National Center for Supercomputing Applications MyProxy Credential Management Service University of Illinois at Urbana-Champaign


SSO Hub with MEG PAM Module and OpenSSH

This page describes the steps involved in setting up a Single Sign-On hub that allows users to log in using standard, non-GSI ssh clients. Once logged in, users have access to gsissh to connect to Grid resources. Users connect to the Single Sign-On hub using their MyProxy username and password. As part of authenticating the user with the MyProxy server, sshd automatically obtains a credential from the MyProxy server and places it in the standard location, so that users can then use gsissh to seamlessly access Grid resources using GSI authentication. User authentication with the MyProxy server and downloading of the credential are done by the MEG PAM module.



PAM-enabled OpenSSH server

MyProxy client


GSI-OpenSSH client

pam-devel RPM installed


The following documentation deals specifically with setting up MEG for the above-mentioned purposes. For setting up the other components mentioned above, please consult the relevant documentation for those components.

1. Download the latest version of MEG

2. Make and install the MEG PAM module and associated scripts.

  $ sudo make install64-pam

3. Set the value for the environment variable MYPROXY_SERVER_LIST in /etc/auth_myproxy_user.conf to the MyProxy servers to be used. For example:


4. Set the variable MYPROXY_GET to the location of myproxy-get-delegation in /etc/auth_myproxy_user.conf. For example:


5. Comment out all other settings, especially GLOBUS_LOCATION and GSISSH, in /etc/auth_myproxy_user.conf

6. Configure /etc/pam.d/sshd to use as in the below:

auth       required debug
auth       sufficient /usr/sbin/
auth       include      password-auth
account    required
account    include      password-auth
password   include      password-auth
# close should be the first session rule
session    required close
session    required skel=/etc/skel/ umask=0022
session    required
# open should only be followed by sessions to be executed in the user context
session    required open env_params
session    optional force revoke
session    include      password-auth


1. Now test the setup by logging into the machine using a standard ssh client, with a username and password that are acceptable to one of the MyProxy servers configured above. On successful authentication to one of the MyProxy servers, a credential is automatically obtained from the MyProxy server and placed in /tmp as /tmp/x509up_uUID, where UID is the UID of the user on this machine. Please note that the user's account must already exist on this machine for the user to be logged in.

2. Once logged into this hub, grid resources can be accessed using the above mentioned credential. For example:

   $ gsissh
should succeed using GSI authentication.
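
A post-login check for the credential file described in step 1, as an added example that is not part of the MEG documentation or code: it verifies that /tmp/x509up_u<UID> is a regular, non-empty file owned by the expected UID with owner-only permissions. The function names, the `--self` switch and the accepted modes (600 or 400) are assumptions of this example.

```shell
# Added example (not MEG's own code). Assumes GNU/busybox `stat -c` and that the
# credential must be a regular, non-empty, owner-only file (mode 600 or 400).

# Path convention stated on this page: /tmp/x509up_u<UID>
proxy_path_for_uid() {
    printf '/tmp/x509up_u%s\n' "$1"
}

# check_proxy_cred PATH EXPECTED_UID
# Prints one verdict line; returns 0 only when every check passes.
check_proxy_cred() {
    cpc_path=$1
    cpc_uid=$2

    # /tmp is world-writable: a symlink here may point at someone else's file.
    if [ -L "$cpc_path" ]; then
        echo "FAIL: $cpc_path is a symlink"; return 1
    fi
    if [ ! -f "$cpc_path" ] || [ ! -s "$cpc_path" ]; then
        echo "FAIL: $cpc_path is missing, empty or not a regular file"; return 1
    fi

    cpc_owner=$(stat -c '%u' "$cpc_path") || return 1
    cpc_mode=$(stat -c '%a' "$cpc_path") || return 1

    if [ "$cpc_owner" != "$cpc_uid" ]; then
        echo "FAIL: $cpc_path is owned by uid $cpc_owner, expected $cpc_uid"; return 1
    fi

    # The file carries an unencrypted private key, so group/other get nothing.
    case $cpc_mode in
        600|400) ;;
        *) echo "FAIL: $cpc_path has mode $cpc_mode, expected 600"; return 1 ;;
    esac

    echo "OK: $cpc_path (uid $cpc_owner, mode $cpc_mode)"
}

# Run as: sh check_proxy.sh --self   (hypothetical file name)
if [ "${1:-}" = "--self" ]; then
    check_proxy_cred "$(proxy_path_for_uid "$(id -u)")" "$(id -u)"
fi
```

A FAIL on ownership or mode right after a password login points at the PAM configuration or the umask in effect when the credential was written.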


The MEG project

Last modified 12/11/14.
©2000-2019 Board of Trustees of the University of Illinois.