Airavata's gsissh tool and Kerberos

[Marlon Pierce <ma...@iu.edu>]

Will Airavata's gsissh tool (/tools/gsissh) work with Kerberos tickets
in addition to short term x.509 grid credentials? Or would JSCH do this
out of the box?


Thanks--


Marlon

Re: Airavata's gsissh tool and Kerberos

[Lahiru Gunathilake <gl...@gmail.com>]

Once I finish the Orchestrator work I can look in to this, if this is not
urgent.

Regards
Lahiru


On Wed, Feb 5, 2014 at 5:07 PM, Suresh Marru <sm...@apache.org> wrote:

> I did not verify any of this, but the instructions say JSCH supports
> kerberos. From what I could tell the jgss tutorials help -
>
> https://www.mail-archive.com/jsch-users@lists.sourceforge.net/msg01048.html
> http://www.docjar.com/docs/api/com/jcraft/jsch/jgss/GSSContextKrb5.html
>
> http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/index.html
>
> http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/single-signon.html
>
> Suresh
>
>
> On Feb 5, 2014, at 10:53 AM, Suresh Marru <sm...@apache.org> wrote:
>
> > I am willing to bet that jcraft supports Kerberos out of the box without
> any code changes but with only subtle configurations like what Amila
> referred below.
> >
> > + 1 on the importance of Kerberos and making it a first class supported
> protocol for credential store.
> >
> > Suresh
> > On Feb 5, 2014, at 10:44 AM, Marlon Pierce <ma...@iu.edu> wrote:
> >
> >> Thanks--this may be a useful variation on the "vanilla SSH" gateway use
> >> case.  I'd guess a fair number of computing centers use Kerberos and
> >> kerberized SSH for access.  This would allow us to combine the
> >> advantages (?) of SSH (no grid infrastructure needs to be installed)
> >> with GSI short term credentials (no managing of public keys).
> >>
> >>
> >> Marlon
> >>
> >> On 2/5/14 10:36 AM, Amila Jayasekara wrote:
> >>> JSCH provides user authentication mechanism gssapi-with-mic. We should
> be
> >>> able to use this interface to implement Kerberos based authentication.
> In
> >>> the JCraft library in airvata,  we have modified default GSSAPI
> >>> implementation to incorporate MyProxy (X.509) authentication. We may
> need
> >>> to do some code level changes to get both working at the same code.
> >>> I am not sure out of the box JSCH supports Kerberos. Also I am not sure
> >>> what sort of changes we need to do to get Kerberos working with JSCH.
> It
> >>> could be only adding Kerbeors configuration files and JAAS
> configuration
> >>> files, or it could be some code changes we need to do in GSSAPI level.
> We
> >>> may need to further investigate this.
> >>>
> >>> In summary it should be possible to implement Kerberos authentication
> with
> >>> JSCH but not sure how much work. We need to investigate some time and
> >>> figure that out.
> >>>
> >>> Thanks
> >>> Amila
> >>>
> >>>
> >>> On Wed, Feb 5, 2014 at 10:20 AM, Raminder Singh <
> raminderjsingh@gmail.com>wrote:
> >>>
> >>>> JSCH does not do this out of the box. Amila has to extend the Jcraft
> >>>> library to provide the support. As of my experience, /tools/gsissh
> should
> >>>> work with Kerberos authentication. I am not sure about addition to
> x509
> >>>> certificate. X509 certificates are only used with myproxy server.
> >>>>
> >>>> Thanks
> >>>> Raminder
> >>>>
> >>>> On Feb 5, 2014, at 9:57 AM, Marlon Pierce <ma...@iu.edu> wrote:
> >>>>
> >>>>> Will Airavata's gsissh tool (/tools/gsissh) work with Kerberos
> tickets
> >>>>> in addition to short term x.509 grid credentials? Or would JSCH do
> this
> >>>>> out of the box?
> >>>>>
> >>>>>
> >>>>> Thanks--
> >>>>>
> >>>>>
> >>>>> Marlon
> >>>>>
> >>>>
> >>
> >
>
>


-- 
System Analyst Programmer
PTI Lab
Indiana University

Re: Airavata's gsissh tool and Kerberos

[Amila Jayasekara <th...@gmail.com>]

But we should verify. I am bit concern because we modify GSS Context to
handle MyProxy credentials and also preferred authentication mechanisms
also. So need to verify those changes does not affect default Kerberos
usage.

