SSO Hub with MEG PAM Module and OpenSSH
This describes the steps involved in setting up a Single Sign-On hub that will allow users to log in using standard, non-GSI ssh clients. Once logged in, users will have access to gsissh to connect to Grid resources. Users will be able to connect to the Single Sign-On hub using their MyProxy username and password. As part of authenticating the user with the MyProxy server, sshd will automatically obtain a credential from the MyProxy server and place it in the standard location, so that users can then use gsissh to seamlessly access Grid resources using GSI authentication. User authentication with the MyProxy server and downloading of the credential is done by the MEG PAM module.
Prerequisites:
PAM-enabled OpenSSH server
pam-devel RPM installed
The following documentation specifically deals with setting up MEG for the above mentioned purposes. For setting up the other components mentioned above, please consult the relevant documentation for those components.
1. Download the latest version of MEG
2. Make and install the MEG PAM module and associated scripts.
$ sudo make install64-pam
3. Set the value for the environment variable MYPROXY_SERVER_LIST in /etc/auth_myproxy_user.conf to the MyProxy servers to be used. For example:
4. Set the variable MYPROXY_GET to the location of myproxy-get-delegation in /etc/auth_myproxy_user.conf. For example:
5. Comment out all other settings, especially GLOBUS_LOCATION and GSISSH, in /etc/auth_myproxy_user.conf
6. Configure /etc/pam.d/sshd to use pam_remapuser.so as in the below:
#%PAM-1.0
auth       required     pam_sepermit.so debug
auth       sufficient   pam_remapuser.so /usr/sbin/auth_myproxy_user.sh
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
1. Now test the setup by logging into the machine using a standard ssh client, with a username and password that are acceptable to one of the MyProxy servers configured above. On successful authentication to one of the MyProxy servers, a credential is automatically obtained from the MyProxy server and placed in /tmp as /tmp/x509up_uUID, where UID is the UID of the user on this machine. Please note that the user's account must already exist on this machine for the user to be logged in.
2. Once logged into this hub, grid resources can be accessed using the above mentioned credential. For example:
$ gsissh grid.example.com
This should succeed using GSI authentication.
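The following is an added audit script, not part of MEG or the instructions above. It checks the two things on this hub that most deserve a second look: that the helper script named on the pam_remapuser.so line (which sshd runs as root during authentication) is root-owned and not group/world-writable, and that the credential MEG drops at /tmp/x509up_uUID is private to the user (mode 0600), as GSI tools expect. It assumes the "auth sufficient pam_remapuser.so <script>" form shown above and reads file modes with `ls -ld`; the function names are the script's own.

```shell
#!/bin/sh
# Added example (not MEG code): audit the sshd PAM stack and the MyProxy
# credential location on an SSO hub configured as described above.

# Print the helper script path handed to pam_remapuser.so in a PAM config.
# Exit status 1 if no "auth sufficient pam_remapuser.so ..." line exists.
pam_remapuser_script() {
    awk '$1 == "auth" && $2 == "sufficient" && $3 == "pam_remapuser.so" {
             print $4; found = 1 }
         END { exit !found }' "$1"
}

# Accept an ls-style mode string and owner only if the file is root-owned
# and neither group- nor world-writable (char 6 / char 9 of the mode).
helper_mode_ok() {
    mode=$1; owner=$2
    [ "$owner" = "root" ] || return 1
    case "$mode" in
        ?????w*|????????w*) return 1 ;;
    esac
    return 0
}

# Credential path MEG uses for a given numeric UID (see step 1 above).
proxy_path_for_uid() { printf '/tmp/x509up_u%s\n' "$1"; }

# The proxy must be readable and writable by its owner only (mode 0600).
proxy_mode_ok() { [ "$1" = "-rw-------" ]; }

# Run both checks on a live hub: audit_hub /etc/pam.d/sshd "$(id -u)"
audit_hub() {
    pamfile=$1; uid=$2
    script=$(pam_remapuser_script "$pamfile") ||
        { echo "pam_remapuser.so is not 'auth sufficient' in $pamfile"; return 1; }
    [ -e "$script" ] || { echo "helper $script does not exist"; return 1; }
    set -- $(ls -ld "$script")
    helper_mode_ok "$1" "$3" ||
        { echo "helper $script must be root-owned and not group/world-writable"; return 1; }
    proxy=$(proxy_path_for_uid "$uid")
    [ -f "$proxy" ] || { echo "no credential at $proxy (log in via ssh first)"; return 1; }
    set -- $(ls -ld "$proxy")
    proxy_mode_ok "$1" || { echo "$proxy is not mode 0600"; return 1; }
    echo "OK: $script is root-owned and $proxy is private to UID $uid"
}
```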
The MEG project