National Center for Supercomputing Applications MyProxy Credential Management Service University of Illinois at Urbana-Champaign

[Valid HTML 4.01]
[Valid CSS]
[Valid Atom 1.0]

(OSI Certified)

Authenticating to MyProxy from Pubcookie

Pubcookie uses authentication plugins called verifiers that can authenticate against external services such as LDAP and Kerberos. The most general of the verifiers, "fork", simply passes the username and password to an external process and bases its authentication decision on the exit value. An exit value of zero passes, and a non-zero exit value fails authentication.

Here are instructions for configuring a MyProxy verifier -- that is, a simple script that calls out to myproxy-logon for authentication -- from within Pubcookie.

Pubcookie Configuration

To configure Pubcookie, first replace the basic_verifier line in Pubcookie's config file with this:

basic_verifier: verify_fork
verify_exe: /usr/local/pubcookie/myproxy_fork.pl

Be sure to change $MYPROXY_SERVER and $GLOBUS_LOCATION (assuming myproxy-logon is in $GLOBUS_LOCATION/bin). This script will be executed by Pubcookie's CGI script, and most environment variables will probably not be set in the CGI environment.

MyProxy Verifier Script

Then, install this Perl script somewhere that Pubcookie can execute it. In this example, it is installed at /usr/local/pubcookie/myproxy_fork.pl.

direct link to script

Operation: The username and password are passed via STDIN as null-terminated strings. The script parses them and passes them to myproxy-logon.

Debugging

Unfortunately, Pubcookie verify_fork scripts are not allowed to print to STDOUT or STDERR, which means that messages from myproxy-logon will not be visible under the setup described above. Instead, to debug, you can redirect STDOUT and STDERR to files instead of to /dev/null. In the script above, replace the line

$cmd .= " >/dev/null 2>&1";

with

$cmd .= " >/tmp/pubcookie_out 2>&1";

For example, here is what you would see with an invalid MyProxy passphrase:

ERROR from server: PAM authentication failed: Permission denied
Failed to receive a proxy.

And here is a successful login:

A proxy has been received for user <username> in /tmp/x509up_u500

Last modified 04/26/06.
©2000-2017 Board of Trustees of the University of Illinois.