[Gt-eos] gct and gsissh

Mischa Salle msalle at nikhef.nl
Mon Sep 17 12:10:01 CEST 2018


On Fri, Sep 14, 2018 at 05:54:40PM +0200, Frank Scheiner wrote:
> On 09/07/2018 02:31 PM, Mischa Salle wrote:
> > For the further future (don't remember whether I mentioned this before),
> > one could probably make a different patch based on the adapted OpenSSH
> > versions as shipped by RedHat and Debian, which have proper GSSAPI
> > support (i.e. not just Kerberos, those patches were pushed by the
> > Moonshot people which also requires a proper GSSAPI, and I think were
> > based on the GSI-OpenSSH patch).
> 
> I assume this is what Mattias spoke about earlier in [1]:
> ```
> [...]
> The gsi patch in these packages is smaller than the one in GT upstream,
> because part of the changes needed have already been made by the
> existing Fedora openssh patches. The gsi patch itself doesn't change
> much, but it did need some updates for the openssl 1.1 migration that I
> ported from the changes made to the patch in the GT repo.
> [...]
> ```
> ..., right? I hence assume such a patch is already available from Mattias
> then.
> 
> [1]: https://mailman.egi.eu/pipermail/gt-eos/2017-December/000132.html

I'm not sure but I doubt it. As far as I understood the moonshot-based
patches actually patch openssl such that you would only need a gssapi
module, at least on one of the sides. So partially yes, but probably not
completely. In any case, on the server side you cannot just do that, but
need more patched code.

> 
> > It probably still requires a patched
> > server, but might be able to use a stock client with just some extra
> > modules installed (if I'm not mistaken).
> 
> So users could use plain `ssh` with GSI proxy credentials instead of SSH
> keys with these extra modules? Interesting, where can we get more
> information about these modules? And will this also support delegation?

That would be the idea, but AFAIK those extra GSSAPI modules currently
don't exist. If it's properly worked out you could of course support
delegation. That would be the whole idea...

But Mattias will certainly know best what's there and what isn't....

    Cheers,
    Mischa

> 
> Cheers,
> Frank
> 
> -- 
> Frank Scheiner
> 
> High Performance Computing Center Stuttgart (HLRS)
> Department Project User Management & Accounting
> 
> Email: scheiner at hlrs.de
> Phone: +49 711 685 68039
> 





-- 
Nikhef                      Room  H155
Science Park 105            Tel.  +31-20-592 5102
1098 XG Amsterdam           Fax   +31-20-592 5155
The Netherlands             Email msalle at nikhef.nl
  __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..