XSEDE GSI OpenSSH Installation Guide

Background Information

Supported Platforms

The entirety of the configuration described in this document can be applied to any RPM based platform supported by the Globus Toolkit release 6.0. This includes CentOS, RedHat, and SLES11 platforms used by XSEDE resources.

Important Notes

If you are installing the GSI OpenSSH server on a system with the XSEDE Globus client (globus-client-xsede) installed on it, you will need to update the package first to the r4 release to get the latest patches that will be compatible with the XSEDE GSI OpenSSH server release. I.e.,

   # yum clean expire-cache
   # yum update globus-client-xsede 
or
   # zypper refresh
   # zypper update globus-client-xsede
      

Installing

Trusting the XSEDE Repo

The XSEDE Repository provides source and binary RPM packages for XSEDE platforms (RHEL, CentOS, and SLES). Some XSEDE packages (including the XSEDE distribution of GSI OpenSSH) have dependencies on packages contained in the Globus repository. Thus, to install XSEDE distributed GSI OpenSSH, you must first tell your machine to trust an XSEDE repository, and a Globus repository. This is done by installing the appropriate configuration rpm for Globus from http://toolkit.globus.org/ftppub/gt6/installers/repo/ and the appropriate configuration rpm from XSEDE from http://software.xsede.org/production/repo/repos/. Once you have gotten the appropriate configuration rpms from the links above, install them with:

   # rpm -i XSEDE-Production-config.$OPERATING_SYSTEM.noarch.rpm
   # rpm -i globus-toolkit-repo-latest.noarch.rpm
or
   # zypper install ./XSEDE-Production-config.$OPERATING_SYSTEM.noarch.rpm
   # zypper install ./globus-toolkit-repo-latest.noarch.rpm

You should get a warning that looks like:

warning: XSEDE-Production-config.centos-5-1.noarch.rpm: Header V3 DSA signature: NOKEY, key ID 20423dbb

This is a gpg trust bootstrapping issue because until you install the above RPMs, RPM doesn't know which gpg key(s) to trust. The above RPMs install the PGP keys that are needed, but one has to run these commands for RPM to formally recognize them:

   # rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-Globus
   # rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-XSEDE-Production
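
A check for the bootstrapping step above, as an added example that is not part of the XSEDE documentation: it confirms that the key ID named in the NOKEY warning is among the keys rpm lists as imported. The function names and the two key listings are constructed for illustration; the warning line is the one shown on this page.

```shell
# Added example: check that the key ID named in rpm's NOKEY warning is one of
# the keys rpm has imported. Inputs are text, so the logic runs offline; on a
# real host pass the warning line and the output of: rpm -q gpg-pubkey

# Print the 8-hex-digit key ID from a signature warning line, lowercased.
warning_key_id() {
    printf '%s\n' "$1" |
        sed -n 's/.*key ID \([0-9A-Fa-f]\{8\}\).*/\1/p' | tr 'A-F' 'a-f'
}

# Imported keys are listed as pseudo-packages named gpg-pubkey-<keyid>-<created>.
# $1 = warning line, $2 = rpm -q gpg-pubkey output.
# Returns 0 if imported, 1 if not, 2 if the line carries no key ID.
key_is_imported() {
    id=$(warning_key_id "$1")
    [ -n "$id" ] || return 2
    printf '%s\n' "$2" | tr 'A-F' 'a-f' | grep -q "^gpg-pubkey-$id-" || return 1
}

# Warning line from this page; the two key listings are constructed samples.
WARNING='warning: XSEDE-Production-config.centos-5-1.noarch.rpm: Header V3 DSA signature: NOKEY, key ID 20423dbb'
BEFORE_IMPORT='package gpg-pubkey is not installed'
AFTER_IMPORT='gpg-pubkey-0a1b2c3d-4e5f6a7b
gpg-pubkey-20423dbb-4a000000'

for listing in "$BEFORE_IMPORT" "$AFTER_IMPORT"; do
    if key_is_imported "$WARNING" "$listing"; then
        echo "key $(warning_key_id "$WARNING") is imported"
    else
        echo "key $(warning_key_id "$WARNING") is NOT imported"
    fi
done
# A short key ID only identifies a candidate key: compare the full fingerprint
# of the imported key with one obtained from the repository operator.
```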

NOTE: If you need the Development version for testing, you will need to configure your system to use the XSEDE-Development repository by following this procedure https://software.xsede.org/development/repo/repoconfig.txt

Installing GSI OpenSSH RPMs

On RedHat based platforms, the command to install the latest GSI OpenSSH server and client from the repository configured above is:

   # yum install --disablerepo=epel gsi-openssh-server-xsede 

Note: If you do not have the EPEL repository configured on your system, you can leave off "--disablerepo=epel".

On SLES platforms, the proper command to install the latest GSI OpenSSH server from the configured repository is:

   # zypper install gsi-openssh-server-xsede 

Updating GSI OpenSSH RPMs

If you have already installed the GSI OpenSSH metapackage, but wish to update to the most recent release, the command is exactly the same as to install; yum will prompt you with a list of packages that will be updated as a result, and ask you whether or not you wish to install them. Select "y" at the prompt.

Installing on Solaris

There are no binaries provided for the Globus Toolkit version 6.0 for Solaris. You should install using the source installer as documented here

Install Host Certificate

Obtain a valid host certificate and install in the default locations: /etc/grid-security/hostcert.pem and /etc/grid-security/hostkey.pem

Install Trusted CA certificates

CA certificates trusted by XSEDE are available in an RPM from the XSEDE software repository. The RPM can be installed using yum as below. The certificates will be installed by default into /etc/grid-security/certificates.

   # yum install xsede-ca-certificates

Configuring

The following suggested configuration options are provided in /etc/gsissh/sshd_config.xsede which may be copied to /etc/gsissh/sshd_config with any additional site-specific customization:

For more configuration instructions, see http://grid.ncsa.illinois.edu/ssh/. For HPN info see HPN-FAQ, HPN-README. For iSSHD(NERSCmod), see Instrumented SSH. Also consult the change logs for the OpenSSH Portable, HPN, iSSHD and GSI versions at the respective sites for the versions of these incorporated into this release. The specific versions of these components can be obtained by running:

gsissh -V

While the underlying OpenSSH doesn't support TCP Wrappers any more, this GSI-OpenSSH release adds it back.

If you want to support other SSH authentication methods on your GSI OpenSSH server, please see this FAQ.

Operating

Follow operating instructions at http://grid.ncsa.illinois.edu/ssh/.

Testing

Simple tests to check that your GSI OpenSSH server is operating

Log in to login.xsede.org.

Then 'gsissh' to your server. You will need to configure your GSI OpenSSH server to accept your XSEDE certificate used when you ssh from login.xsede.org, i.e., make sure you have an entry for your certificate in /etc/grid-security/grid-mapfile.

Installing to alternate locations

There are times when it may be necessary to run a second instance or an alternate install of a different version of the Globus Toolkit Client, or when it might be inconvenient to install from RPM (for example, shared network installations). To make this easy, we have created binary tarballs directly from the binaries contained in the Globus Toolkit v6 RPMs. They are available in the directory tree here: http://software.xsede.org/development/gsi-openssh-server-xsede/gsi-openssh-server-xsede-7.5p1b-1/binary-tgz/. Choose the appropriate tarball (the "el" directory is used for both CentOS and RedHat Enterprise Linux), and untar it in an appropriate location (such as /soft/local/gsi_openssh_server_xsede-7.5p1b-1/ ). To use such a binary installation, you will need to modify the Modules file to set some additional environment variables.

Replace /path/to/installation/ with the actual path to your installation:

$ cat << EOF > gsi-openssh-server-xsede.module
#%Module1.0####################################################################
# The here-document is unquoted: the dollar signs below are escaped so they
# reach the modulefile, and the shell runs the GLOBUS_HOSTNAME command when
# this file is generated.

proc ModulesHelp { } {
global _module_name
puts stderr "The \$_module_name modulefile defines the default system paths and"
puts stderr "environment variables needed to use the \$_module_name libraries and tools."
puts stderr ""
}

set _module_name        [module-info name]
module-whatis "gsi openssh server xsede 7.5 "
prepend-path         GLOBUS_LOCATION /path/to/installation
setenv          GLOBUS_HOSTNAME `/path/to/installation/bin/set-globus-hostname`
setenv          GLOBUS_PATH     /path/to/installation
prepend-path    LD_LIBRARY_PATH        /path/to/installation/lib
prepend-path    LIBPATH                /path/to/installation/lib
prepend-path    SHLIB_PATH             /path/to/installation/lib
prepend-path    MANPATH                /path/to/installation/man
prepend-path    PATH                   /path/to/installation/bin:/path/to/installation/sbin
setenv  RSHCOMMAND             /usr/bin/ssh
setenv  MYPROXY_SERVER         myproxy.teragrid.org
EOF

XSEDE GSI OpenSSH Service Availability Publishing

XSEDE service providers (SPs) must publish information about GSI OpenSSH services they want XSEDE users to be able to discover and use.

All the information that SPs publish about services, including GSI OpenSSH services, is entered by SPs into text files on their resources. Information in these files is in a standard format defined by the IPF package used to publish software and service information into XSEDE central information services.

Steps for creating and updating a GSI OpenSSH service published information file.

  1. Create a file for each unique GSI OpenSSH endpoint with the contents of the example below, by copying a previous similar file, or by copying a TeraGrid kit GSI OpenSSH service publishing file (see “NOTE about TeraGrid compatibility” below). Each unique hostname plus port is a unique GSI OpenSSH endpoint.

    All XSEDE service publishing files live in a single directory. We recommend /etc/ipf/services/ (or $IPF/etc/services if your IPF was a non-RPM install), though you could place them anywhere. This directory must match the SERVICEPATH configured during the IPF installation.

    The file can have any unique name, though we recommend this name format: “org.globus.openssh-[-].conf”.

    Each non-comment line should have the format “keyword = value”, where value is double quoted if it contains special characters.

    Example of a GSI OpenSSH published information file:
    ______________________________________________________________________________
    
    #%Service1.0###################################################################
    ##
    ## $SERVICEPATH/org.globus.openssh-6.0.1.conf
    ##
    
    Name = org.globus.openssh
    Version = 7.5p1b
    Endpoint = your_hostname.site.xsede.org:2222
    Capability = login.remoteshell
    Capability = login.remoteshell.gsi
    SupportStatus = testing
    
    ______________________________________________________________________________
    
  2. Update the file with the following base fields:
    • Name must be “org.globus.openssh”, which is the GLUE2 Primary protocol name.
    • Version should be your GSI OpenSSH server version.
    • Endpoint must include the public hostname and optional port in the example format. Explicitly specifying the default port of 22 is recommended. Alternate or testing servers may run on alternate ports.
    • One or more Capability lines, each containing one of the values in this table.

    Table of valid Name, Version, and Capability values for GSI OpenSSH services:

        Name                  Version      Capability
        org.globus.openssh    {5,6}.y.z    login.remoteshell
                                           login.remoteshell.gsi
                                           login.remoteshell.xu2fa
                                           login.remoteshell.sshpubkey
                                           login.remoteshell.xkrb

    • A SupportStatus of development, testing, or production. If SupportStatus is not supplied, your service status is your resource’s RDR status.

  3. Once your IPF software provider has run, confirm that your GSI OpenSSH service is listed at: https://info1.dyn.xsede.org:443/wh1/glue2-views-api/v1/services/InterfaceName/org.globus.openssh/

NOTE about TeraGrid compatibility: the standard format defined by the IPF package is (mostly) content and format compatible with the old TeraGrid kit service registration format. SPs with old TeraGrid kit GSI OpenSSH service registration files can migrate them to IPF using these instructions: http://software.xsede.org/development/ipf/ipf-xsede/latest/INSTALL
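
The field rules in steps 1 and 2 can be checked before the IPF provider runs. The following lint script is an added example, not part of the IPF package or the XSEDE documentation; the function name check_service_conf and the second, deliberately faulty input are constructed for illustration.

```shell
# Added example, not part of IPF: lint a service publishing file against the
# field rules in steps 1 and 2. Exit status 0 means no problems were found.
check_service_conf() {
    awk '
    function bad(msg) { print msg; errors++ }
    BEGIN {   # Capability values from the table in step 2
        caps["login.remoteshell"] = 1;       caps["login.remoteshell.gsi"] = 1
        caps["login.remoteshell.xu2fa"] = 1; caps["login.remoteshell.sshpubkey"] = 1
        caps["login.remoteshell.xkrb"] = 1
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }    # comments and blank lines
    {
        eq = index($0, "=")
        if (eq == 0) { bad("line " NR ": not in keyword = value form"); next }
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (val ~ /^".*"$/) val = substr(val, 2, length(val) - 2)  # unquote
        seen[key]++
        if (key == "Name" && val != "org.globus.openssh")
            bad("Name must be org.globus.openssh, got " val)
        else if (key == "Endpoint" && val !~ /^[A-Za-z0-9._-]+(:[0-9]+)?$/)
            bad("Endpoint must be hostname[:port], got " val)
        else if (key == "Capability" && !(val in caps))
            bad("unknown Capability " val)
        else if (key == "SupportStatus" && val !~ /^(development|testing|production)$/)
            bad("SupportStatus must be development, testing, or production, got " val)
    }
    END {
        if (!seen["Name"])       bad("missing Name")
        if (!seen["Version"])    bad("missing Version")
        if (!seen["Endpoint"])   bad("missing Endpoint")
        if (!seen["Capability"]) bad("need at least one Capability line")
        exit (errors > 0)
    }' "$@"
}
# The example file from this page: passes with no output.
check_service_conf <<'EOF'
Name = org.globus.openssh
Version = 7.5p1b
Endpoint = your_hostname.site.xsede.org:2222
Capability = login.remoteshell
Capability = login.remoteshell.gsi
SupportStatus = testing
EOF
# Constructed bad file: wrong status, unlisted capability, no Version.
printf '%s\n' 'Name = org.globus.openssh' 'Endpoint = host.example.org:22' \
    'Capability = login.remoteshell.password' 'SupportStatus = beta' \
    | check_service_conf || true
```

The function reads the files named as arguments, or standard input when none is given, and prints one line per problem found.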