Installing GSI OpenSSH

About This Document

This document gives instructions on installing and using the GSI OpenSSH server available in the OSG repository and configuring it so that you can use on your cluster.

Engineering Considerations


Host and OS

The GSI OpenSSH rpms will require an user account and group in order for the privilege separation to work.

Users and Groups

The RPM installation will try to create the gsisshd user and group and the /var/empty/gsisshd directory with the correct ownership if they are not present. If you are using a configuration management system or ROCKS, you should make sure that these users and groups are created before installing the RPMs to avoid potential issues. The gsisshd user should have an empty home directory. By default, this is home directory set to /var/empty/gsisshd and belongs to the gsisshd user and group. You may change it if needed to something else as long as the ownerships remain the same.


For more details on overall Firewall configuration, please see our Firewall documentation.

Service Name Protocol Port Number Inbound Outbound Comment
GSISSH tcp/udp 22 or 2222 Y    

You'll find more client specific details also in the Firewall section of this document.

Installation procedure

GSI OpenSSH Installation

Start with installing GSI OpenSSH from the repository
[root@client ~]$ yum install gsi-openssh-server gsi-openssh-clients

In addition, you'll need to install CA certificates in order for GSIOpenSSH to work. You can follow the instructions below in order to install them:

Install the CA Certificates: A quick guide

You must perform one of the following yum commands below to select this host's CA certificates.

Set of CAs CA certs name Installation command (as root)
OSG osg-ca-certs yum install osg-ca-certs Recommended
IGTF igtf-ca-certs yum install igtf-ca-certs
None* empty-ca-certs yum install empty-ca-certs --enablerepo=osg-empty
Any** Any yum install osg-ca-scripts

* The empty-ca-certs RPM indicates you will be manually installing the CA certificates on the node.
** The osg-ca-scripts RPM provides a cron script that automatically downloads CA updates, and requires further configuration.

If you use options 1 or 2, then you will need to run "yum update" in order to get the latest version of CAs when they are released. With option 4 a cron service is provided which will always download the updated CA package for you.

If you use services like Apache's httpd you must restart them after each update of the CA certificates, otherwise they will continue to use the old version of the CA certificates.
For more details and options, please see our CA certificates documentation.

Configuration and Operations

Useful configuration and log files

Configuration Files

Service or Process Configuration File Description
gsisshd /etc/gsissh/sshd_config Configuration file
gsisshd /etc/sysconfig/gsisshd Environment variables for gsisshd
gsisshd /etc/lcmaps.db LCMAPS configuration

Log Files

Service or Process Log File Description
gsisshd /var/log/messages All log messages

Other Files

Service or Process File Description
gsisshd /etc/grid-security/hostcert.pem Host certificate
gsisshd /etc/grid-security/hostcert.pem Key certificate
gsisshd /etc/gsissh/ssh_host_rsa_key RSA Host key
gsisshd /etc/gsissh/ssh_host_dsa_key DSA Host key


In order to get a running instance of the GSI OpenSSH server, you'll need to change the default configuration. However, before you go any further, you'll need to decide whether you want GSI OpenSSH to be your primary ssh service or not (e.g. whether the GSI OpenSSH service will replace your existing SSH service). If you choose not to replace your existing service, you'll need to change the port setting in the GSI OpenSSH configuration to another port (e.g. 2222) so that you can run both SSH services at the same time. Regardless of your choice, you should probably have both services use the same host key. In order to do this, symlink /etc/gsissh/ssh_host_dsa_key and /etc/gsissh/ssh_host_rsa_key to /etc/ssh/ssh_host_dsa_key and /etc/ssh/ssh_host_rsa_key respectively.

Regardless of the authorization method used for the user, any account that will be used with GSI OpenSSH must have a shell assigned to it and not be locked (have !! in the password field of /etc/shadow).

Using a gridmap file for authorization

In order to use , you'll need to create mappings in your /etc/grid-security/grid-mapfile for the DNs that you will allow to login. The mappings should be entered one to a line, with each line consisting of DN followed by the account the DN should map to. Also, you should ensure that the /etc/grid-security/gsi-authz.conf file is empty or that all of the lines in the file are commented out using a # at the beginning of the line.

The mappings will not consider VOMS extensions so the first mapping that matches will be used regardless of the VO role or VO present in the users proxy

An example of the /etc/grid-security/grid-mapfile follows:

"/DC=org/DC=doegrids/OU=People/CN=USER NAME 123456" useraccount

Using LCMAPS and GUMS for authorization

In order to use LCMAPS callouts with GSI OpenSSH, you'll first need to edit /etc/grid-security/gsi-authz.conf to indicate that Globus should do a GSI callout for authorization. The file should contain the following:
globus_mapping lcmaps_callout
so that LCMAPS is used. Next, install the lcmaps rpms:
[root@client ~]$ yum install lcmaps lcas-lcmaps-gt4-interface
Finally, you'll need to modify /etc/lcmaps.db so that the gumsclient entry has the correct endpoint for your gums server.

Starting and Enabling Services

To start the services:
  1. To start GSI OpenSSH you can use the service command, e.g.:
    [root@client ~]$ /sbin/service gsisshd start

You should also enable the appropriate services so that they are automatically started when your system is powered on:

  • To enable OpenSSH by default on the node:
    [root@client ~]$ /sbin/chkconfig gsisshd on

Stopping and Disabling Services

To stop the services:
  1. To stop OpenSSH you can use:
    [root@client ~]$ /sbin/service gsisshd stop

In addition, you can disable services by running the following commands. However, you don't need to do this normally.

  • Optionally, to disable OpenSSH:
    [root@client ~]$ /sbin/chkconfig gsisshd off


You can get information on troubleshooting errors on the NCSA page.

To troubleshoot LCMAPS authorization, you can add the following to /etc/sysconfig/gsisshd and choose a higher debug level:

# level 0: no messages, 1: errors, 2: also warnings, 3: also notices,
#  4: also info, 5: maximum debug
Output goes to /var/log/messages by default.

Test GSI OpenSSH

After starting the gsisshd service you can check if it is running correctly

[user@client ~]$ grid-proxy-init
Your identity: /DC=org/DC=doegrids/OU=People/CN=User Name
Enter GRID pass phrase for this identity:
Creating proxy .................................................................. Done
[user@client ~]$ gsissh localhost -p 2222
Last login: Tue Sep 18 16:08:03 2012 from
[user@client ~]$  

How to get Help?

To get assistance please use this Help Procedure.



-- SuchandraThapa - 13 Sep 2012

Topic revision: r18 - 06 Dec 2016 - 18:12:42 - KyleGross
Hello, TWikiGuest!


TWiki | Report Bugs | Privacy Policy

This site is powered by the TWiki collaboration platformCopyright by the contributing authors. All material on this collaboration platform is the property of the contributing authors..