Thanks
Amila


On Wed, Feb 5, 2014 at 10:27 PM, Sachith Withana <sw...@gmail.com>wrote:

> I did some searching on the subject.
>
> As Suresh said, It seems JSCH does support Kerberos out of the box.
>
> [1]
> http://epaul.github.io/jsch-documentation/javadoc/com/jcraft/jsch/GSSContext.html
> [2]
> https://www.mail-archive.com/jsch-users@lists.sourceforge.net/msg01075.html
>
>
>
>
>
> On Wed, Feb 5, 2014 at 5:19 PM, Amila Jayasekara <th...@gmail.com>wrote:
>
>> Yes, it seems. But better to verify.
>> +1 for Kerberos authentication support in GSISSH.
>>
>> Thanks
>> Amila
>>
>>
>> On Wed, Feb 5, 2014 at 5:07 PM, Suresh Marru <sm...@apache.org> wrote:
>>
>>> I did not verify any of this, but the instructions say JSCH supports
>>> kerberos. From what I could tell the jgss tutorials help -
>>>
>>>
>>> https://www.mail-archive.com/jsch-users@lists.sourceforge.net/msg01048.html
>>> http://www.docjar.com/docs/api/com/jcraft/jsch/jgss/GSSContextKrb5.html
>>>
>>> http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/index.html
>>>
>>> http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/single-signon.html
>>>
>>> Suresh
>>>
>>>
>>> On Feb 5, 2014, at 10:53 AM, Suresh Marru <sm...@apache.org> wrote:
>>>
>>> > I am willing to bet that jcraft supports Kerberos out of the box
>>> without any code changes but with only subtle configurations like what
>>> Amila referred below.
>>> >
>>> > + 1 on the importance of Kerberos and making it a first class
>>> supported protocol for credential store.
>>> >
>>> > Suresh
>>> > On Feb 5, 2014, at 10:44 AM, Marlon Pierce <ma...@iu.edu> wrote:
>>> >
>>> >> Thanks--this may be a useful variation on the "vanilla SSH" gateway
>>> use
>>> >> case.  I'd guess a fair number of computing centers use Kerberos and
>>> >> kerberized SSH for access.  This would allow us to combine the
>>> >> advantages (?) of SSH (no grid infrastructure needs to be installed)
>>> >> with GSI short term credentials (no managing of public keys).
>>> >>
>>> >>
>>> >> Marlon
>>> >>
>>> >> On 2/5/14 10:36 AM, Amila Jayasekara wrote:
>>> >>> JSCH provides user authentication mechanism gssapi-with-mic. We
>>> should be
>>> >>> able to use this interface to implement Kerberos based
>>> authentication. In
>>> >>> the JCraft library in airvata,  we have modified default GSSAPI
>>> >>> implementation to incorporate MyProxy (X.509) authentication. We may
>>> need
>>> >>> to do some code level changes to get both working at the same code.
>>> >>> I am not sure out of the box JSCH supports Kerberos. Also I am not
>>> sure
>>> >>> what sort of changes we need to do to get Kerberos working with
>>> JSCH. It
>>> >>> could be only adding Kerbeors configuration files and JAAS
>>> configuration
>>> >>> files, or it could be some code changes we need to do in GSSAPI
>>> level. We
>>> >>> may need to further investigate this.
>>> >>>
>>> >>> In summary it should be possible to implement Kerberos
>>> authentication with
>>> >>> JSCH but not sure how much work. We need to investigate some time and
>>> >>> figure that out.
>>> >>>
>>> >>> Thanks
>>> >>> Amila
>>> >>>
>>> >>>
>>> >>> On Wed, Feb 5, 2014 at 10:20 AM, Raminder Singh <
>>> raminderjsingh@gmail.com>wrote:
>>> >>>
>>> >>>> JSCH does not do this out of the box. Amila has to extend the Jcraft
>>> >>>> library to provide the support. As of my experience, /tools/gsissh
>>> should
>>> >>>> work with Kerberos authentication. I am not sure about addition to
>>> x509
>>> >>>> certificate. X509 certificates are only used with myproxy server.
>>> >>>>
>>> >>>> Thanks
>>> >>>> Raminder
>>> >>>>
>>> >>>> On Feb 5, 2014, at 9:57 AM, Marlon Pierce <ma...@iu.edu> wrote:
>>> >>>>
>>> >>>>> Will Airavata's gsissh tool (/tools/gsissh) work with Kerberos
>>> tickets
>>> >>>>> in addition to short term x.509 grid credentials? Or would JSCH do
>>> this
>>> >>>>> out of the box?
>>> >>>>>
>>> >>>>>
>>> >>>>> Thanks--
>>> >>>>>
>>> >>>>>
>>> >>>>> Marlon
>>> >>>>>
>>> >>>>
>>> >>
>>> >
>>>
>>>
>>
>
>
> --
> Thanks,
> Sachith Withana
>
>

Re: Airavata's gsissh tool and Kerberos

[Sachith Withana <sw...@gmail.com>]

I did some searching on the subject.

