Applying the GSI Patch to OpenSSH

The GSI patch for OpenSSH is provided for expert users only. If possible, please use the GPT bundle instead by following the instructions for installing the GSI-enabled OpenSSH bundle.

Patching the OpenSSH distribution

The first step to building the GSI-enabled OpenSSH is to get the OpenSSH software package itself. You can download it from here.

You must also have C GSI libraries installed on your system. The C GSI libraries are included in Globus Toolkit C releases, available from http://www.globus.org/toolkit/. Using the latest GSI libraries is strongly encouraged because older versions contain known bugs and security vulnerabilities. Check the Globus Toolkit advisories page for updates. You must install a Globus Toolkit source release. Globus Toolkit binary releases are missing important files needed by GSI-OpenSSH.

To apply the GSI patch to OpenSSH:

  1. Unpack the OpenSSH distribution.
  2. Download the latest GSI-OpenSSH patch from http://grid.ncsa.illinois.edu/ssh/dl/patch/ (named openssh-<version>.patch) and put it in the top directory of the OpenSSH distribution.
  3. Apply the patch by running the following command:
    sh$ patch -Np1 < openssh-<version>.patch

Some vendor versions of patch cannot handle this patch file and will prompt you for a filename to patch. In that case, either obtain a more robust patch program such as GNU patch, or apply the patch on a different vendor's machine (you can still build on the original system).

If you are patching a locally modified OpenSSH that has changes to the configure program (via changes to configure.in), patch will probably report many errors when it modifies configure. You can ignore these, but after applying the patch you will need to rerun autoconf (version 2.52 or later) to rebuild configure.
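
The dry-run check below is an added example, not part of the GSI-OpenSSH distribution: it applies the patch only when GNU patch is present and every rejected hunk is confined to configure, the one case described above as safe to ignore. The function names, return codes and the two-file demo tree are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the GSI-OpenSSH project.
# apply_gsi_patch SRC_DIR PATCH_FILE
#   0 = applied cleanly
#   2 = applied, but only the hunks for ./configure were rejected:
#       rerun autoconf (2.52 or later) in SRC_DIR before running configure
#   1 = nothing applied (no GNU patch, or another file would be rejected)
apply_gsi_patch() {
    src=$1 pfile=$2
    # Vendor patch programs may prompt for a filename; insist on GNU patch.
    patch --version 2>/dev/null | grep -q 'GNU patch' || {
        echo "GNU patch is required for this patch file" >&2; return 1; }
    # Dry run: list every file that has a failed or skipped hunk.
    failed=$(patch --dry-run -Np1 -d "$src" < "$pfile" 2>&1 | awk '
        /^checking file /    { f = $3; next }
        /find file to patch/ { print "?" }
        /FAILED|ignored/     { print f }' | sort -u)
    case $failed in
        ''|configure) ;;   # clean, or only the generated configure differs
        *) echo "not applied, rejects in:" $failed >&2; return 1 ;;
    esac
    rc=0
    patch -Np1 -d "$src" < "$pfile" >/dev/null 2>&1 || rc=$?
    # configure.rej stays behind as a record of the skipped hunks.
    [ "$failed" = configure ] && return 2
    [ "$rc" -eq 0 ]
}

# Constructed demo input: a two-file tree and a patch touching both files.
make_demo() {   # make_demo DIR CONFIGURE_CONTENT AUTH_CONTENT
    mkdir -p "$1/tree"
    printf '%s\n' "$2" > "$1/tree/configure"
    printf '%s\n' "$3" > "$1/tree/auth.c"
    cat > "$1/demo.patch" <<'EOF'
--- a/auth.c
+++ b/auth.c
@@ -1 +1 @@
-base
+base gsi
--- a/configure
+++ b/configure
@@ -1 +1 @@
-stock
+stock gsi
EOF
}
```

Run it from any directory as apply_gsi_patch <openssh-source-dir> openssh-<version>.patch; a return code of 1 means the source tree was not modified.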

You will start the build process by running the configure program at the top of the OpenSSH source tree. To enable GSI support, you must specify:

--with-globus=<$GLOBUS_LOCATION>
--with-globus-flavor=<Globus build flavor (gcc32dbg, vendorcc32, etc.)>

In addition to the above options you may wish to specify additional options depending on your local configuration. Please see the file INSTALL that came with OpenSSH or run configure --help for a full list of options.

  • To support both GSI and Kerberos, you must use GSSAPI Mechglue. Otherwise, --with-globus and --with-kerberos5 cannot both be specified.
  • The configure script will use the OpenSSL libraries included in your Globus installation. You should not use --with-ssl-dir.

One option in particular that may be of interest is:

--prefix=<path>

This option allows you to override the default installation location for the OpenSSH binaries. By default they will be installed in /usr/local/{bin, sbin, man}. By specifying --prefix you can change the directory path prefix from /usr/local to whatever you choose.

You will also probably want to specify

--with-pam

as PAM is now supported on most systems.

After configure successfully runs, the next step is to run make at the top of the OpenSSH source tree. No arguments are normally necessary.

After make has successfully finished, the next step is to install the resulting binaries. This is normally done as root with the binaries installed in /usr/local/.

To install the binaries:

  1. Become root if necessary.
  2. Run make install from the top of the SSH source tree.

Please contact gsi-openssh-user@globus.org if you have any questions or problems.

You can now proceed to the instructions on Using the OpenSSH client or Configuring the OpenSSH server.