GSI OpenSSH Installation Guide

Last revised: 2020-09-11

Background Information

The Globus Project has turned support for the Globus Toolkit over to the community.

The community supported Toolkit is now called the Grid Community Toolkit, and is distributed via the EPEL package repositories.

The instructions below give options for installing GSI OpenSSH either entirely from unpatched Grid Community Toolkit packages, or with the HPN and iSSHD patches by using the Globus Toolkit packages.

There are two options for deploying GSI OpenSSH on your system:

OPTION 1: Latest GSI OpenSSH version from Grid Community Toolkit (GCT)

If you want the latest version of GSI OpenSSH and do not need the HPN or iSSHD patches, use GSI OpenSSH from the Grid Community Forum, which is distributed via the EPEL repo.

OPTION 2: GSI OpenSSH version 7.5p1b-1 with HPN and iSSHD support from XSEDE repo

If you want to install GSI OpenSSH from RPM and include the HPN performance and iSSHD logging patches, use the GSI OpenSSH from the Globus repo.

Note: XSEDE will not support packages from the Globus Toolkit after January 1, 2021.


XSEDE GSI OpenSSH Installation Guide

Supported Platforms

The following configuration can be applied to any RPM based platform supported by the Globus Toolkit v6, which includes the CentOS, RedHat, and SLES12 platforms used by XSEDE resources.

Important Notes

If you are installing the GSI OpenSSH server on a system with the XSEDE Globus client (globus-client-xsede) already installed, you will need to update that package first to the corresponding release to get the latest patches that are compatible with this XSEDE GSI OpenSSH server. I.e.,

# yum clean expire-cache
# yum update globus-client-xsede
or
# zypper refresh
# zypper update globus-client-xsede

Installation

Trusting the XSEDE Repo

The XSEDE Repository provides source and binary RPM packages for XSEDE platforms (RHEL, CentOS, and SLES). Some XSEDE packages (including the XSEDE distribution of GSI OpenSSH) have dependencies on Globus Toolkit packages. Globus Toolkit packages can be found at two different locations: the XSEDE mirror of the GT6 packages that the Globus Project has released, and in the Extra Packages for Enterprise Linux (EPEL), where the community supported "Grid Community Toolkit" (GCT) packages are distributed.

Install the XSEDE Repository

Install the appropriate XSEDE platform repository using these instructions:

To install development repository packages replace "/production/" with "/development/" in the above URL.

Install a Repository for Globus/GCT Toolkit packages

To use Grid Community Toolkit supported packages

Install the appropriate configuration files to enable EPEL for your distribution. The specific instructions for doing so can be found here.

To use (no longer supported) Globus Toolkit packages

Install the appropriate Globus platform repository on your machine from:

Replace "el7" with your platform in the following example:

# yum-config-manager --add-repo https://software.xsede.org/gt6/stable/repo/globus-toolkit-6-stable-el7.repo
# rpm --import https://software.xsede.org/gt6/stable/repo/RPM-GPG-KEY-Globus

Installing GSI OpenSSH RPMs

On RedHat based platforms, the command to install the latest GSI OpenSSH server and client from the repository configured above is:

# yum install gsi-openssh-server-xsede

Note: If you are using the Globus Toolkit (unsupported) packages, and also have the EPEL repository configured, you must use the following command to disambiguate which packages you will get:

# yum install --disablerepo=epel gsi-openssh-server-xsede

On SLES platforms, the proper command to install the latest GSI OpenSSH server from the configured repository is:

# zypper install gsi-openssh-server-xsede

Updating GSI OpenSSH RPMs

If you have already installed the GSI OpenSSH metapackage, but wish to update to the most recent release, the command is exactly the same as to install; yum will prompt you with a list of packages that will be updated as a result, and ask you whether or not you wish to install them. Select "y" at the prompt.

Install Host Certificate

Obtain an IGTF Server Certificate (instructions can be found here) and install it in the default locations: /etc/grid-security/hostcert.pem and /etc/grid-security/hostkey.pem
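
A pre-flight check for the host credential, added here as an example and not part of the GSI OpenSSH packages: it verifies that the key is readable only by its owner, that the certificate has not expired, and that certificate and key belong together. The function name check_host_cred is hypothetical, and the 400/600 mode rule is the usual GSI requirement for host keys rather than something stated in this guide.

```sh
# Added example: check the GSI host credential before starting the server.
# check_host_cred is a hypothetical helper; paths default to the locations above.
check_host_cred() {
    cert=${1:-/etc/grid-security/hostcert.pem}
    key=${2:-/etc/grid-security/hostkey.pem}
    rc=0
    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; return 2; }
    done
    # Assumption: the private key must not be accessible to group or others.
    mode=$(stat -c %a "$key")
    case $mode in 400|600) ;; *) echo "$key: mode $mode, expected 400 or 600"; rc=1 ;; esac
    # -checkend 0 exits non-zero when notAfter is already in the past.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "$cert: certificate has expired"; rc=1; }
    # The certificate and the key must carry the same public key.
    cpub=$(openssl x509 -in "$cert" -noout -pubkey)
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ "$cpub" = "$kpub" ] || { echo "certificate and key do not match"; rc=1; }
    return $rc
}

# Constructed demo: a throwaway self-signed pair, then the key made world-readable.
d=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=host.example.org" \
    -keyout "$d/hostkey.pem" -out "$d/hostcert.pem" 2>/dev/null
chmod 600 "$d/hostkey.pem"
check_host_cred "$d/hostcert.pem" "$d/hostkey.pem" && echo "credential ok"
chmod 644 "$d/hostkey.pem"
check_host_cred "$d/hostcert.pem" "$d/hostkey.pem" || echo "credential rejected"
rm -rf "$d"
```

Run with no arguments on the server, it checks the default paths and returns non-zero if any check fails.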

Install Trusted CA certificates

CA certificates trusted by XSEDE are available in an RPM from the XSEDE software repository. The RPM can be installed using yum as below. The certificates will be installed by default into /etc/grid-security/certificates.

# yum install xsede-ca-certificates

Configuring

The following suggested configuration options are provided in /etc/gsissh/sshd_config.xsede which may be copied to /etc/gsissh/sshd_config with any additional site-specific customization:

For more configuration instructions, see http://grid.ncsa.illinois.edu/ssh/. For HPN info see HPN-FAQ, HPN-README. For iSSHD(NERSCmod), see Instrumented SSH. Also consult the change logs for the OpenSSH Portable, HPN, iSSHD and GSI versions at the respective sites for the versions of these incorporated into this release. The specific versions of these components can be obtained by running:

gsissh -V

While the underlying OpenSSH doesn't support TCP Wrappers any more, this GSI-OpenSSH release adds it back.

If you want to support other SSH authentication methods on your GSI OpenSSH server, please see this FAQ.

Operating

Follow operating instructions at http://grid.ncsa.illinois.edu/ssh/.

Testing

Simple tests to check that your GSI OpenSSH server is operating

Log in to login.xsede.org.

Then 'gsissh' to your server. You will need to configure your GSI OpenSSH server to accept the XSEDE certificate you use when you ssh from login.xsede.org, i.e., make sure you have an entry for your certificate in /etc/grid-security/grid-mapfile.

XSEDE GSI OpenSSH Service Availability Publishing

XSEDE service providers (SPs) must publish information about GSI OpenSSH services they want XSEDE users to be able to discover and use.

All the information that SPs publish about services, including GSI OpenSSH services, is entered by SPs into text files on their resources. Information in these files is in a standard format defined by the IPF package used to publish software and service information into XSEDE central information services.

Steps for creating and updating a GSI OpenSSH service published information file.

  1. Create a file for each unique GSI OpenSSH endpoint with the contents of the example below, by copying a previous similar file. Each unique hostname plus port is a unique GSI OpenSSH endpoint.

    All XSEDE service publishing files live in a single directory. We recommend /etc/ipf/services/ (or $IPF/etc/services if your IPF was a non-RPM install), though you could place them anywhere. This directory must match the SERVICEPATH configured during the IPF installation.

    The file can have any unique name, though we recommend this name format: org.globus.openssh-[-].conf

    Each non-comment line should have the format "keyword = value", where value is double quoted if it contains special characters.

    Example of a GSI OpenSSH published information file:
    ______________________________________________________________________________
    
    #%Service1.0###################################################################
    ##
    ## $SERVICEPATH/org.globus.openssh-6.0.1.conf
    ##
    
    Name = org.globus.openssh
    Version = 7.3p1c
    Endpoint = your_hostname.site.xsede.org:2222
    Capability = login.remoteshell
    Capability = login.remoteshell.gsi
    SupportStatus = testing
    
    ______________________________________________________________________________
    
  2. Update the file with the following base fields:
    • Name must be "org.globus.openssh" which is the GLUE2 Primary protocol name.
    • Version should be your GSI OpenSSH server version.
    • Endpoint must include the public hostname and optional port in the example format.
    Explicitly specifying the default port of 22 is recommended. Alternate or testing servers may run on alternate ports.

    • One or more Capability lines, each containing one of the values in this table.

    Table of valid Name, Version, and Capability values for GSI OpenSSH services:

        Name                  Version      Capability
        org.globus.openssh    {5,6}.y.z    login.remoteshell
                                           login.remoteshell.gsi
                                           login.remoteshell.xu2fa
                                           login.remoteshell.sshpubkey
                                           login.remoteshell.xkrb

    • A SupportStatus of development, testing, or production. If SupportStatus is not supplied, your service status is your resource's RDR status.

  3. Once your IPF software provider has run, confirm that your GSI OpenSSH service is listed at: https://info.xsede.org/wh1/glue2-views-api/v1/services/InterfaceName/org.globus.openssh
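
A lint for the published information file described in the steps above, as an added example that is not part of IPF or of the original guide: it checks the base fields, the Capability values from the table, and SupportStatus. The function name check_service_conf and the sample file are hypothetical.

```sh
# Added example: lint an IPF service file for a GSI OpenSSH endpoint.
# check_service_conf and the sample below are hypothetical, not part of IPF.
trim() { printf '%s\n' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'; }

# Prints one line per problem; returns 0 only if every rule passes.
check_service_conf() {
    conf=$1; errs=0; name=; version=; endpoint=; ncap=0
    fail() { echo "$conf: $1"; errs=$((errs + 1)); }
    while read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac        # blank line or comment
        case $line in *=*) ;; *) fail "not 'keyword = value': $line"; continue ;; esac
        key=$(trim "${line%%=*}"); val=$(trim "${line#*=}")
        case $val in \"*\") val=${val#\"}; val=${val%\"} ;; esac   # strip quotes
        case $key in
            Name) name=$val ;;
            Version) version=$val ;;
            Endpoint) endpoint=$val ;;
            Capability) ncap=$((ncap + 1))
                case $val in
                    login.remoteshell|login.remoteshell.gsi|login.remoteshell.xu2fa) ;;
                    login.remoteshell.sshpubkey|login.remoteshell.xkrb) ;;
                    *) fail "Capability '$val' is not in the table" ;;
                esac ;;
            SupportStatus)
                case $val in development|testing|production) ;;
                    *) fail "SupportStatus '$val' is not valid" ;; esac ;;
        esac
    done < "$conf"
    [ "$name" = org.globus.openssh ] || fail "Name must be org.globus.openssh"
    [ -n "$version" ] || fail "Version is missing"
    [ "$ncap" -ge 1 ] || fail "no Capability line"
    case $endpoint in
        '') fail "Endpoint is missing" ;;
        *:*[!0-9]*|*:) fail "Endpoint port is not numeric: $endpoint" ;;
        *:*) ;;
        *) echo "$conf: note: no port given, specifying 22 explicitly is recommended" ;;
    esac
    [ "$errs" -eq 0 ]
}

# Constructed sample with two mistakes (a Capability typo and a bad status).
sample=$(mktemp)
printf '%s\n' '#%Service1.0###' 'Name = org.globus.openssh' 'Version = 7.3p1c' \
    'Endpoint = your_hostname.site.xsede.org:2222' \
    'Capability = login.remoteshell.gis' 'SupportStatus = test' > "$sample"
check_service_conf "$sample" || echo "fix these before the IPF provider runs"
rm -f "$sample"
```

Keywords other than the base fields are ignored, so the check can be run over every file in the SERVICEPATH directory.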