As Suresh said, It seems JSCH does support Kerberos out of the box.

[1]
http://epaul.github.io/jsch-documentation/javadoc/com/jcraft/jsch/GSSContext.html
[2]
https://www.mail-archive.com/jsch-users@lists.sourceforge.net/msg01075.html





On Wed, Feb 5, 2014 at 5:19 PM, Amila Jayasekara <th...@gmail.com>wrote:

> Yes, it seems. But better to verify.
> +1 for Kerberos authentication support in GSISSH.
>
> Thanks
> Amila
>
>
> On Wed, Feb 5, 2014 at 5:07 PM, Suresh Marru <sm...@apache.org> wrote:
>
>> I did not verify any of this, but the instructions say JSCH supports
>> kerberos. From what I could tell the jgss tutorials help -
>>
>>
>> https://www.mail-archive.com/jsch-users@lists.sourceforge.net/msg01048.html
>> http://www.docjar.com/docs/api/com/jcraft/jsch/jgss/GSSContextKrb5.html
>>
>> http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/index.html
>>
>> http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/single-signon.html
>>
>> Suresh
>>
>>
>> On Feb 5, 2014, at 10:53 AM, Suresh Marru <sm...@apache.org> wrote:
>>
>> > I am willing to bet that jcraft supports Kerberos out of the box
>> without any code changes but with only subtle configurations like what
>> Amila referred below.
>> >
>> > + 1 on the importance of Kerberos and making it a first class supported
>> protocol for credential store.
>> >
>> > Suresh
>> > On Feb 5, 2014, at 10:44 AM, Marlon Pierce <ma...@iu.edu> wrote:
>> >
>> >> Thanks--this may be a useful variation on the "vanilla SSH" gateway use
>> >> case.  I'd guess a fair number of computing centers use Kerberos and
>> >> kerberized SSH for access.  This would allow us to combine the
>> >> advantages (?) of SSH (no grid infrastructure needs to be installed)
>> >> with GSI short term credentials (no managing of public keys).
>> >>
>> >>
>> >> Marlon
>> >>
>> >> On 2/5/14 10:36 AM, Amila Jayasekara wrote:
>> >>> JSCH provides user authentication mechanism gssapi-with-mic. We
>> should be
>> >>> able to use this interface to implement Kerberos based
>> authentication. In
>> >>> the JCraft library in airvata,  we have modified default GSSAPI
>> >>> implementation to incorporate MyProxy (X.509) authentication. We may
>> need
>> >>> to do some code level changes to get both working at the same code.
>> >>> I am not sure out of the box JSCH supports Kerberos. Also I am not
>> sure
>> >>> what sort of changes we need to do to get Kerberos working with JSCH.
>> It
>> >>> could be only adding Kerbeors configuration files and JAAS
>> configuration
>> >>> files, or it could be some code changes we need to do in GSSAPI
>> level. We
>> >>> may need to further investigate this.
>> >>>
>> >>> In summary it should be possible to implement Kerberos authentication
>> with
>> >>> JSCH but not sure how much work. We need to investigate some time and
>> >>> figure that out.
>> >>>
>> >>> Thanks
>> >>> Amila
>> >>>
>> >>>
>> >>> On Wed, Feb 5, 2014 at 10:20 AM, Raminder Singh <
>> raminderjsingh@gmail.com>wrote:
>> >>>
>> >>>> JSCH does not do this out of the box. Amila has to extend the Jcraft
>> >>>> library to provide the support. As of my experience, /tools/gsissh
>> should
>> >>>> work with Kerberos authentication. I am not sure about addition to
>> x509
>> >>>> certificate. X509 certificates are only used with myproxy server.
>> >>>>
>> >>>> Thanks
>> >>>> Raminder
>> >>>>
>> >>>> On Feb 5, 2014, at 9:57 AM, Marlon Pierce <ma...@iu.edu> wrote:
>> >>>>
>> >>>>> Will Airavata's gsissh tool (/tools/gsissh) work with Kerberos
>> tickets
>> >>>>> in addition to short term x.509 grid credentials? Or would JSCH do
>> this
>> >>>>> out of the box?
>> >>>>>
>> >>>>>
>> >>>>> Thanks--
>> >>>>>
>> >>>>>
>> >>>>> Marlon
>> >>>>>
>> >>>>
>> >>
>> >
>>
>>
>


-- 
Thanks,
Sachith Withana

Re: Airavata's gsissh tool and Kerberos

[Amila Jayasekara <th...@gmail.com>]

Yes, it seems. But better to verify.
+1 for Kerberos authentication support in GSISSH.

