datalink
0505

NCSA Officially Supports GSI-Enabled Remote Login for Grid Users Across All High-End Systems

NCSA now officially supports a new authentication method for remote login to its high-end systems using X.509 proxy certificates, the de facto standard for authentication in the Grid Security Infrastructure (GSI). This capability allows users to log in to computing resources at NCSA and elsewhere "on the grid," including TeraGrid systems, with a single sign-on at the start of their session. The deployment is part of NCSA's ongoing efforts to support new uses of its high-end systems.

OpenSSH, a free implementation of the SSH protocol, encrypts all traffic to protect against network-level attacks. It is currently available with support for Kerberos, RSA, and a number of other authentication methods from http://www.openssh.org/. An enhanced version of OpenSSH that supports GSI authentication is available from NCSA and is included in the NMI GRIDS Center Software Suite and the Globus Toolkit. NCSA is a participant in the NMI GRIDS Center project and a member of the Globus Alliance, which develops the Globus Toolkit. However, the GSI-enabled version of OpenSSH did not previously support both GSI and Kerberos authentication, as required by some NCSA users, because of conflicts between the Kerberos and GSI libraries. For this reason, NCSA provided only limited support for GSI SSH authentication on its high-end systems over the years, for specific National Computational Science Alliance and TeraGrid activities.

The new GSI OpenSSH solves this problem through the use of GSSAPI (Generic Security Services Application Programming Interface) mechglue, which allows these mechanisms to co-exist. This is the first production deployment of the GSSAPI mechglue OpenSSH software available from NCSA, which provides a modified version of the widely used OpenSSH remote login program to support both Kerberos and GSI authentication.

Says Doru Marcusiu, assistant director of NCSA's cyberenvironments division, "The capability to integrate GSI with OpenSSH has been around for some time. What the latest technology allows us to do is combine that with Kerberos so that you have a single server that will support both." So, NCSA can now include GSI support in its officially supported SSH servers.

The GSSAPI mechglue OpenSSH software is the work of many different contributors, both at NCSA and beyond. NCSA's GSSAPI patch for OpenSSH was based on a patch created by Simon Wilkinson, a U.K.-based open-source developer. It utilizes a GSSAPI "mechglue" library, contributed by Sun Microsystems, Inc. to the MIT Kerberos package, which allows applications to use the GSSAPI interface to multiple GSSAPI libraries (for example, Kerberos and GSI). Dan Kouril of the Institute of Computer Science (Brno, Czech Republic) and Doug Engert of Argonne National Laboratory performed the initial integration of GSSAPI OpenSSH with the GSSAPI mechglue library.

At NCSA, Von Welch originally added GSI support to OpenSSH. Jim Basney, also at NCSA, is currently responsible for ongoing maintenance and support of NCSA's OpenSSH modifications. Marcusiu and his team tested and deployed this new capability in production.