Installing GSI OpenSSH
About This Document
This document gives instructions on installing and using the GSI OpenSSH server available in the OSG repository and configuring it so that you can use it on your cluster.
The GSI OpenSSH RPMs require a user account and group in order for privilege separation to work. The RPM installation will try to create the gsisshd user and group and the required directory with the correct ownership if they are not present. If you are using a configuration management system or ROCKS, you should make sure that these users and groups are created before installing the RPMs to avoid potential issues. The gsisshd user should have an empty home directory. By default, this home directory is set to
and belongs to the
user and group. You may change it to something else if needed, as long as the ownership remains the same.
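The checks described above (privilege-separation account and group present, home directory empty and correctly owned) are easy to run before the RPM install on a host managed by a configuration management system or ROCKS. The script below is an added example, not code from OSG or the GSI OpenSSH project. It assumes the account and group are both named gsisshd, as the page states; the expected owner uid/gid of the home directory is a parameter, because the page does not spell it out, and the stand-alone run in main assumes the directory is owned by the gsisshd account itself.

```python
"""Pre-install check for the gsisshd privilege-separation account and home directory.

Added example (not OSG/GSI OpenSSH code). Assumptions: user and group are both
named gsisshd; the caller supplies the expected owner uid/gid of the home directory.
"""
import grp
import os
import pwd
import shutil
import stat
import tempfile

PRIVSEP_USER = "gsisshd"  # account and group name given on the page


def check_account(name):
    """Return a list of problems with the privsep user and group (empty if both exist)."""
    problems = []
    try:
        pwd.getpwnam(name)
    except KeyError:
        problems.append("user %s is missing" % name)
    try:
        grp.getgrnam(name)
    except KeyError:
        problems.append("group %s is missing" % name)
    return problems


def check_home(path, uid, gid):
    """Return a list of problems with the privsep home directory.

    It must exist, be a real directory (not a symlink), be empty, be owned by
    uid:gid and, as an extra hardening check, not be group- or world-writable."""
    try:
        st = os.lstat(path)
    except OSError:
        return ["home directory %s does not exist" % path]
    if stat.S_ISLNK(st.st_mode):
        return ["%s is a symlink; it should be a real directory" % path]
    if not stat.S_ISDIR(st.st_mode):
        return ["%s is not a directory" % path]
    problems = []
    if os.listdir(path):
        problems.append("%s is not empty" % path)
    if (st.st_uid, st.st_gid) != (uid, gid):
        problems.append("%s is owned by %d:%d, expected %d:%d"
                        % (path, st.st_uid, st.st_gid, uid, gid))
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("%s is group- or world-writable" % path)
    return problems


def demo(populate=False):
    """Self-contained run: a fresh temporary directory owned by the current user
    stands in for the privsep home, so this works without root or a real gsisshd account."""
    path = tempfile.mkdtemp(prefix="gsisshd-home-")
    try:
        if populate:
            # a stray file makes the directory non-empty, which the check must flag
            open(os.path.join(path, "stray-file"), "w").close()
        return check_home(path, os.geteuid(), os.getegid())
    finally:
        shutil.rmtree(path)


if __name__ == "__main__":
    problems = check_account(PRIVSEP_USER)
    if not problems:
        pw = pwd.getpwnam(PRIVSEP_USER)
        # assumption: the home directory belongs to the gsisshd account itself
        problems += check_home(pw.pw_dir, pw.pw_uid, pw.pw_gid)
    for line in problems or ["ok: %s account, group and home directory look correct" % PRIVSEP_USER]:
        print(line)
```

Run it as root on the target host before `yum install`; a non-empty problem list means the RPM post-install scripts or sshd's privilege-separation checks are likely to trip on that host.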
For more details on overall firewall configuration, please see our Firewall documentation. You'll also find more client-specific details in the Firewall section of this document.
The OSG RPMs currently support Red Hat Enterprise Linux 5, 6, 7, and variants (see details).
OSG RPMs are distributed via the OSG yum repositories. Some packages depend on packages distributed via the EPEL repositories, so both repositories must be enabled.
- Install the EPEL repository, if not already present. Note: This enables EPEL by default. Choose the right version to match your OS version.
# EPEL 5 (For RHEL 5, CentOS 5, and SL 5)
[root@client ~]$ curl -O https://dl.fedoraproject.org/pub/epel/epel-release-latest-5.noarch.rpm
[root@client ~]$ rpm -Uvh epel-release-latest-5.noarch.rpm
# EPEL 6 (For RHEL 6, CentOS 6, and SL 6)
[root@client ~]$ rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
# EPEL 7 (For RHEL 7, CentOS 7, and SL 7)
[root@client ~]$ rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
WARNING: if you have your own mirror or configuration of the EPEL repository, you MUST verify that the OSG repository has a better yum priority than EPEL (details). Otherwise, you will have strange dependency resolution (depsolving) issues.
Install the Yum priorities package
For packages that exist in both OSG and EPEL repositories, it is important to prefer the OSG ones or else OSG software installs may fail. Installing the Yum priorities package enables the repository priority system to work.
Choose the correct package name based on your operating system's major version:
- For EL 5 systems, use yum-priorities
- For EL 6 and EL 7 systems, use
Install the Yum priorities package:
[root@client ~]$ yum install PACKAGE
Replace PACKAGE with the package name from the previous step.
Ensure that /etc/yum.conf has the following line in the [main] section (particularly when using ROCKS), thereby enabling Yum plugins, including the priorities one:
plugins=1
NOTE: If you do not have the required GPG key, you can force the installation using
yum install --nogpgcheck yum-priorities.
Install OSG Repositories
If you are upgrading from OSG 3.1 (or 3.2) to OSG 3.2 (or 3.3), remove the old OSG repository definition files and clean the Yum cache:
[root@client ~]$ yum clean all
[root@client ~]$ rpm -e osg-release
This step ensures that local changes to *.repo files will not block the installation of the new OSG repositories. After this step, *.repo files that have been changed will exist in /etc/yum.repos.d/ with the *.rpmsave extension. After installing the new OSG repositories (the next step) you may want to apply any changes made in the *.rpmsave files to the new *.repo files.
Install the OSG repositories using one of the following methods depending on your EL version:
For EL versions greater than EL5, install the release RPM directly from its URL:
[root@client ~]$ rpm -Uvh URL
where URL is one of the following:
For EL5, download the repo file and install it using the following:
[root@client ~]$ curl -O https://repo.grid.iu.edu/osg/3.2/osg-3.2-el5-release-latest.rpm
[root@client ~]$ rpm -Uvh osg-3.2-el5-release-latest.rpm
For more details, please see our yum repository documentation
Start by installing GSI OpenSSH from the repository:
[root@client ~]$ yum install gsi-openssh-server gsi-openssh-clients
In addition, you'll need to install CA certificates in order for GSI OpenSSH to work. You can follow the instructions below to install them:
Install the CA Certificates: A quick guide
You must perform one of the following commands to select this host's CA certificates.
RPM indicates you will be manually installing the CA certificates on the node.
RPM provides a cron script that automatically downloads CA updates, and requires further configuration.
- If you use options 1 or 2, you will need to run "yum update" to get the latest version of the CAs when they are released. With option 4, a cron service is provided which always downloads the updated CA package for you.
- If you use services like Apache's httpd, you must restart them after each update of the CA certificates; otherwise they will continue to use the old version of the CA certificates.
For more details and options, please see our CA certificates documentation
Configuration and Operations
The gsisshd service or process uses the following certificate and key files:
- Host certificate
- Key certificate
- RSA host key
- DSA host key
In order to get a running instance of the GSI OpenSSH server, you'll need to change the default configuration. However, before you go any further, you'll need to decide whether you want GSI OpenSSH to be your primary SSH service or not (i.e. whether the GSI OpenSSH service will replace your existing SSH service). If you choose not to replace your existing service, you'll need to change the port setting in the GSI OpenSSH configuration to another port (e.g. 2222) so that you can run both SSH services at the same time. Regardless of your choice, you should have both services use the same host key. In order to do this, symlink
- Regardless of the authorization method used for the user, any account that will be used with GSI OpenSSH must have a shell assigned to it and must not be locked (a locked account has !! in the password field of
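The two requirements in the paragraph above (a distinct port if sshd stays in place, and the same host key for both services) can be verified from the two server configuration files. The following is an added example, not OSG's or GSI OpenSSH's code; the two sshd_config excerpts are constructed for the demonstration, and the parser implements only the plain "Keyword value" form of the sshd_config format (comment lines, case-insensitive keywords, repeatable Port and HostKey), not Match blocks or Include.

```python
"""Check that a GSI OpenSSH server config can coexist with the regular sshd config.

Added example (not OSG/GSI OpenSSH code). Config snippets below are constructed.
"""
import os
import re

SSHD_CONFIG = """\
# constructed /etc/ssh/sshd_config excerpt
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
"""

GSISSHD_CONFIG_BAD = """\
# constructed gsisshd config: port change still commented out, own key files
#Port 2222
HostKey /etc/gsissh/ssh_host_rsa_key
"""

GSISSHD_CONFIG_GOOD = """\
# constructed gsisshd config after following the advice above
Port 2222
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
"""

# "Keyword value" or "Keyword=value"; keywords are case-insensitive in sshd_config
_OPT_RE = re.compile(r"^(?P<key>[^\s=]+)(?:\s*=\s*|\s+)(?P<value>.+?)\s*$")


def parse_sshd_config(text):
    """Return {keyword_lower: [value, ...]} in file order; blank and # lines are skipped."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPT_RE.match(line)
        if not m:
            continue  # keyword without a value; sshd would reject it, we just skip it
        options.setdefault(m.group("key").lower(), []).append(m.group("value"))
    return options


def check_coexistence(sshd_text, gsisshd_text, realpath=os.path.realpath):
    """Return a list of problems; an empty list means the two services listen on
    different ports and gsisshd presents only host keys that sshd also uses.

    realpath resolves the symlink the page recommends, so /etc/gsissh/... pointing
    at /etc/ssh/... counts as the same key on a real host."""
    sshd = parse_sshd_config(sshd_text)
    gsi = parse_sshd_config(gsisshd_text)
    problems = []

    # sshd's built-in default when Port is not set is 22
    clash = set(sshd.get("port", ["22"])) & set(gsi.get("port", ["22"]))
    if clash:
        problems.append("port clash: both services listen on %s" % ", ".join(sorted(clash)))

    sshd_keys = {realpath(p) for p in sshd.get("hostkey", [])}
    gsi_keys = {realpath(p) for p in gsi.get("hostkey", [])}
    if not gsi_keys:
        problems.append("gsisshd sets no HostKey; it will fall back to its own default key files")
    elif not sshd_keys:
        problems.append("sshd sets no HostKey; cannot confirm the host key is shared")
    else:
        unshared = gsi_keys - sshd_keys
        if unshared:
            problems.append("host key(s) not shared with sshd: %s" % ", ".join(sorted(unshared)))
    return problems


if __name__ == "__main__":
    for label, cfg in (("bad", GSISSHD_CONFIG_BAD), ("good", GSISSHD_CONFIG_GOOD)):
        print(label, check_coexistence(SSHD_CONFIG, cfg) or "ok")
```

On a real host, read the two files into `sshd_text` and `gsisshd_text` and keep the default `realpath`; in the stand-alone run the constructed paths do not exist, so the comparison is purely on the configured strings. A second host key reachable only by gsisshd is worth flagging because clients that learned the host key through one service would see a changed key through the other.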
In order to use mappings, you'll need to create them in your mapping file for the DNs that you will allow to log in. The mappings should be entered one to a line, with each line consisting of a DN followed by the account the DN should map to. Also, you should ensure that the
file is empty or that all of the lines in the file are commented out using a # at the beginning of the line.
- The mappings do not consider VOMS extensions, so the first mapping that matches will be used regardless of the VO or VO role present in the user's proxy.
An example mapping line:
"/DC=org/DC=doegrids/OU=People/CN=USER NAME 123456" useraccount
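Because the first matching line wins and VOMS attributes are ignored, a mapping file is worth auditing for duplicate DNs: a second entry for the same DN is dead configuration that can mislead whoever reads the file. The parser below is an added example, not OSG's or Globus's mapfile code. It assumes the line format shown above (a double-quoted DN, whitespace, a single account name, with # starting a comment line); the sample file is constructed.

```python
"""Parse a DN-to-account mapping file and resolve DNs with first-match-wins semantics.

Added example (not OSG/Globus code). Assumes the quoted-DN line format shown on
the page and a single account per line. The sample mapfile is constructed.
"""
import re

SAMPLE_MAPFILE = """\
# Constructed sample; lines starting with # are ignored.
"/DC=org/DC=doegrids/OU=People/CN=USER NAME 123456" useraccount
"/DC=org/DC=example/OU=People/CN=Alice Example 111111" alice
# The next line repeats Alice's DN: it is never reached, because the first match wins.
"/DC=org/DC=example/OU=People/CN=Alice Example 111111" shared
"""

# a double-quoted DN, whitespace, then one account name and nothing else
_LINE_RE = re.compile(r'^\s*"(?P<dn>[^"]+)"\s+(?P<account>\S+)\s*$')


def parse_mapfile(text):
    """Return (mappings, bad_lines): mappings is a list of (dn, account) in file
    order; bad_lines lists (line_number, line) for lines that do not fit the format."""
    mappings, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            bad.append((lineno, line))
            continue
        mappings.append((m.group("dn"), m.group("account")))
    return mappings, bad


def resolve(mappings, dn):
    """Account for dn, or None: the first entry whose DN matches exactly wins,
    and nothing about the proxy's VO or role is consulted."""
    for mapped_dn, account in mappings:
        if mapped_dn == dn:
            return account
    return None


def duplicate_dns(mappings):
    """DNs that appear more than once, with every account they were mapped to.
    Only the first account ever takes effect; the rest are dead configuration."""
    seen = {}
    for dn, account in mappings:
        seen.setdefault(dn, []).append(account)
    return {dn: accounts for dn, accounts in seen.items() if len(accounts) > 1}


if __name__ == "__main__":
    mappings, bad = parse_mapfile(SAMPLE_MAPFILE)
    for lineno, line in bad:
        print("line %d unparsable: %s" % (lineno, line))
    for dn, accounts in duplicate_dns(mappings).items():
        print("duplicate DN %s -> %s (only %s is effective)" % (dn, accounts, accounts[0]))
    print(resolve(mappings, "/DC=org/DC=example/OU=People/CN=Alice Example 111111"))
```

To audit a real file, pass its contents to `parse_mapfile` and report both `bad` and `duplicate_dns`; an unparsable line is silently useless to the server, and a duplicate with a different account is the usual source of "why is this user mapped to the wrong account" questions.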
In order to use LCMAPS callouts with GSI OpenSSH, you'll first need to edit
to indicate that Globus should do a GSI callout for authorization. The file should contain the following line so that LCMAPS is used:
globus_mapping liblcas_lcmaps_gt4_mapping.so lcmaps_callout
Next, install the LCMAPS RPMs:
[root@client ~]$ yum install lcmaps lcas-lcmaps-gt4-interface
Finally, you'll need to modify
so that the
entry has the correct endpoint for your GUMS server.
To start the services:
- To start GSI OpenSSH you can use the service command, e.g.:
[root@client ~]$ /sbin/service gsisshd start
You should also enable the appropriate services so that they are automatically started when your system is powered on:
To stop the services:
- To stop GSI OpenSSH you can use:
[root@client ~]$ /sbin/service gsisshd stop
In addition, you can disable services by running the following commands. However, you don't need to do this normally.
You can get information on troubleshooting errors on the NCSA page
To troubleshoot LCMAPS authorization, you can add the following to
and choose a higher debug level:
# level 0: no messages, 1: errors, 2: also warnings, 3: also notices,
# 4: also info, 5: maximum debug
Output goes to
After starting the gsisshd service you can check that it is running correctly:
[user@client ~]$ grid-proxy-init
Your identity: /DC=org/DC=doegrids/OU=People/CN=User Name
Enter GRID pass phrase for this identity:
Creating proxy .................................................................. Done
[user@client ~]$ gsissh localhost -p 2222
Last login: Tue Sep 18 16:08:03 2012 from itb4.uchicago.edu
How to get help
To get assistance, please use this Help Procedure.
- 13 Sep 2012