Diagnosis of GSI-OpenSSH Client Issues
Verifying your GSI configuration
As a first step, please run the following command to verify your GSI configuration:
If you do not see 'Proxy Verify OK' in the output, there is a problem with your GSI configuration.
Running the GSI-OpenSSH SSH client in debugging mode
The following information can be used to diagnose some common problems that you may be experiencing with the GSI-OpenSSH client. Each snippet of the client's output was taken from running it with the '-vvv' flag (which increases the debugging level to 3, the maximum):
No proxy found
Failing to run grid-proxy-init to create a user proxy with which to connect will result in the client notifying you that no local credentials exist. Any attempt to authenticate using GSI will fail in this case.
debug1: Problem with local credentials
debug1: no proxy credentials: run grid-proxy-init or wgpi first
Function:proxy_pw_cb
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
Fix: Verify that your GSI proxy has been properly initialized via 'grid-proxy-info'. If you need to initialize this proxy, use the command 'grid-proxy-init'.
Credentials Expired
The following error (or similar) indicates that your proxy certificate has expired:
You need to acquire a new proxy certificate and run SSH again.
SSH prompts you for a password when you run it
This could mean that you don't have a proxy certificate; try acquiring one and running SSH again. It could also mean that GSI authentication is failing for some reason and SSH is falling back to a different authentication mechanism. Reasons that it might fail include:
- The host you are connecting to does not have a GSI-enabled SSHD
- You are not authorized to use GSI authentication to the host. Contact the administrator.
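The checks described under "No proxy found" and "SSH prompts you for a password" can be run over saved '-vvv' output with a small shell function; this is an added example, not part of the GSI-OpenSSH documentation or code. The 'no proxy credentials' string comes from the snippet above; the 'Authentications that can continue' and 'Next authentication method' lines are stock OpenSSH client debug messages, assumed here to appear unchanged in GSI-OpenSSH, and the finding codes are names invented for this example.

```shell
#!/bin/sh
# Added example: classify saved -vvv output from the GSI-OpenSSH client.
# Finding codes (NO_PROXY, SERVER_NO_GSI, ...) are invented for this example.

triage_gsissh_log() {
    # Reads the debug log on stdin, prints one finding code per line.
    awk '
        # Message from the "No proxy found" snippet in this document.
        /no proxy credentials/ { no_proxy = 1 }
        # Stock OpenSSH debug lines, assumed unchanged in GSI-OpenSSH.
        /Authentications that can continue:/ {
            offered = 1
            if ($0 ~ /gssapi/) gss_offered = 1
        }
        /Next authentication method: gssapi/   { gss_tried = 1 }
        /Next authentication method: password/ { password = 1 }
        END {
            # No local proxy: GSI cannot succeed until one is created.
            if (no_proxy) { print "NO_PROXY"; n++ }
            # Password fallback and the server never listed a GSSAPI method:
            # the remote sshd is probably not GSI-enabled.
            if (password && offered && !gss_offered) { print "SERVER_NO_GSI"; n++ }
            # GSSAPI was attempted, then the client moved on to password:
            # GSI authentication failed (for example, not authorized on the host).
            if (password && gss_tried) { print "GSI_FAILED"; n++ }
            if (!n) print "NO_FINDING"
        }'
}

# Constructed sample: the snippet from this document plus a password fallback.
sample_log() {
    cat <<'EOF'
debug1: Problem with local credentials
debug1: no proxy credentials: run grid-proxy-init or wgpi first
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: Authentications that can continue: gssapi-with-mic,password
debug1: Next authentication method: password
EOF
}

# Usage: sh triage.sh saved-debug.log   (the -vvv output is written to stderr)
if [ "$#" -gt 0 ] && [ -f "$1" ]; then
    triage_gsissh_log < "$1"
fi
```

A GSI_FAILED finding does not say why the server refused the credential; the server administrator's logs are needed to tell an authorization problem from another failure.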
Library error from ssh-keysign
If you install ssh-keysign setuid root for hostbased authentication, you may experience library errors, because LD_LIBRARY_PATH is ignored for setuid executables. You can fix it in one of the following ways:
- Add the GSI libraries to the default system library search path (for example, by editing /etc/ld.so.conf and running ldconfig).
- Build ssh-keysign statically with gpt-build -static.
- Use ssh-keysign from a non-GSI build of OpenSSH.