MEG: MyProxy Enabled GSISSHD
Kevin Haines, STFC. AHM'09, Tuesday 8th December 2009

Presentation Transcript


  1. MEG Myproxy Enabled GSISSHD Kevin Haines STFC AHM'09, Tuesday 8th December 2009

  2. About Me • STFC eScience Centre for 6 years • NGS 1, 2 and 3 • System Administrator for ngs.rl.ac.uk • Software development background

  3. Interactive Login For Grid Users
  • Provide a UI box with SSH key-based access
    • Extra VO management overhead
    • Attractive to hackers
    • SSH key compromise is common
  • Provide a UI box with GSI-OpenSSH
    • Certificate-based authentication
    • Limits the clients which can connect
    • Short-lived delegations: less damage in a compromise

  4. GSI-enabled Clients

  5. [Diagram: GSI-enabled clients that can talk to GSI-OpenSSH directly: Java GSI Client, GSI OpenSSH Client]

  6. [Diagram, "MEG = Greater Choice": in addition to the Java GSI Client and GSI OpenSSH Client, MEG lets ordinary SSH-family clients log in via a MyProxy Server: Linux/Cygwin SSH, PuTTY, WinSCP, FireFTP (Firefox), Nautilus, gFTP, web-based SSH, Konqueror, scp; Cert Wizard is shown alongside the MyProxy Server]

  7. Inside MEG
  [Diagram: GSI OpenSSH Server (v4.7) -> PAM Stack (Config, pam_remapuser.so) -> auth_myproxy_user.sh -> MyProxy Server(s)]
  • Overall Process:
    • Take user name + password
    • Get certificate from MyProxy
    • Map certificate to user account

  8.–11. Inside MEG: the slide 7 diagram built up step by step; slide 11 adds the login credentials, foo/pwd, passing from the GSI OpenSSH server through the PAM stack to auth_myproxy_user.sh.

  12. Inside MEG: Config
  /etc/pam.d/megsisshd

      auth     required pam_remapuser.so /usr/sbin/auth_myproxy_user.sh
      auth     required pam_nologin.so
      account  required pam_stack.so service=system-auth
      password required pam_stack.so service=system-auth
      session  required pam_stack.so service=system-auth
      session  required pam_loginuid.so

  13. Inside MEG: the slide 11 diagram again, with the credentials foo/pwd handed to auth_myproxy_user.sh.

  14. Inside MEG: auth_myproxy_user.sh (the core of the script as shown on the slide; MYPROXY_SERVER_LIST, MYPROXY_GET, MYPROXY_USER, PASSWD, TMPCERT, GSISSH, AUTHHOST and AUTHPORT are set outside this excerpt)

      success=0
      # try each MyProxy server in turn; the password goes in on stdin (-S)
      # through the shell builtin, so it never appears in a process argument list
      for myproxyserver in $MYPROXY_SERVER_LIST; do
        builtin echo "$PASSWD" | $MYPROXY_GET -s $myproxyserver -l "$MYPROXY_USER" -o $TMPCERT -S >/dev/null 2>&1
        if [ $? -eq 0 ]; then
          success=1
          break
        fi
      done
      if [ $success -ne 1 ]; then
        # fail silently
        exit 1
      fi
      # authenticate to the auth host with the freshly retrieved proxy and
      # ask which Unix account that certificate is mapped to
      export X509_USER_CERT=$TMPCERT
      export X509_USER_KEY=$TMPCERT
      userid=`$GSISSH -p $AUTHPORT $AUTHHOST id -un 2>/dev/null`
      if [ $? -ne 0 ]; then
        # fail silently
        rm $TMPCERT
        exit 1
      fi
      # put the certificate into the default Globus location
      chown $userid $TMPCERT
      chmod 400 $TMPCERT
      mv -f $TMPCERT /tmp/x509up_u`id -u $userid`
      # the mapped account name is returned to pam_remapuser.so
      echo $userid

  15. Inside MEG: the same diagram; the mapped account name, ngs0006, is returned by auth_myproxy_user.sh and passed back through pam_remapuser.so to the GSI OpenSSH server.
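The process of slide 7 and the helper of slide 14, as an added example that is not MEG's own code: the helper logic rewritten as a shell function, with stub myproxy-logon and gsissh commands placed on PATH so the MyProxy failover, the silent-failure paths and the owner-only 0400 credential handling can be exercised on a machine with no Grid software installed. The names meg_auth, meg_stub_install, MEG_AUTHHOST, MEG_AUTHPORT and MEG_STUB_*, the auth host and port, and the stub behaviour (the gsissh stub maps every readable credential to the invoking user) are assumptions for this demo. Beyond what the slide shows, it also rejects an implausible or unknown account name coming back from the auth host before handing it to chown and id.

```shell
#!/bin/sh
# Added example, not MEG's code. meg_auth reproduces the auth_myproxy_user.sh
# flow; meg_stub_install provides fake myproxy-logon/gsissh so it runs offline.
# MEG_AUTHHOST/MEG_AUTHPORT, the meg_*/MEG_STUB_* names and the stub behaviour
# are assumptions for this demo.

: "${MEG_AUTHHOST:=gsisshd-auth.example.org}"   # assumed host answering "id -un"
: "${MEG_AUTHPORT:=2223}"                        # assumed port (slide 16 uses 2223)

# meg_auth USER PASSWORD "SERVER..." CRED_DIR
# Prints the mapped Unix account and returns 0. On any failure returns 1 and
# leaves no credential on disk; like the slide, PAM only sees the exit status.
meg_auth() {
  local user="$1" passwd="$2" servers="$3" creddir="$4"
  local tmpcert server ok=0 userid uid
  tmpcert=$(mktemp "$creddir/meg.XXXXXX") || return 1

  # Try each MyProxy server in turn; the first that accepts the password wins.
  # printf is a shell builtin, so the password is never in a child's argv.
  for server in $servers; do
    if printf '%s\n' "$passwd" | myproxy-logon -s "$server" -l "$user" -o "$tmpcert" -S >/dev/null 2>&1; then
      ok=1
      break
    fi
  done
  if [ "$ok" -ne 1 ]; then
    rm -f "$tmpcert"
    return 1
  fi

  # GSI-authenticate with the fresh proxy and ask which account it maps to.
  userid=$(X509_USER_CERT="$tmpcert" X509_USER_KEY="$tmpcert" \
           gsissh -p "$MEG_AUTHPORT" "$MEG_AUTHHOST" id -un 2>/dev/null) || {
    rm -f "$tmpcert"
    return 1
  }
  # The name comes from a remote command: accept only a plausible account name
  # and require that it exists locally before using it with chown/id.
  case "$userid" in
    ''|-*|*[!A-Za-z0-9._-]*) rm -f "$tmpcert"; return 1 ;;
  esac
  uid=$(id -u "$userid" 2>/dev/null) || { rm -f "$tmpcert"; return 1; }

  # Install the proxy where Globus tools expect it: owned by the user, 0400.
  chown "$userid" "$tmpcert" && chmod 400 "$tmpcert" &&
    mv -f "$tmpcert" "$creddir/x509up_u$uid" || { rm -f "$tmpcert"; return 1; }
  echo "$userid"
}

# meg_stub_install: put fake myproxy-logon and gsissh first on PATH.
# The MyProxy stub succeeds only for hosts listed in MEG_STUB_UP with the
# password MEG_STUB_PASSWORD (defaults: up.example.org / pwd, after slide 11's
# foo/pwd). The gsissh stub maps any readable credential to the invoking user.
meg_stub_install() {
  local dir
  dir=$(mktemp -d) || return 1
  cat >"$dir/myproxy-logon" <<'EOF'
#!/bin/sh
server= out=
while [ $# -gt 0 ]; do
  case "$1" in
    -s) server="$2"; shift ;;
    -o) out="$2"; shift ;;
    -l) shift ;;
  esac
  shift
done
read -r pw                      # -S: passphrase arrives on stdin
case " ${MEG_STUB_UP:-up.example.org} " in *" $server "*) ;; *) exit 1 ;; esac
[ "$pw" = "${MEG_STUB_PASSWORD:-pwd}" ] || exit 1
echo "STUB PROXY CERTIFICATE issued by $server" >"$out"
EOF
  cat >"$dir/gsissh" <<'EOF'
#!/bin/sh
[ -n "$X509_USER_CERT" ] && [ -r "$X509_USER_CERT" ] || exit 1
id -un
EOF
  chmod 755 "$dir/myproxy-logon" "$dir/gsissh"
  PATH="$dir:$PATH"
  export PATH
}

# Demo: the first MyProxy server is down, the second is up.
meg_stub_install
demo_dir=$(mktemp -d)
if account=$(meg_auth foo pwd "down.example.org up.example.org" "$demo_dir"); then
  echo "foo/pwd mapped to local account $account; credential installed:"
  ls -l "$demo_dir"
else
  echo "authentication failed"
fi
```

Run it as a plain shell script; the demo at the end performs one login against a dead server followed by a live one and lists the installed 0400 credential. In a real deployment the stubs are simply absent and the genuine myproxy-logon and gsissh are found on PATH.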

  16. Installing MEG
  • Default install instructions for MEG on RHEL4, running on port 2223:

      wget http://forge.nesc.ac.uk/download.php/465/kgsisshd-0.7-1.src.tgz
      tar zxf kgsisshd*.tgz
      cd kgsisshd-0.7-1
      (edit Makefile options)
      make install

  • RHEL 5 needs a different PAM configuration file (will be supplied in v0.8): its PAM no longer ships the pam_stack.so module used in the RHEL4 file and uses the include directive instead
  • v0.8 will support MyProxy ports other than 7512

  17. Summary
  • 265 lines of C code (pam_remapuser)
  • 88 lines of shell script
  • Easily extensible
  • MyProxySSO works out of the box
  • Plans to get SARoNGS better supported
  • Popular with Scarf users
    • MEG+SSO: 33 users (258 logins)
    • GSI: 2 users (32 logins)
