MEG: MyProxy Enabled GSISSHD. Kevin Haines, STFC. AHM'09, Tuesday 8th December 2009


MEG: MyProxy Enabled GSISSHD

Kevin Haines, STFC

AHM'09, Tuesday 8th December 2009

About Me

• STFC eScience Centre for 6 years

• NGS 1, 2 and 3

• System Administrator for ngs.rl.ac.uk

• Software development background

Interactive Login For Grid Users

• Provide a UI box with SSH key-based access
  – Extra VO management overhead
  – Attractive to hackers
  – SSH key compromise is common

• Provide a UI box with GSI-OpenSSH
  – Certificate based authentication
  – Limits the clients which can connect
  – Short-lived delegations – less damage in a compromise

GSI-enabled Clients

(Diagram: with GSI-OpenSSH alone, only GSI-enabled clients can connect.)

• GSI-OpenSSH client
• Java GSI Client

MEG = Greater Choice

(Diagram: with MEG in front of a MyProxy Server, the Java GSI Client and the GSI-OpenSSH client still work, and the following ordinary SSH/SCP clients can connect as well.)

• Putty
• WinSCP
• Nautilus
• FireFTP (FireFox)
• GFTP
• Linux/Cygwin SSH
• Web Based SSH
• Konqueror SCP
• Cert Wizard

Inside MEG

(Diagram: a GSI OpenSSH Server (v4.7) whose PAM stack contains pam_remapuser.so; the module runs auth-myproxy-user.sh, which reads a Config file and talks to one or more MyProxy Server(s).)

Overall process:
– Take user name + password
– Get certificate from MyProxy
– Map certificate to user account

Inside MEG (step 1)

(Diagram as above: the user presents a username and password, shown on the slide as foo/pwd, to the GSI OpenSSH server, which hands them to the PAM stack.)

/etc/pam.d/megsisshd

auth     required pam_remapuser.so /usr/sbin/auth_myproxy_user.sh
auth     required pam_nologin.so
account  required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session  required pam_stack.so service=system-auth
session  required pam_loginuid.so
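The service file above is ordinary pam.d syntax: module type, control flag, module, then optional arguments. As an added illustration (not part of MEG or of these slides), the POSIX shell function below audits a file of that shape: every non-comment line must carry the three mandatory fields with a known type and control flag, the auth stack must begin with pam_remapuser.so carrying an absolute path to the auth script, and pam_nologin.so must still be present in the auth stack. The two sample files it writes are constructed for the offline run: the "good" one reproduces the slide's configuration, the "bad" one puts pam_nologin.so first and gives the remap module a relative script path.

```shell
#!/bin/sh
# Added example, not part of the MEG distribution: audit a pam.d service file
# of the shape MEG installs. Prints each problem found; returns 0 if the file
# passes and 1 otherwise.

check_meg_pam() {
    file=$1
    rc=0
    first_auth=''
    saw_nologin=''
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            '' | '#'*) continue ;;     # blank lines and comments carry no policy
        esac
        # Split the line into its whitespace-separated fields (globbing off).
        set -f
        set -- $line
        set +f
        if [ $# -lt 3 ]; then
            echo "$file:$lineno: expected type, control and module, got: $line"
            rc=1
            continue
        fi
        type=$1
        control=$2
        module=$3
        arg=${4:-}
        case $type in
            auth | account | password | session) ;;
            *) echo "$file:$lineno: unknown module type '$type'"; rc=1 ;;
        esac
        case $control in
            required | requisite | sufficient | optional | include | substack) ;;
            *) echo "$file:$lineno: unknown control flag '$control'"; rc=1 ;;
        esac
        if [ "$type" = auth ]; then
            if [ -z "$first_auth" ]; then
                # The first auth module is the one that sees the password, so it
                # must be the remap module, and it must point at a fixed script.
                first_auth=$module
                if [ "$module" != pam_remapuser.so ]; then
                    echo "$file:$lineno: auth stack should start with pam_remapuser.so, found $module"
                    rc=1
                fi
                case $arg in
                    /*) ;;
                    *) echo "$file:$lineno: pam_remapuser.so needs an absolute path to the auth script"; rc=1 ;;
                esac
            fi
            if [ "$module" = pam_nologin.so ]; then
                saw_nologin=1
            fi
        fi
    done < "$file"
    if [ -z "$first_auth" ]; then
        echo "$file: no auth lines at all"
        rc=1
    fi
    if [ -z "$saw_nologin" ]; then
        echo "$file: pam_nologin.so missing from the auth stack"
        rc=1
    fi
    return $rc
}

# Constructed sample files: "good" is the stack from the slide, "bad" is broken
# in two ways (pam_nologin.so first, relative script path on the remap module).
write_sample_pam() {
    kind=$1
    out=$2
    if [ "$kind" = good ]; then
        cat > "$out" <<'EOF'
# MEG service file (sample copied from the slide)
auth     required pam_remapuser.so /usr/sbin/auth_myproxy_user.sh
auth     required pam_nologin.so
account  required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session  required pam_stack.so service=system-auth
session  required pam_loginuid.so
EOF
    else
        cat > "$out" <<'EOF'
auth     required pam_nologin.so
auth     required pam_remapuser.so auth_myproxy_user.sh
account  required pam_stack.so service=system-auth
EOF
    fi
}

# Stand-alone run: "sh check_meg_pam.sh demo" audits both samples.
if [ "${1:-}" = demo ]; then
    g=$(mktemp); b=$(mktemp)
    write_sample_pam good "$g"; write_sample_pam bad "$b"
    check_meg_pam "$g" && echo "good sample: OK"
    check_meg_pam "$b" || echo "bad sample: rejected (see messages above)"
    rm -f "$g" "$b"
fi
```

Run it with the `demo` argument to see both verdicts; pointed at a real /etc/pam.d/megsisshd it makes a cheap post-install check that the remap module is the first thing in the auth stack and has not been edited to a relative path.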

auth_myproxy_user.sh (core of the script; MYPROXY_SERVER_LIST, MYPROXY_GET, MYPROXY_USER, PASSWD, TMPCERT, GSISSH, AUTHPORT and AUTHHOST are set outside the fragment shown)

success=0
for myproxyserver in $MYPROXY_SERVER_LIST; do
    # Feed the password on stdin (-S) and ask this MyProxy server for a delegated credential
    builtin echo "$PASSWD" | $MYPROXY_GET -s $myproxyserver -l "$MYPROXY_USER" -o $TMPCERT -S >/dev/null 2>&1
    if [ $? -eq 0 ]; then
        success=1
        break
    fi
done

if [ $success -ne 1 ]; then
    # fail silently
    exit 1
fi

# Use the freshly fetched credential to ask the auth host which local account it maps to
export X509_USER_CERT=$TMPCERT
export X509_USER_KEY=$TMPCERT
userid=`$GSISSH -p $AUTHPORT $AUTHHOST id -un 2>/dev/null`
if [ $? -ne 0 ]; then
    # fail silently
    rm $TMPCERT
    exit 1
fi

# put the certificate into the default Globus location
chown $userid $TMPCERT
chmod 400 $TMPCERT
mv -f $TMPCERT /tmp/x509up_u`id -u $userid`

echo $userid
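To make the three-step process from the "Inside MEG" slide (take username + password, get a certificate from MyProxy, map it to an account) concrete without a MyProxy server or a GSI-OpenSSH host at hand, here is an added example that is not MEG's own code: the control flow of auth_myproxy_user.sh factored into POSIX shell functions whose external commands are passed in as parameters. fake_myproxy_get and fake_gsissh_id are constructed stand-ins for myproxy-logon and for "gsissh ... id -un"; the server names, the user "foo", the password "pwd", the mapped account "ngs0006" and the UID 1001 are sample values. Unlike the real script, the credential's owner is not changed (that needs root) and the target UID is passed in explicitly because the mapped account does not exist on the machine running the example.

```shell
#!/bin/sh
# Added example, not part of the MEG distribution: the auth_myproxy_user.sh flow
# with injectable commands, so server failover, credential placement and the
# fail-silently behaviour can be exercised offline.

# fetch_from_any_server SERVER_LIST GET_CMD USER OUTFILE
# Feeds $PASSWD on stdin (the -S flag, as in the MEG script, so the password is
# never on a command line) to GET_CMD for each server in turn. Prints the server
# that answered and returns 0, or returns 1 if every server refused.
fetch_from_any_server() {
    servers=$1; get_cmd=$2; user=$3; out=$4
    for s in $servers; do
        if printf '%s\n' "$PASSWD" | $get_cmd -s "$s" -l "$user" -o "$out" -S >/dev/null 2>&1; then
            echo "$s"
            return 0
        fi
    done
    return 1
}

# install_credential CREDFILE DESTDIR UID
# Moves the delegated credential to DESTDIR/x509up_u<UID> with mode 0400, the
# default Globus location the MEG script uses. Prints the final path.
install_credential() {
    cred=$1; dest=$2; uid=$3
    chmod 400 "$cred" || return 1
    mv -f "$cred" "$dest/x509up_u$uid" || return 1
    echo "$dest/x509up_u$uid"
}

# auth_myproxy_user SERVER_LIST GET_CMD ID_CMD USER DESTDIR UID
# Whole flow: on success prints the mapped account name and returns 0; on any
# failure removes the temporary credential, prints nothing and returns 1.
auth_myproxy_user() {
    servers=$1; get_cmd=$2; id_cmd=$3; user=$4; dest=$5; uid=$6
    tmp=$(mktemp) || return 1
    if ! fetch_from_any_server "$servers" "$get_cmd" "$user" "$tmp" >/dev/null; then
        rm -f "$tmp"
        return 1
    fi
    # The fetched credential authenticates the mapping lookup, as the script does
    # by exporting X509_USER_CERT/X509_USER_KEY before calling gsissh.
    if ! mapped=$( export X509_USER_CERT="$tmp" X509_USER_KEY="$tmp"; $id_cmd 2>/dev/null ); then
        rm -f "$tmp"
        return 1
    fi
    install_credential "$tmp" "$dest" "$uid" >/dev/null || { rm -f "$tmp"; return 1; }
    echo "$mapped"
}

# Constructed stand-in for myproxy-logon: understands the flags the script passes,
# succeeds only for server "myproxy-b.example" with passphrase "pwd" on stdin.
fake_myproxy_get() {
    server=''; out=''
    while [ $# -gt 0 ]; do
        case $1 in
            -s) server=$2; shift 2 ;;
            -l) shift 2 ;;
            -o) out=$2; shift 2 ;;
            *) shift ;;
        esac
    done
    read -r pass
    if [ "$server" = myproxy-b.example ] && [ "$pass" = pwd ]; then
        printf 'CONSTRUCTED PROXY CREDENTIAL\n' > "$out"
        return 0
    fi
    return 1
}

# Constructed stand-in for "gsissh -p $AUTHPORT $AUTHHOST id -un": answers only
# when the exported credential exists, and reports the sample account ngs0006.
fake_gsissh_id() {
    if [ -n "${X509_USER_CERT:-}" ] && [ -s "$X509_USER_CERT" ]; then
        echo ngs0006
        return 0
    fi
    return 1
}

# Stand-alone run: "sh meg_flow.sh demo" walks the whole flow once.
if [ "${1:-}" = demo ]; then
    PASSWD=pwd
    dest=$(mktemp -d)
    if acct=$(auth_myproxy_user "myproxy-a.example myproxy-b.example" fake_myproxy_get fake_gsissh_id foo "$dest" 1001); then
        echo "foo mapped to $acct; credential at $dest/x509up_u1001"
    else
        echo "login refused"
    fi
    rm -rf "$dest"
fi
```

Two things the functions make visible that the slide's fragment only implies: the first server in MYPROXY_SERVER_LIST refusing is not an error (the loop simply moves on), and a wrong password or an unreachable auth host leaves no credential file behind and prints nothing, which is what lets pam_remapuser.so treat an empty result as a plain authentication failure.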

Inside MEG (final step)

(Diagram as above: the PAM stack returns the mapped local account, shown on the slide as ngs0006, and the login proceeds under that account.)

Installing MEG

Default install instructions for installing MEG on RHEL4, running on port 2223:

wget http://forge.nesc.ac.uk/download.php/465/kgsisshd-0.7-1.src.tgz
tar zxf kgsisshd*.tgz
cd kgsisshd-0.7-1
(Edit Makefile options)
make install

• RHEL 5 needs a different PAM configuration file (will be supplied in v0.8)
• v0.8 will support MyProxy ports other than 7512

Summary

• 265 lines of C code (pam_remapuser)
• 88 lines of shell script
• Easily extensible
  – MyProxySSO works out of the box
  – Plans to get SARoNGS better supported
• Popular with Scarf users
  – MEG+SSO: 33 users (258 logins)
  – GSI: 2 users (32 logins)