Thanks
Amila


On Wed, Feb 5, 2014 at 5:07 PM, Suresh Marru <sm...@apache.org> wrote:

> I did not verify any of this, but the instructions say JSCH supports
> kerberos. From what I could tell the jgss tutorials help -
>
> https://www.mail-archive.com/jsch-users@lists.sourceforge.net/msg01048.html
> http://www.docjar.com/docs/api/com/jcraft/jsch/jgss/GSSContextKrb5.html
>
> http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/index.html
>
> http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/single-signon.html
>
> Suresh
>
>
> On Feb 5, 2014, at 10:53 AM, Suresh Marru <sm...@apache.org> wrote:
>
> > I am willing to bet that jcraft supports Kerberos out of the box without
> any code changes but with only subtle configurations like what Amila
> referred below.
> >
> > + 1 on the importance of Kerberos and making it a first class supported
> protocol for credential store.
> >
> > Suresh
> > On Feb 5, 2014, at 10:44 AM, Marlon Pierce <ma...@iu.edu> wrote:
> >
> >> Thanks--this may be a useful variation on the "vanilla SSH" gateway use
> >> case.  I'd guess a fair number of computing centers use Kerberos and
> >> kerberized SSH for access.  This would allow us to combine the
> >> advantages (?) of SSH (no grid infrastructure needs to be installed)
> >> with GSI short term credentials (no managing of public keys).
> >>
> >>
> >> Marlon
> >>
> >> On 2/5/14 10:36 AM, Amila Jayasekara wrote:
> >>> JSCH provides user authentication mechanism gssapi-with-mic. We should
> be
> >>> able to use this interface to implement Kerberos based authentication.
> In
> >>> the JCraft library in airvata,  we have modified default GSSAPI
> >>> implementation to incorporate MyProxy (X.509) authentication. We may
> need
> >>> to do some code level changes to get both working at the same code.
> >>> I am not sure out of the box JSCH supports Kerberos. Also I am not sure
> >>> what sort of changes we need to do to get Kerberos working with JSCH.
> It
> >>> could be only adding Kerbeors configuration files and JAAS
> configuration
> >>> files, or it could be some code changes we need to do in GSSAPI level.
> We
> >>> may need to further investigate this.
> >>>
> >>> In summary it should be possible to implement Kerberos authentication
> with
> >>> JSCH but not sure how much work. We need to investigate some time and
> >>> figure that out.
> >>>
> >>> Thanks
> >>> Amila
> >>>
> >>>
> >>> On Wed, Feb 5, 2014 at 10:20 AM, Raminder Singh <
> raminderjsingh@gmail.com>wrote:
> >>>
> >>>> JSCH does not do this out of the box. Amila has to extend the Jcraft
> >>>> library to provide the support. As of my experience, /tools/gsissh
> should
> >>>> work with Kerberos authentication. I am not sure about addition to
> x509
> >>>> certificate. X509 certificates are only used with myproxy server.
> >>>>
> >>>> Thanks
> >>>> Raminder
> >>>>
> >>>> On Feb 5, 2014, at 9:57 AM, Marlon Pierce <ma...@iu.edu> wrote:
> >>>>
> >>>>> Will Airavata's gsissh tool (/tools/gsissh) work with Kerberos
> tickets
> >>>>> in addition to short term x.509 grid credentials? Or would JSCH do
> this
> >>>>> out of the box?
> >>>>>
> >>>>>
> >>>>> Thanks--
> >>>>>
> >>>>>
> >>>>> Marlon
> >>>>>
> >>>>
> >>
> >
>
>

Re: Airavata's gsissh tool and Kerberos

[Suresh Marru <sm...@apache.org>]

I did not verify any of this, but the instructions say JSCH supports kerberos. From what I could tell the jgss tutorials help - 

https://www.mail-archive.com/jsch-users@lists.sourceforge.net/msg01048.html
http://www.docjar.com/docs/api/com/jcraft/jsch/jgss/GSSContextKrb5.html
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/index.html
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/single-signon.html

