Diagnosis of GSI-OpenSSH Client Issues

  1. No proxy found
  2. Library error from ssh-keysign

Verifying your GSI configuration

As a first step, please run the following command to verify your GSI configuration:

sh$ grid-proxy-init -debug -verify

If you do not see 'Proxy Verify OK' in the output, there is a problem with your GSI configuration.

Running the GSI-OpenSSH SSH client in debugging mode

The following information can be used to diagnose some common problems that you may be experiencing with the GSI-OpenSSH client. Each snippet of the client's output was taken from running it with the '-vvv' flag (which increases the debugging level to 3, the maximum):

sh$ $GLOBUS_LOCATION/bin/gsissh -vvv <remote host>

No proxy found

If you have not run grid-proxy-init to create a user proxy, the client reports that no local credentials exist. Any attempt to authenticate using GSI will fail in this case.

debug1: Local version string SSH-2.0-OpenSSH_3.2.3p1
debug1: Problem with local credentials
debug1: no proxy credentials: run grid-proxy-init or wgpi first
  Function:proxy_pw_cb
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received

Fix: Verify that your GSI proxy has been properly initialized via 'grid-proxy-info'. If you need to initialize this proxy, use the command 'grid-proxy-init'.

Credentials Expired

The following error (or similar) indicates that your proxy certificate has expired:

GSS-API error Failuring acquiring GSSAPI credentials: GSS_S_CREDENTIALS_EXPIRED

You need to acquire a new proxy certificate and run SSH again.
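
The two credential failures above can be told apart mechanically from saved '-vvv' output. The shell functions below are an added example, not part of GSI-OpenSSH: the function names and sample logs are constructed here, and the match strings are the ones quoted on this page.

```shell
#!/bin/sh
# Added example (not GSI-OpenSSH code): triage saved `gsissh -vvv` output.
# Function names are hypothetical; match strings come from the excerpts above.

# Reads a debug log on stdin; prints proxy-expired, no-proxy or unknown.
diagnose_gsissh_log() {
    log=$(cat)
    case $log in
        # GSS-API reports the proxy certificate as expired.
        *GSS_S_CREDENTIALS_EXPIRED*) echo proxy-expired ;;
        # Client found no usable proxy before key exchange.
        *'no proxy credentials'*|*'Problem with local credentials'*) echo no-proxy ;;
        # Neither documented message is present.
        *) echo unknown ;;
    esac
}

# Maps a diagnosis to the fix this page gives for it.
gsissh_fix() {
    case $1 in
        no-proxy)      echo "check grid-proxy-info, then run grid-proxy-init" ;;
        proxy-expired) echo "acquire a new proxy certificate and run SSH again" ;;
        *)             echo "run grid-proxy-init -debug -verify and look for 'Proxy Verify OK'" ;;
    esac
}

# Constructed sample logs built from lines quoted on this page.
SAMPLE_NO_PROXY='debug1: Local version string SSH-2.0-OpenSSH_3.2.3p1
debug1: Problem with local credentials
debug1: no proxy credentials: run grid-proxy-init or wgpi first
  Function:proxy_pw_cb
debug1: SSH2_MSG_KEXINIT sent'
SAMPLE_EXPIRED='GSS-API error Failuring acquiring GSSAPI credentials: GSS_S_CREDENTIALS_EXPIRED'
SAMPLE_OTHER='debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received'

for sample in "$SAMPLE_NO_PROXY" "$SAMPLE_EXPIRED" "$SAMPLE_OTHER"; do
    verdict=$(printf '%s\n' "$sample" | diagnose_gsissh_log)
    echo "$verdict: $(gsissh_fix "$verdict")"
done
```

To use it on real output, save the client's debug stream (OpenSSH writes it to stderr) to a file and feed that file to diagnose_gsissh_log on stdin.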

SSH prompts you for a password when you run it

This could mean that you don't have a proxy certificate; try acquiring one and running SSH again. It could also mean that GSI authentication is failing for some reason and SSH is falling back to a different authentication mechanism. Reasons that it might fail include:

Library error from ssh-keysign

If you install ssh-keysign setuid root for hostbased authentication, you may experience library errors, because LD_LIBRARY_PATH is ignored for setuid executables. You can fix it in one of the following ways: