University of Illinois at Urbana-Champaign National Center for Supercomputing Applications

Installing GSI-Enabled OpenSSH

The latest version of GSI-OpenSSH is included in version 4.0 of the Globus Toolkit (GT) and is most easily installed as part of a Globus Toolkit 4.0 installation. We recommend proceeding to the Globus Toolkit Home Page for Globus Toolkit installation instructions and downloads. The GT 4.0 GSI-OpenSSH System Administrator's Guide includes GSI-OpenSSH installation instructions, including instructions for building and installing only GSI-OpenSSH from the GT software distribution.

This page provides instructions for adding or upgrading GSI-OpenSSH for existing Globus Toolkit installations. A GSI patch for OpenSSH (recommended for experts only) is also available.

  1. Install a Clock Synchronization Service
  2. Download the GSI-OpenSSH Bundle
  3. Select a Set of Build-Time Configure Options (optional)
  4. Build GSI-OpenSSH
  5. Test the GSI-OpenSSH Server (optional)
  6. Install the GSI-OpenSSH Server (optional)

We recommend at least skimming this entire document before beginning the installation and setup procedure. Some steps become evident only afterwards during system configuration.

Step 1: Install a Clock Synchronization Service

GSI authentication is very sensitive to clock skew. You must run a system clock synchronization service of some type on your system to prevent authentication problems caused by incorrect system clocks. We recommend NTP. Please refer to your operating system documentation or the NTP Home Page for installation instructions. Please also ensure your system timezone is set correctly.

Step 2: Download the GSI-OpenSSH Bundle

Download the bundle from the download page. Please note the compatibility statements on the download page.

Step 3: Select a Set of Build-Time Configure Options (optional)

You can optionally pass build-time configure options to the GSI-OpenSSH package by setting the macro GSI_OPENSSH_GPTMACRO during the build phase in Step 4. No options are typically needed for client-only installations, but options are often needed for full server functionality. The options accepted by the GSI-OpenSSH package, which include all standard OpenSSH configure options, are documented here. The following table lists suggested options for different platforms.

Platform   Configuration
Linux      --with-pam --with-md5-passwords --with-tcp-wrappers
Solaris    --with-pam --with-md5-passwords --with-tcp-wrappers
Irix       --with-tcp-wrappers
AIX        --with-tcp-wrappers

If you have an already configured and installed system-wide SSHD and you would like your build of GSI-OpenSSH to behave similarly, investigate the configure options available in GSI-OpenSSH and select those options that would add the functionality that your current SSHD possesses. Be aware that since GSI-OpenSSH is based on OpenSSH, the standard set of functionality is turned on by default.

The GPT package sets the following options regardless of user intervention:

--prefix
--sysconfdir
--with-globus
--with-globus-flavor
--with-ssl-dir

Do not attempt to override these options.

The rest of this document refers to the string of options you have chosen as <configure_options>.

Step 4: Build GSI-OpenSSH

  1. Set the GLOBUS_LOCATION environment variable (if you haven't already) to the directory where you installed the Globus Toolkit, and set the GPT_LOCATION environment variable to the location of your GPT installation (typically the same as GLOBUS_LOCATION).

    Following the instructions below will install GSI-OpenSSH to $GLOBUS_LOCATION. $GLOBUS_LOCATION must be set appropriately before using any of the tools that come in the GSI-OpenSSH bundle.
  2. Choose a Globus flavor for your GSI-OpenSSH installation that matches your installed Globus Toolkit libraries. The following command will show the flavors you have installed:

    sh$ $GPT_LOCATION/sbin/gpt-query globus_gssapi_gsi

    For example:

    sh$ $GPT_LOCATION/sbin/gpt-query globus_gssapi_gsi
    4 packages were found in /usr/local/globus that matched your query:

    packages found that matched your query
    globus_gssapi_gsi-gcc32dbg-dev ver: 3.13 cmp id: 3.13.0
    globus_gssapi_gsi-gcc32dbg-rtl ver: 3.13 cmp id: 3.13.0
    globus_gssapi_gsi-gcc32dbgpthr-dev ver: 3.13 cmp id: 3.13.0
    globus_gssapi_gsi-gcc32dbgpthr-rtl ver: 3.13 cmp id: 3.13.0

    Find a flavor for which both "dev" and "rtl" packages are available. In this example, the gcc32dbg and gcc32dbgpthr flavors are available. We recommend using a flavor not containing "thr", so in this example the gcc32dbg flavor should be used. You only need to build one flavor of the gsi_openssh bundle.

  3. Build the bundle with GPT's build command, using your chosen flavor name and configure options.

    sh$ $GPT_LOCATION/sbin/gpt-build -verbose <source_bundle_name>.tar.gz <flavor_name> GSI_OPENSSH_GPTMACRO="<configure_options>"
    Setting GSI_OPENSSH_GPTMACRO is optional. It is typically not required for client-only installations, but may be required for server installations to enable password authentication or local OpenSSH options at your site. See step 3 above for more details. If you do set GSI_OPENSSH_GPTMACRO, be sure to put the <configure_options> inside quotation marks.
  4. (optional) To install the standard SSH commands (ssh, scp, sftp), in addition to gsissh, gsiscp, and gsisftp, build the compatibility package.

    sh$ $GPT_LOCATION/sbin/gpt-build -verbose gsi_openssh_compat-<version>-src.tar.gz
    The compatibility package is required for server installations that do not have /usr/bin/scp installed because SSH requires an scp installation on the server-side.
  5. Run any post-install setup scripts that require execution.

    sh# $GPT_LOCATION/sbin/gpt-postinstall
  6. Use GPT's verify command to verify that all of the files were installed properly.

    sh# $GPT_LOCATION/sbin/gpt-verify
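
The flavor selection described in step 2 above can be scripted. The following is an added example, not part of the GSI-OpenSSH or GPT distribution; the names pick_flavor and SAMPLE_QUERY_OUTPUT are hypothetical, and the parsing assumes gpt-query output in the format shown in step 2.

```shell
#!/bin/sh
# Added example: not part of the GSI-OpenSSH or GPT distribution.
# pick_flavor reads `gpt-query globus_gssapi_gsi` output on stdin and prints
# one flavor that has both a -dev and an -rtl package, preferring a name
# without "thr". It returns 1 and prints nothing when no flavor is complete.
pick_flavor() {
    awk '
        # Package lines look like: globus_gssapi_gsi-<flavor>-<dev|rtl> ver: ...
        $1 ~ /^globus_gssapi_gsi-.+-(dev|rtl)$/ {
            pkg = $1
            sub(/^globus_gssapi_gsi-/, "", pkg)
            kind   = substr(pkg, length(pkg) - 2)        # "dev" or "rtl"
            flavor = substr(pkg, 1, length(pkg) - 4)     # strip "-dev"/"-rtl"
            seen[flavor, kind] = 1
            if (!(flavor in idx)) { idx[flavor] = ++count; name[count] = flavor }
        }
        END {
            best = ""
            for (i = 1; i <= count; i++) {
                f = name[i]
                if (!(((f, "dev") in seen) && ((f, "rtl") in seen))) continue
                if (f !~ /thr/) { best = f; break }      # non-threaded wins
                if (best == "") best = f                 # threaded fallback
            }
            if (best == "") exit 1
            print best
        }
    '
}

# Sample input: the example gpt-query output shown in step 2 above.
SAMPLE_QUERY_OUTPUT='4 packages were found in /usr/local/globus that matched your query:

packages found that matched your query
globus_gssapi_gsi-gcc32dbg-dev ver: 3.13 cmp id: 3.13.0
globus_gssapi_gsi-gcc32dbg-rtl ver: 3.13 cmp id: 3.13.0
globus_gssapi_gsi-gcc32dbgpthr-dev ver: 3.13 cmp id: 3.13.0
globus_gssapi_gsi-gcc32dbgpthr-rtl ver: 3.13 cmp id: 3.13.0'

# On a real system: $GPT_LOCATION/sbin/gpt-query globus_gssapi_gsi | pick_flavor
printf '%s\n' "$SAMPLE_QUERY_OUTPUT" | pick_flavor
```

Pass the printed flavor as <flavor_name> to gpt-build in step 3.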

Step 5: Test the GSI-OpenSSH Server (optional)

  1. Edit the file $GLOBUS_LOCATION/sbin/SXXsshd so that the GSI-Enabled OpenSSH server starts up on an alternate port.
    As a regular user, you will typically have to select a port above 1024 on most systems. Add the flags '-p <port number>' within the SSHD_ARGS variable initialization section.
  2. Run the command
    sh# $GLOBUS_LOCATION/sbin/SXXsshd start
    and verify that the server is running by checking that it both shows up in a process listing and creates a file named $GLOBUS_LOCATION/var/sshd.pid.
  3. From a remote machine attempt to connect to the local server on the modified test port using the standard SSH authentication methods plus authenticating via your GSI credentials.
    This may require you to authorize these users via an appropriate entry in the grid-mapfile as described in the Globus grid-mapfile manual.
  4. Should your connection attempts prove that further configuration and testing is required to successfully complete installation of the SSH server, consult the GSI-Enabled OpenSSH Administrator's Guide for troubleshooting information.
  5. Stop the SSH server by running the command
    sh# $GLOBUS_LOCATION/sbin/SXXsshd stop
    and reverse any changes you made to the port on which the server listens at startup. After this step, running SXXsshd start should start the server on the default port (22).

Step 6: Install the GSI-OpenSSH Server (optional)

  1. To install the GSI-Enabled OpenSSH Server on most systems, you must be a privileged user, such as root.

    sh$ /bin/su - root
    If your system functions like this and you attempt to run these commands as a user other than root, these commands should fail.
  2. (optional) Start a copy of your system's currently running SSH server on an alternate port by running, e.g.,
    sh# /usr/sbin/sshd -p 2000 &

    You may then choose to log in to this server and continue the rest of these steps from that shell. We recommend doing this since some sshd shutdown scripts do particularly nasty things like killing all of the running SSH servers on a system, not just the parent server that may be listening on port 22.

    Roughly translated, this step is about guaranteeing that an alternate method of access is available should the main SSH server be shut down and your connection via that server be terminated.

  3. Locate your server's startup/shutdown script directory. On some systems this directory may be located at /etc/rc.d/init.d, but since this location is not constant across operating systems, for the purposes of this document we will refer to this directory as INITDIR. Consult your operating system's documentation for your system's location.
  4. Run the following command
    sh# mv $INITDIR/sshd $INITDIR/sshd.bak
  5. Either copy or link the new sshd script to your system's startup/shutdown script directory.
    sh# cp $GLOBUS_LOCATION/sbin/SXXsshd $INITDIR/sshd
  6. Shut down the currently running main SSH server.
    sh# $INITDIR/sshd.bak stop
  7. Provided you still have a connection to the machine, start the new SSH server.
    sh# $INITDIR/sshd start
  8. Test the new server by connecting to the standard SSH port (22) and authenticating via multiple methods. Especially test that GSI authentication works correctly.
  9. If you are performing a new install, or if the old server was not configured to be started at run-time and shut down automatically at system halt or reboot, either use a system utility such as RedHat's chkconfig to configure the system for the correct run-levels, or manually link up the correct run-levels.
    sh# /sbin/chkconfig sshd reset
    The recommended run-levels are listed in a set of comments within the SXXsshd startup script. For example, on standard Unix systems we recommend running the GSI-Enabled OpenSSH server in run-levels two, three, four, and five.
  10. Finally, if, as a precautionary measure, you started an SSH server on an alternate port in order to complete the install process, you can now safely stop all instances of that server.

Your system should be up and running with the new version of GSI-Enabled OpenSSH! At this point, the information contained in the GSI-Enabled OpenSSH User's Guide and the GSI-Enabled OpenSSH Administrator's Guide will be of interest to you.

©2003-2009 Board of Trustees of the University of Illinois.