Suresh


On Feb 5, 2014, at 10:53 AM, Suresh Marru <sm...@apache.org> wrote:

> I am willing to bet that jcraft supports Kerberos out of the box without any code changes but with only subtle configurations like what Amila referred below.
> 
> + 1 on the importance of Kerberos and making it a first class supported protocol for credential store.
> 
> Suresh 
> On Feb 5, 2014, at 10:44 AM, Marlon Pierce <ma...@iu.edu> wrote:
> 
>> Thanks--this may be a useful variation on the "vanilla SSH" gateway use
>> case.  I'd guess a fair number of computing centers use Kerberos and
>> kerberized SSH for access.  This would allow us to combine the
>> advantages (?) of SSH (no grid infrastructure needs to be installed)
>> with GSI short term credentials (no managing of public keys).
>> 
>> 
>> Marlon
>> 
>> On 2/5/14 10:36 AM, Amila Jayasekara wrote:
>>> JSCH provides user authentication mechanism gssapi-with-mic. We should be
>>> able to use this interface to implement Kerberos based authentication. In
>>> the JCraft library in airvata,  we have modified default GSSAPI
>>> implementation to incorporate MyProxy (X.509) authentication. We may need
>>> to do some code level changes to get both working at the same code.
>>> I am not sure out of the box JSCH supports Kerberos. Also I am not sure
>>> what sort of changes we need to do to get Kerberos working with JSCH. It
>>> could be only adding Kerbeors configuration files and JAAS configuration
>>> files, or it could be some code changes we need to do in GSSAPI level. We
>>> may need to further investigate this.
>>> 
>>> In summary it should be possible to implement Kerberos authentication with
>>> JSCH but not sure how much work. We need to investigate some time and
>>> figure that out.
>>> 
>>> Thanks
>>> Amila
>>> 
>>> 
>>> On Wed, Feb 5, 2014 at 10:20 AM, Raminder Singh <ra...@gmail.com>wrote:
>>> 
>>>> JSCH does not do this out of the box. Amila has to extend the Jcraft
>>>> library to provide the support. As of my experience, /tools/gsissh should
>>>> work with Kerberos authentication. I am not sure about addition to x509
>>>> certificate. X509 certificates are only used with myproxy server.
>>>> 
>>>> Thanks
>>>> Raminder
>>>> 
>>>> On Feb 5, 2014, at 9:57 AM, Marlon Pierce <ma...@iu.edu> wrote:
>>>> 
>>>>> Will Airavata's gsissh tool (/tools/gsissh) work with Kerberos tickets
>>>>> in addition to short term x.509 grid credentials? Or would JSCH do this
>>>>> out of the box?
>>>>> 
>>>>> 
>>>>> Thanks--
>>>>> 
>>>>> 
>>>>> Marlon
>>>>> 
>>>> 
>> 
> 

Re: Airavata's gsissh tool and Kerberos

[Suresh Marru <sm...@apache.org>]

I am willing to bet that jcraft supports Kerberos out of the box without any code changes but with only subtle configurations like what Amila referred below.

+ 1 on the importance of Kerberos and making it a first class supported protocol for credential store.

Suresh 
On Feb 5, 2014, at 10:44 AM, Marlon Pierce <ma...@iu.edu> wrote:

