What follows are instructions for using MyProxy and GSISSH for single sign-on to TeraGrid systems from a Unix/Linux/OSX system. Windows users should try GSI-SSHTerm instead. The TeraGrid MyProxy server is configured to allow all TeraGrid users to obtain PKI credentials using their TeraGrid Portal username and password. This is an example of how the MyProxy CA can be integrated with an existing authentication service (in this case, the TERAGRID.ORG Kerberos domain) for PKI credential issuance.

Install MyProxy and GSISSH

First, check to see if you already have myproxy-logon and gsissh installed.
$ which myproxy-logon gsissh
If the above command returns output, like this:
$ which myproxy-logon gsissh
/usr/local/globus/bin/myproxy-logon
/usr/local/globus/bin/gsissh
then you can proceed to the next step. Otherwise, you need to install the needed commands as follows. First, download and unpack a Globus Toolkit installer for your system from http://www.globus.org/toolkit/downloads/. Use a binary installer if one is available. Otherwise, a source installer is required.
$ tar xzf gt4*-installer.tar.gz
Warnings from configure about Ant and Java can be ignored, as they
won't be needed for installing MyProxy and GSISSH.
Then, install MyProxy and GSISSH.
$ cd gt4*-installer
$ ./configure --prefix=$HOME/globus
$ make gsi-myproxy gsi-openssh
$ make install
If you're not sure if you have a C or Bourne shell, just try both
options and see which one works without errors.
Finally, set your environment. For C shells, do the following:
$ setenv GLOBUS_LOCATION $HOME/globus
$ source $GLOBUS_LOCATION/etc/globus-user-env.csh
For Bourne shells, do the following:
$ GLOBUS_LOCATION=$HOME/globus
$ export GLOBUS_LOCATION
$ . $GLOBUS_LOCATION/etc/globus-user-env.sh
Add these environment setting commands to your .cshrc, .login, .bashrc, or .profile file in your home directory so you don't need to run them again later.

Obtain your certificate from MyProxy

If you have previously run myproxy-init to store a credential
on the myproxy.teragrid.org server
then myproxy-logon will use your stored credential,
and you will need to enter your previously-chosen myproxy-init
passphrase at the myproxy-logon prompt instead of your TeraGrid Portal
password.
Now you should be ready to obtain your certificate from the TeraGrid MyProxy server by running the command below. You'll need to do this each day, as the certificate is only valid for 12 hours. This command will also update your environment with additional CA certificates and certificate revocation lists for TeraGrid. (Remove the -T option if you don't want the CA files updated.) Enter your TeraGrid Portal username in place of username, and enter your TeraGrid Portal password when prompted for your MyProxy pass phrase.
$ myproxy-logon -T -l username -s myproxy.teragrid.org
Enter MyProxy pass phrase:
A credential has been received for user username in /tmp/x509up_u25555.
Trust roots have been installed in /home/username/.globus/certificates/.

Login via GSISSH

Now you can log in to any TeraGrid system where you have an account using the gsissh command.
$ gsissh login-hg.ncsa.teragrid.org
You can also copy files to/from TeraGrid systems using gsiscp and gsisftp.
$ gsiscp ~/filename login-hg.ncsa.teragrid.org:~/filename
$ gsiscp login-hg.ncsa.teragrid.org:~/filename ~/filename
$ gsisftp login-hg.ncsa.teragrid.org

Troubleshooting

TeraGrid users can find additional information at http://www.teragrid.org/userinfo/. You can also consult the MyProxy Troubleshooting and GSISSH Troubleshooting pages.

The myproxy-logon -T command will keep your certificate revocation list files up-to-date for increased security. If you switch to some other method of managing your certificates, these files may become out-of-date, causing authentication problems. If this occurs, you can remove them with the following command.
$ rm -f ~/.globus/certificates/*.r*
If the myproxy-logon command fails with a "GSS" error, there may be a problem with your existing credentials. Try again after removing your existing proxy credential with the following command.
$ grid-proxy-destroy
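
As an added example (not part of the original page or of the MyProxy/Globus distribution), the shell function below checks the credential file that myproxy-logon writes before you rely on it for gsissh: it must exist, be a regular file owned by you with mode 600 or 400, and have enough of its 12-hour lifetime left. It assumes openssl is installed; the function name check_proxy and its return codes are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original page. Assumptions: openssl is
# installed, and the proxy is at $X509_USER_PROXY or the default
# /tmp/x509up_u<uid> location shown in the myproxy-logon output.

# check_proxy [FILE] [MIN_SECONDS]   (hypothetical helper)
# Returns 0 = usable, 1 = missing, 2 = unsafe owner or permissions,
#         3 = unreadable, or expiring within MIN_SECONDS.
check_proxy() {
    proxy=${1:-${X509_USER_PROXY:-/tmp/x509up_u$(id -u)}}
    min_left=${2:-3600}

    if [ ! -f "$proxy" ]; then
        echo "no proxy credential at $proxy; run myproxy-logon" >&2
        return 1
    fi

    # The file holds an unencrypted private key and sits in world-writable
    # /tmp, so refuse symlinks, foreign owners and group/other access bits.
    if [ -L "$proxy" ] || [ ! -O "$proxy" ]; then
        echo "$proxy is a symlink or is not owned by you" >&2
        return 2
    fi
    # GNU stat takes -c, BSD/OSX stat takes -f.
    mode=$(stat -c %a "$proxy" 2>/dev/null || stat -f %Lp "$proxy")
    case $mode in
        600|400) ;;
        *) echo "$proxy has mode $mode, expected 600" >&2
           return 2 ;;
    esac

    # -checkend exits non-zero if the first certificate in the file (the
    # one issued to you) expires within the given number of seconds.
    if ! openssl x509 -in "$proxy" -noout -checkend "$min_left" >/dev/null 2>&1
    then
        echo "credential in $proxy is unreadable or expires within ${min_left}s" >&2
        return 3
    fi
    return 0
}
```

After defining the function, `check_proxy && gsissh login-hg.ncsa.teragrid.org` connects only when the credential passes; a return code of 1 or 3 means it is time to run myproxy-logon again.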
Last modified 06/24/09.