GT 3.9.4 Component Guide to Public Interfaces: GSI-OpenSSH
- Semantics and syntax of APIs
- Semantics and syntax of WSDL
- Command-line tools
- GUIs
- Description of domain-specific interface data
- Configuration settings
- Environment variables
Semantics and syntax of APIs
GSI-enabled OpenSSH does not provide an API.
Semantics and syntax of the WSDL
GSI-enabled OpenSSH does not have a WSDL interface.
Command-line tools
The gsissh, gsiscp, and gsisftp commands provide the same interfaces as the standard OpenSSH ssh, scp, and sftp commands, respectively, with the added ability to perform X.509 proxy credential authentication and delegation.
gsissh
Tool description
Use the gsissh command to securely log in to a remote machine.
Command syntax
gsissh [-l login_name] hostname | user@hostname [command]
gsiscp
Tool description
Use the gsiscp command to securely copy files to or from a remote machine.
Command syntax
gsiscp [-P port] [[user@]host1:]file1 [...] [[user@]host2:]destfile
gsisftp
Tool description
The gsisftp command provides an interactive interface for transferring files to and from remote machines.
Command syntax
gsisftp [[user@]host[:dir[/]]]
Overview of Graphical User Interface
GSI-enabled OpenSSH does not provide a GUI.
Semantics and syntax of domain-specific interface
GSI-enabled OpenSSH does not provide any domain-specific interfaces.
Configuration interface
The GSI-enabled OpenSSH software is installed with a default set of configuration files, described below. You may want to modify the ssh_config file before using the clients and the sshd_config file before using the server.
If the GSI-enabled OpenSSH install script found existing SSH key pairs, it will create symbolic links to them rather than generating new key pairs. The SSH key pairs are not required for GSI authentication. However, if you wish to support other SSH authentication methods, make sure the sshd (running as root) can read the key pair files (i.e., beware of NFS mounts with root_squash). If running multiple sshds on a system, we recommend configuring them so they all use the same key pairs (i.e., use symbolic links) to avoid client-side confusion.
- $GLOBUS_LOCATION/etc/ssh/moduli
- moduli contains the Diffie-Hellman group parameters that sshd uses to generate session keys during key exchange.
- $GLOBUS_LOCATION/etc/ssh/ssh_config
- ssh_config contains options that are read by ssh, scp, and sftp at run-time. The installed version is the default provided by OpenSSH, with X11Forwarding enabled. You may need to customize this file for compatibility with your system SSH installation (i.e., compare with /etc/ssh/ssh_config).
- $GLOBUS_LOCATION/etc/ssh/ssh_host_key[.pub]
- Your system's RSA public-/private-key pair for SSH protocol 1 communications.
- $GLOBUS_LOCATION/etc/ssh/ssh_host_dsa[.pub]
- Your system's DSA public-/private-key pair for SSH protocol 2 communications.
- $GLOBUS_LOCATION/etc/ssh/ssh_host_rsa[.pub]
- Your system's RSA public-/private-key pair for SSH protocol 2 communications.
- $GLOBUS_LOCATION/etc/ssh/ssh_prng_cmds
- ssh_prng_cmds contains paths to a number of files that ssh-keygen may need to use if your system does not have a built-in entropy pool (like /dev/random).
- $GLOBUS_LOCATION/etc/ssh/sshd_config
- sshd_config contains options that are read by sshd when it starts up. The installed version is the default provided by OpenSSH, with X11Forwarding enabled. You may need to customize this file for compatibility with your system SSH installation (i.e., compare with /etc/ssh/sshd_config). For example, to enable PAM authentication, you will need to set "UsePAM yes" in this file.
Environment variable interface
The GSI-enabled OpenSSHD needs to be able to find certain files and directories in order to properly function.
The items that OpenSSHD needs to be able to locate, their default location and the environment variable to override the default location are:
- Host key
- Default location: /etc/grid-security/hostkey.pem. Override with the X509_USER_KEY environment variable.
- Host certificate
- Default location: /etc/grid-security/hostcert.pem. Override with the X509_USER_CERT environment variable.
- Gridmap file
- Default location: /etc/grid-security/grid-mapfile. Override with the GRIDMAP environment variable.
- Certificate directory
- Default location: /etc/grid-security/certificates. Override with the X509_CERT_DIR environment variable.
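A preflight check for the lookup described above, as an added example that is not part of the GSI-OpenSSH distribution: it resolves each item from its environment variable or the documented default, then verifies that sshd would actually find it. The function names gsi_path, file_mode and gsi_preflight are hypothetical, and the rule that the host key must not be accessible to group or other is an assumption not stated on this page.

```shell
#!/bin/sh
# Added example, not project code. Function names are hypothetical.

# Effective location of one item: environment override, else documented default.
gsi_path() {
    case "$1" in
        hostkey)  echo "${X509_USER_KEY:-/etc/grid-security/hostkey.pem}" ;;
        hostcert) echo "${X509_USER_CERT:-/etc/grid-security/hostcert.pem}" ;;
        gridmap)  echo "${GRIDMAP:-/etc/grid-security/grid-mapfile}" ;;
        certdir)  echo "${X509_CERT_DIR:-/etc/grid-security/certificates}" ;;
        *) return 2 ;;
    esac
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print one line per problem; return 0 only when nothing was reported.
gsi_preflight() {
    rc=0
    key=$(gsi_path hostkey); cert=$(gsi_path hostcert)
    map=$(gsi_path gridmap); dir=$(gsi_path certdir)
    for f in "$key" "$cert" "$map"; do
        [ -f "$f" ] && [ -r "$f" ] || { echo "missing or unreadable: $f"; rc=1; }
    done
    [ -d "$dir" ] || { echo "not a directory: $dir"; rc=1; }
    # Assumption: the private host key must carry no group/other permission bits.
    if [ -f "$key" ]; then
        mode=$(file_mode "$key")
        case "$mode" in
            *00) ;;
            *) echo "host key $key has mode $mode, expected 400 or 600"; rc=1 ;;
        esac
    fi
    return $rc
}
```

Source the file and call gsi_preflight as the account that runs sshd, with the same environment sshd is started with, so an override that is set only in an interactive shell shows up as a mismatch.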