2007-08-03 - AdrianMuraru