XSEDE GSI OpenSSH Installation Guide

Last revised: 2020-12-18

Background

The Globus Project has turned support for the Globus Toolkit over to the community. The Grid Community Forum took over Globus Toolkit support and renamed it as the Grid Community Toolkit (GCT), which it now distributes via Extra Packages for Enterprise Linux (EPEL) repositories.

On December 31, 2020, XSEDE will no longer support the Globus Toolkit, and will instead support the GCT.


Installation Instructions

Use these instructions to install the latest GCT GSI OpenSSH from EPEL on an XSEDE resource.

Patches

As of OpenSSH versions 7.4p1-6 for EPEL 7 and 8.0pl1-5 for EPEL 8, GCT includes the HPN patch, but it does not include the iSSHD logging patch. If you need iSSHD, install old unsupported XSEDE binaries, or patch newer GCT source and build your own binaries.

Supported Distributions

These instructions apply to all RPM-based GCT distributions, including the CentOS and Red Hat distributions used on XSEDE resources.

Co-dependencies

If you are installing the GSI OpenSSH server on a system that already has the XSEDE Globus Client (globus-client-xsede) installed, first update the client to the same release as the server so that it has the latest compatible patches, using the command(s):

    # yum clean expire-cache
    # yum update globus-client-xsede

Trusting the XSEDE Repo

XSEDE RPM repositories provide source and binary RPM meta-packages for XSEDE platforms (RHEL, CentOS, and SLES).

XSEDE GSI OpenSSH packages depend on GCT packages distributed via EPEL.

Install the XSEDE Repository

Install the appropriate XSEDE platform repository using these instructions:

Install the GCT Repository

Install the appropriate EPEL platform repository using these instructions:

Installing GSI OpenSSH RPMs

On Red Hat-based platforms, install from the repositories configured above using the command(s):

    # yum install gsi-openssh-server-xsede

Updating GSI OpenSSH RPMs

To update an existing installation to the most recent release, use the same install command; yum will prompt you with a list of packages that will be updated, and ask you whether or not you wish to install them. Select "y" at the prompt.

Install Host Certificate

Obtain an IGTF Server Certificate using these instructions:

and install them to the default locations:

    /etc/grid-security/hostcert.pem
    /etc/grid-security/hostkey.pem

Install Trusted CA certificates

CA certificates trusted by XSEDE are available in XSEDE RPM repositories. Install them into the default /etc/grid-security/certificates location using the command(s):

    # yum install xsede-ca-certificates

Configuration Instructions

The following suggested configuration options are provided in /etc/gsissh/sshd_config.xsede which may be copied to /etc/gsissh/sshd_config with any additional site-specific customization:

For more configuration instructions, see: http://grid.ncsa.illinois.edu/ssh/.

For HPN info see HPN-FAQ, HPN-README.

For information about iSSHD (NERSCmod), see Instrumented SSH.

Also consult the change logs for the OpenSSH Portable, HPN, and GSI versions at the respective sites for the versions of these incorporated into this release.

The specific versions of these components can be obtained by running:

    gsissh -V

To support other SSH authentication methods see: FAQ.

Operating Instructions

Follow operating instructions at:

Testing Instructions

To check that your GSI OpenSSH server is operating normally:

Log in to login.xsede.org.

Then 'gsissh' to your server. You will need to configure your GSI OpenSSH server to accept your XSEDE certificate used when you ssh from login.xsede.org, i.e., make sure you have an entry for your certificate in /etc/grid-security/grid-mapfile.

XSEDE Service Publishing

XSEDE service providers (SPs) must publish information about GSI OpenSSH servers so that users can discover and use them. Published information is entered by SPs into text files in the format shown below and published using IPF to XSEDE central information services.

Steps for creating and updating a GSI OpenSSH service published information file:

  1. Create a file for each unique GSI OpenSSH endpoint with the contents of the example below, by copying a previous similar file. Each unique hostname plus port is a unique GSI OpenSSH endpoint.

    All XSEDE service publishing files live in a single directory. We recommend /etc/ipf/services/ (or $IPF/etc/services if your IPF was a non-RPM install), though you could place them anywhere. This directory must match the SERVICEPATH configured during the IPF installation.

    The file can have any unique name, though we recommend this name format: org.globus.openssh-[-].conf

    Each non-comment line should have the format "keyword = value", where value is double quoted if it contains special characters.

    Example of a GSI OpenSSH published information file:
    ______________________________________________________________________________
    
    #%Service1.0###################################################################
    ##
    ## $SERVICEPATH/org.globus.openssh-6.0.1.conf
    ##
    
    Name = org.globus.openssh
    Version = 7.3p1c
    Endpoint = your_hostname.site.xsede.org:2222
    Capability = login.remoteshell
    Capability = login.remoteshell.gsi
    SupportStatus = testing
    
    ______________________________________________________________________________
    

  2. Update the file with the following base fields:
    • Name must be "org.globus.openssh" which is the GLUE2 Primary protocol name.
    • Version should be your GSI OpenSSH server version.
    • Endpoint must include the public hostname and optional port in the example format.
      Explicitly specifying the default port of 22 is recommended. Alternate or testing servers may run on alternate ports.
    • One or more Capability lines, each containing one of the values in this table.

      Table of valid Name, Version, and Capability values for GSI OpenSSH services:

        Name                  Version      Capability
        org.globus.openssh    {5,6}.y.z    login.remoteshell
                                           login.remoteshell.gsi
                                           login.remoteshell.xu2fa
                                           login.remoteshell.sshpubkey
                                           login.remoteshell.xkrb

    • A SupportStatus of development, testing, or production. If SupportStatus is not supplied, your service status is your resource's RDR status.

  3. Once your IPF software provider has run, confirm that your GSI OpenSSH service is listed at: https://info.xsede.org/wh1/glue2-views-api/v1/services/InterfaceName/org.globus.openssh
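
A pre-publication check for the file described in steps 1 and 2, as an added example that is not part of the original guide or of IPF: it parses the "keyword = value" lines and checks Name, Version, Endpoint, Capability and SupportStatus against the values listed above. The function names, the hostname[:port] pattern, and the rule of exactly one Endpoint line per file are assumptions of this example.

```python
import re

# Allowed values come from step 2 of this guide; the hostname[:port] regex is this example's own check.
VALID_CAPABILITIES = {"login.remoteshell" + s for s in ("", ".gsi", ".xu2fa", ".sshpubkey", ".xkrb")}
VALID_STATUS = {"development", "testing", "production"}
ENDPOINT_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?(?::(\d{1,5}))?$")

def parse_service_file(text):
    """Parse 'keyword = value' lines into {keyword: [values]} plus syntax errors."""
    fields, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            errors.append(f"line {lineno}: expected 'keyword = value'")
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # values with special characters are double quoted
        fields.setdefault(key.strip(), []).append(value)
    return fields, errors

def validate_service_file(text):
    """Return a list of problems; an empty list means the file passes."""
    fields, errors = parse_service_file(text)
    if fields.get("Name") != ["org.globus.openssh"]:
        errors.append('Name must be "org.globus.openssh"')
    if not fields.get("Version", [""])[0]:
        errors.append("Version is missing")
    endpoints = fields.get("Endpoint", [])
    match = ENDPOINT_RE.match(endpoints[0]) if len(endpoints) == 1 else None
    if not match:
        errors.append("Endpoint must be exactly one hostname[:port]")
    elif match.group(1) and not 1 <= int(match.group(1)) <= 65535:
        errors.append("Endpoint port out of range")
    caps = fields.get("Capability", [])
    if not caps:
        errors.append("at least one Capability line is required")
    errors += [f"unknown Capability: {c}" for c in caps if c not in VALID_CAPABILITIES]
    status = fields.get("SupportStatus", [])
    if status and (len(status) > 1 or status[0] not in VALID_STATUS):
        errors.append("SupportStatus must be development, testing, or production")
    return errors

SAMPLE = ("Name = org.globus.openssh\nVersion = 7.3p1c\nEndpoint = login.example.org:2222\n"
          "Capability = login.remoteshell.gsi\nSupportStatus = testing\n")  # constructed sample, placeholder host
print(validate_service_file(SAMPLE) or "sample file passes")
```

Running it over each file in the SERVICEPATH directory before the IPF publisher runs catches a mistyped Capability or SupportStatus locally rather than after publication.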