MEG: MyProxy Enabled GSISSHD
Kevin Haines, STFC
AHM'09, Tuesday 8th December 2009

About Me
• STFC eScience Centre for 6 years
• NGS 1, 2 and 3
• System Administrator for ngs.rl.ac.uk
• Software development background
Interactive Login For Grid Users
• Provide a UI box with SSH key-based access
  • Extra VO management overhead
  • Attractive to hackers
  • SSH key compromise is common
• Provide a UI box with GSI-OpenSSH
  • Certificate based authentication
  • Limits the clients which can connect
  • Short-lived delegations – less damage in a compromise
GSI Enabled Clients
(Diagram: only the Java GSI Client and the GSI OpenSSH Client can connect to GSI-OpenSSH.)

MEG = Greater Choice
(Diagram: with MEG, alongside the Java GSI Client and GSI OpenSSH Client, clients such as Linux/Cygwin SSH, Putty, WinSCP, FireFTP (FireFox), Nautilus, GFTP, web based SSH, Konqueror and SCP can connect; the MyProxy Server and Cert Wizard are also shown.)
Inside MEG
(Diagram components: Config, GSI OpenSSH Server (v4.7), pam_remapuser.so, auth_myproxy_user.sh, PAM Stack, MyProxy Server(s); the animated frames show the username/password pair foo/pwd passing through to the MyProxy servers and the mapped account name ngs0006 coming back.)
Overall process:
• Take user name + password
• Get certificate from MyProxy
• Map certificate to user account
Inside MEG: Config
/etc/pam.d/megsisshd:
    auth     required pam_remapuser.so /usr/sbin/auth_myproxy_user.sh
    auth     required pam_nologin.so
    account  required pam_stack.so service=system-auth
    password required pam_stack.so service=system-auth
    session  required pam_stack.so service=system-auth
    session  required pam_loginuid.so
Inside MEG: auth_myproxy_user.sh (excerpt; MYPROXY_SERVER_LIST, MYPROXY_GET, MYPROXY_USER, PASSWD, TMPCERT, GSISSH, AUTHPORT and AUTHHOST are set in the part of the script not shown):

    success=0
    # Try each configured MyProxy server in turn. -S reads the passphrase from
    # stdin, so the password never appears on a command line, and builtin echo
    # keeps it out of the process list as well.
    for myproxyserver in $MYPROXY_SERVER_LIST; do
        builtin echo "$PASSWD" | $MYPROXY_GET -s $myproxyserver -l "$MYPROXY_USER" -o $TMPCERT -S >/dev/null 2>&1
        if [ $? -eq 0 ]; then
            success=1
            break
        fi
    done
    if [ $success -ne 1 ]; then
        # fail silently
        exit 1
    fi
    # Use the freshly delegated proxy as our own credential and ask the
    # GSI-OpenSSH server at $AUTHHOST which account it maps the certificate to.
    export X509_USER_CERT=$TMPCERT
    export X509_USER_KEY=$TMPCERT
    userid=`$GSISSH -p $AUTHPORT $AUTHHOST id -un 2>/dev/null`
    if [ $? -ne 0 ]; then
        # fail silently
        rm $TMPCERT
        exit 1
    fi
    # put the certificate into the default Globus location
    chown $userid $TMPCERT
    chmod 400 $TMPCERT
    mv -f $TMPCERT /tmp/x509up_u`id -u $userid`
    # The mapped account name goes back to pam_remapuser.so on stdout.
    echo $userid
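Whatever auth_myproxy_user.sh echoes becomes the account pam_remapuser.so remaps the session to, and the same value reaches chown and id unquoted, so it deserves a check before use. The following is an added example (not part of MEG or the NGS code) of such checks in POSIX sh; the function names, the 32-character limit and the MIN_UID default of 500 are assumptions.

```shell
#!/bin/sh
# Added example, not part of MEG: checks for the account name that
# auth_myproxy_user.sh hands back to pam_remapuser.so. Function names,
# the 32-character limit and the MIN_UID default are assumptions.

# Accept only a plain local account name: lowercase letters, digits,
# '_' and '-', at most 32 characters, not starting with '-' (so it can
# never be read as an option by chown or id), and no '/', whitespace
# or shell metacharacters that could reach chown/mv/id unquoted.
valid_unix_name() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Accept the name only if it exists in the passwd database (getent, so
# NIS/LDAP-backed UI boxes work too) and is not a system account, i.e.
# its uid is at or above MIN_UID (default 500, the RHEL4/5 convention).
# A non-zero return is the fail-closed path: the login is refused.
mapped_account_ok() {
    name=$1
    valid_unix_name "$name" || return 1
    uid=$(getent passwd "$name" | cut -d: -f3)
    [ -n "$uid" ] || return 1
    [ "$uid" -ge "${MIN_UID:-500}" ]
}

# Default Globus proxy location for a uid: the path MEG moves the
# MyProxy-delegated proxy to before the session starts.
proxy_path_for_uid() {
    printf '/tmp/x509up_u%s\n' "$1"
}

# Intended use in the script, once userid has been obtained:
#   mapped_account_ok "$userid" || { rm -f "$TMPCERT"; exit 1; }
```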
Installing MEG
• Default install instructions for installing MEG on RHEL4, running on port 2223:
  • wget http://forge.nesc.ac.uk/download.php/465/kgsisshd-0.7-1.src.tgz
  • tar zxf kgsisshd*.tgz
  • cd kgsisshd-0.7-1
  • (Edit Makefile options)
  • make install
• RHEL 5 needs a different PAM configuration file (will be supplied in v0.8)
• v0.8 will support MyProxy ports other than 7512
Summary
• 265 lines of C code (pam_remapuser)
• 88 lines of shell script
• Easily extensible
• MyProxySSO works out of the box
• Plans to get SARoNGS better supported
• Popular with Scarf users:
  • MEG+SSO: 33 users (258 logins)
  • GSI: 2 users (32 logins)