National Center for Supercomputing Applications MyProxy Credential Management Service University of Illinois at Urbana-Champaign


SSO Hub with MEG PAM Module and OpenSSH

This describes the steps involved in setting up a Single Sign-On hub that allows users to log in using standard, non-GSI ssh clients. Once logged in, users have access to gsissh to connect to Grid resources. Users connect to the Single Sign-On hub using their MyProxy username and password. As part of authenticating the user with the MyProxy server, sshd automatically obtains a credential from the MyProxy server and places it in the standard location, so that users can then use gsissh to seamlessly access Grid resources using GSI authentication. User authentication with the MyProxy server and downloading of the credential are done by the MEG PAM module.

Setup

Prerequisites

PAM-enabled OpenSSH server

MyProxy client

MEG

GSI-OpenSSH client

pam-devel RPM installed

Steps

The following documentation specifically deals with setting up MEG for the above mentioned purposes. For setting up the other components mentioned above, please consult the relevant documentation for those components.

1. Download the latest version of MEG

2. Make and install the MEG PAM module and associated scripts.

  $ sudo make install64-pam

3. Set the value for the environment variable MYPROXY_SERVER_LIST in /etc/auth_myproxy_user.conf to the MyProxy servers to be used. For example:

   MYPROXY_SERVER_LIST="myproxy.teragrid.org myproxy.psc.teragrid.org"

4. Set the variable MYPROXY_GET to the location of myproxy-get-delegation in /etc/auth_myproxy_user.conf. For example:

   MYPROXY_GET=/usr/bin/myproxy-get-delegation

5. Comment out all other settings, especially GLOBUS_LOCATION and GSISSH, in /etc/auth_myproxy_user.conf.

6. Configure /etc/pam.d/sshd to use pam_remapuser.so as shown below:

#%PAM-1.0
auth       required     pam_sepermit.so debug
auth       sufficient   pam_remapuser.so /usr/sbin/auth_myproxy_user.sh
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
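Before restarting sshd it is worth checking that steps 3 through 6 were applied as intended, since a misordered PAM stack silently falls back to local password authentication and a stale GLOBUS_LOCATION or GSISSH line changes what the MEG script does. The script below is an added example, not part of MEG or the MyProxy distribution. It takes the paths of auth_myproxy_user.conf and pam.d/sshd as arguments so it can be run against staged copies; the files it creates under SAMPLE_DIR are constructed for the demonstration, and the myproxy-get-delegation it writes there is an empty stub standing in for the real client.

```shell
#!/bin/sh
# Added example, not part of MEG or MyProxy: sanity-check the two files
# edited in steps 3-6 before restarting sshd. Both paths are arguments so the
# checks can be run against staged copies; everything under SAMPLE_DIR below
# is constructed for the demonstration (the myproxy-get-delegation there is
# an empty stub, not the real client).

# Print the value of an uncommented NAME=VALUE line, with surrounding
# double quotes stripped; the last assignment wins, as it would when sourced.
conf_value() {  # $1 = conf file, $2 = variable name
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Step 3: at least one MyProxy server must be listed.
check_server_list() {
    servers=$(conf_value "$1" MYPROXY_SERVER_LIST)
    [ -n "$servers" ] || { echo "FAIL: MYPROXY_SERVER_LIST not set in $1"; return 1; }
}

# Step 4: MYPROXY_GET must point at an executable myproxy-get-delegation.
check_myproxy_get() {
    bin=$(conf_value "$1" MYPROXY_GET)
    [ -n "$bin" ] || { echo "FAIL: MYPROXY_GET not set in $1"; return 1; }
    [ -x "$bin" ] || { echo "FAIL: MYPROXY_GET=$bin is not executable"; return 1; }
}

# Step 5: GLOBUS_LOCATION and GSISSH must be commented out or absent.
check_no_stale_settings() {
    if grep -Eq '^[[:space:]]*(GLOBUS_LOCATION|GSISSH)=' "$1"; then
        echo "FAIL: active GLOBUS_LOCATION or GSISSH setting in $1"
        return 1
    fi
}

# Step 6: pam_remapuser.so must be a 'sufficient' auth rule running the MEG
# script, placed before 'auth include password-auth' so MyProxy is tried
# first and the local password stack is only the fallback.
check_pam_sshd() {
    remap=$(grep -n '^auth[[:space:]]*sufficient[[:space:]]*pam_remapuser\.so[[:space:]]*/usr/sbin/auth_myproxy_user\.sh' "$1" | head -n 1 | cut -d: -f1)
    fallback=$(grep -n '^auth[[:space:]]*include[[:space:]]*password-auth' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$remap" ] || { echo "FAIL: no pam_remapuser.so auth rule in $1"; return 1; }
    [ -n "$fallback" ] || { echo "FAIL: no 'auth include password-auth' rule in $1"; return 1; }
    [ "$remap" -lt "$fallback" ] || { echo "FAIL: pam_remapuser.so rule must precede the password-auth include in $1"; return 1; }
}

check_all() {  # $1 = auth_myproxy_user.conf, $2 = pam.d/sshd
    check_server_list "$1" && check_myproxy_get "$1" &&
        check_no_stale_settings "$1" && check_pam_sshd "$2"
}

# --- constructed sample files ---
SAMPLE_DIR=$(mktemp -d)
printf '#!/bin/sh\n' > "$SAMPLE_DIR/myproxy-get-delegation"   # stub, not the real client
chmod 755 "$SAMPLE_DIR/myproxy-get-delegation"

cat > "$SAMPLE_DIR/good.conf" <<EOF
MYPROXY_SERVER_LIST="myproxy.teragrid.org myproxy.psc.teragrid.org"
MYPROXY_GET=$SAMPLE_DIR/myproxy-get-delegation
#GLOBUS_LOCATION=/placeholder/globus
#GSISSH=/placeholder/globus/bin/gsissh
EOF

# Same file with step 5 skipped: GLOBUS_LOCATION left active.
sed 's/^#GLOBUS_LOCATION/GLOBUS_LOCATION/' "$SAMPLE_DIR/good.conf" > "$SAMPLE_DIR/bad.conf"

cat > "$SAMPLE_DIR/good.pam" <<'EOF'
#%PAM-1.0
auth       required     pam_sepermit.so debug
auth       sufficient   pam_remapuser.so /usr/sbin/auth_myproxy_user.sh
auth       include      password-auth
account    required     pam_nologin.so
EOF

# Same stack with the two auth rules swapped: password-auth would run first.
cat > "$SAMPLE_DIR/bad.pam" <<'EOF'
#%PAM-1.0
auth       required     pam_sepermit.so debug
auth       include      password-auth
auth       sufficient   pam_remapuser.so /usr/sbin/auth_myproxy_user.sh
account    required     pam_nologin.so
EOF

for pair in "good.conf good.pam" "bad.conf good.pam" "good.conf bad.pam"; do
    set -- $pair
    if check_all "$SAMPLE_DIR/$1" "$SAMPLE_DIR/$2"; then
        echo "OK: $1 + $2"
    else
        echo "    ($1 + $2 rejected)"
    fi
done
```

On a real hub, replace the sample paths with `/etc/auth_myproxy_user.conf` and `/etc/pam.d/sshd` (for example `check_all /etc/auth_myproxy_user.conf /etc/pam.d/sshd`). The ordering check matters most: because pam_remapuser.so is `sufficient`, it only short-circuits the stack when it comes first; placed after the `password-auth` include it would still run, but only after the local password modules had already been consulted.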

Testing

1. Now test the setup by logging into the machine using a standard ssh client, with a username and password that are acceptable to one of the MyProxy servers configured above. On successful authentication to one of the MyProxy servers, a credential is automatically obtained from the MyProxy server and placed in /tmp as /tmp/x509up_uUID, where UID is the UID of the user on this machine. Please note that the user's account must already exist on this machine for the user to be logged in.

2. Once logged into this hub, grid resources can be accessed using the above mentioned credential. For example:

   $ gsissh grid.example.com

should succeed using GSI authentication.
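If gsissh fails after an apparently successful login, the first thing to establish is whether the credential actually landed at /tmp/x509up_uUID and is usable by the logged-in user. The script below is an added example, not part of MEG or MyProxy: it derives the expected path from the UID, confirms the file belongs to that user with mode 0600 (the permissions GSI libraries expect on a proxy file; treated here as an assumption rather than something the page states) and checks that it carries both a certificate and a private key. The dummy proxy it writes is constructed, with placeholder PEM bodies rather than a real certificate.

```shell
#!/bin/sh
# Added example, not from MEG or MyProxy: verify that the credential the PAM
# module fetched at login is where the setup expects it, belongs to the
# logged-in user and is not readable by anyone else. The 0600 requirement
# reflects what GSI tools expect of a proxy file (assumption); the sample
# proxy written below is constructed (placeholder PEM, not a real certificate).

# Path the MEG module uses: /tmp/x509up_u<UID> of the logged-in user.
proxy_path() {  # $1 = numeric UID (defaults to the caller's)
    printf '/tmp/x509up_u%s\n' "${1:-$(id -u)}"
}

check_proxy() {  # $1 = proxy file, $2 = expected owner (defaults to caller)
    f=$1; owner=${2:-$(id -un)}
    [ -f "$f" ] || { echo "FAIL: $f does not exist (MyProxy login may not have succeeded)"; return 1; }
    # POSIX find: -perm 0600 matches the mode exactly, -user matches the owner.
    [ -n "$(find "$f" -perm 0600 -user "$owner")" ] || {
        echo "FAIL: $f must be owned by $owner with mode 0600"; return 1; }
    # A proxy bundles a certificate chain with its private key.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || { echo "FAIL: no certificate in $f"; return 1; }
    grep -Eq -- '-----BEGIN (RSA )?PRIVATE KEY-----' "$f" || { echo "FAIL: no private key in $f"; return 1; }
    echo "OK: $f"
}

# --- constructed sample: a dummy proxy file with the expected layout ---
DEMO_PROXY=$(mktemp)
cat > "$DEMO_PROXY" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBplaceholder
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEplaceholder
-----END RSA PRIVATE KEY-----
EOF
chmod 600 "$DEMO_PROXY"

# The same file left world-readable, which the check must reject.
LOOSE_PROXY=$(mktemp)
cp "$DEMO_PROXY" "$LOOSE_PROXY"
chmod 644 "$LOOSE_PROXY"

echo "expected credential for this account: $(proxy_path)"
check_proxy "$DEMO_PROXY"
check_proxy "$LOOSE_PROXY" || true
```

On the hub itself, `check_proxy "$(proxy_path)"` run by the freshly logged-in user is the check to make before trying gsissh; a missing file points at the PAM stage (MyProxy authentication or the MEG script), while a present file with wrong ownership or permissions points at how the credential was written.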

Acknowledgement

The MEG project

Last modified 12/11/14.
©2000-2019 Board of Trustees of the University of Illinois.