> Thanks--this may be a useful variation on the "vanilla SSH" gateway use
> case.  I'd guess a fair number of computing centers use Kerberos and
> kerberized SSH for access.  This would allow us to combine the
> advantages (?) of SSH (no grid infrastructure needs to be installed)
> with GSI short term credentials (no managing of public keys).
> 
> 
> Marlon
> 
> On 2/5/14 10:36 AM, Amila Jayasekara wrote:
>> JSCH provides user authentication mechanism gssapi-with-mic. We should be
>> able to use this interface to implement Kerberos based authentication. In
>> the JCraft library in airvata,  we have modified default GSSAPI
>> implementation to incorporate MyProxy (X.509) authentication. We may need
>> to do some code level changes to get both working at the same code.
>> I am not sure out of the box JSCH supports Kerberos. Also I am not sure
>> what sort of changes we need to do to get Kerberos working with JSCH. It
>> could be only adding Kerbeors configuration files and JAAS configuration
>> files, or it could be some code changes we need to do in GSSAPI level. We
>> may need to further investigate this.
>> 
>> In summary it should be possible to implement Kerberos authentication with
>> JSCH but not sure how much work. We need to investigate some time and
>> figure that out.
>> 
>> Thanks
>> Amila
>> 
>> 
>> On Wed, Feb 5, 2014 at 10:20 AM, Raminder Singh <ra...@gmail.com>wrote:
>> 
>>> JSCH does not do this out of the box. Amila has to extend the Jcraft
>>> library to provide the support. As of my experience, /tools/gsissh should
>>> work with Kerberos authentication. I am not sure about addition to x509
>>> certificate. X509 certificates are only used with myproxy server.
>>> 
>>> Thanks
>>> Raminder
>>> 
>>> On Feb 5, 2014, at 9:57 AM, Marlon Pierce <ma...@iu.edu> wrote:
>>> 
>>>> Will Airavata's gsissh tool (/tools/gsissh) work with Kerberos tickets
>>>> in addition to short term x.509 grid credentials? Or would JSCH do this
>>>> out of the box?
>>>> 
>>>> 
>>>> Thanks--
>>>> 
>>>> 
>>>> Marlon
>>>> 
>>> 
> 

Re: Airavata's gsissh tool and Kerberos

[Marlon Pierce <ma...@iu.edu>]

Thanks--this may be a useful variation on the "vanilla SSH" gateway use
case.  I'd guess a fair number of computing centers use Kerberos and
kerberized SSH for access.  This would allow us to combine the
advantages (?) of SSH (no grid infrastructure needs to be installed)
with GSI short term credentials (no managing of public keys).


Marlon

On 2/5/14 10:36 AM, Amila Jayasekara wrote:
> JSCH provides user authentication mechanism gssapi-with-mic. We should be
> able to use this interface to implement Kerberos based authentication. In
> the JCraft library in airvata,  we have modified default GSSAPI
> implementation to incorporate MyProxy (X.509) authentication. We may need
> to do some code level changes to get both working at the same code.
> I am not sure out of the box JSCH supports Kerberos. Also I am not sure
> what sort of changes we need to do to get Kerberos working with JSCH. It
> could be only adding Kerbeors configuration files and JAAS configuration
> files, or it could be some code changes we need to do in GSSAPI level. We
> may need to further investigate this.
>
> In summary it should be possible to implement Kerberos authentication with
> JSCH but not sure how much work. We need to investigate some time and
> figure that out.
>
> Thanks
> Amila
>
>
> On Wed, Feb 5, 2014 at 10:20 AM, Raminder Singh <ra...@gmail.com>wrote:
>
>> JSCH does not do this out of the box. Amila has to extend the Jcraft
>> library to provide the support. As of my experience, /tools/gsissh should
>> work with Kerberos authentication. I am not sure about addition to x509
>> certificate. X509 certificates are only used with myproxy server.
>>
>> Thanks
>> Raminder
>>
>> On Feb 5, 2014, at 9:57 AM, Marlon Pierce <ma...@iu.edu> wrote:
>>
>>> Will Airavata's gsissh tool (/tools/gsissh) work with Kerberos tickets
>>> in addition to short term x.509 grid credentials? Or would JSCH do this
>>> out of the box?
>>>
>>>
>>> Thanks--
>>>
>>>
>>> Marlon
>>>
>>

Re: Airavata's gsissh tool and Kerberos

[Amila Jayasekara <th...@gmail.com>]

JSCH provides user authentication mechanism gssapi-with-mic. We should be
able to use this interface to implement Kerberos based authentication. In
the JCraft library in airvata,  we have modified default GSSAPI
implementation to incorporate MyProxy (X.509) authentication. We may need
to do some code level changes to get both working at the same code.
I am not sure out of the box JSCH supports Kerberos. Also I am not sure
what sort of changes we need to do to get Kerberos working with JSCH. It
could be only adding Kerbeors configuration files and JAAS configuration
files, or it could be some code changes we need to do in GSSAPI level. We
may need to further investigate this.

In summary it should be possible to implement Kerberos authentication with
JSCH but not sure how much work. We need to investigate some time and
figure that out.

Thanks
Amila


On Wed, Feb 5, 2014 at 10:20 AM, Raminder Singh <ra...@gmail.com>wrote:

> JSCH does not do this out of the box. Amila has to extend the Jcraft
> library to provide the support. As of my experience, /tools/gsissh should
> work with Kerberos authentication. I am not sure about addition to x509
> certificate. X509 certificates are only used with myproxy server.
>
> Thanks
> Raminder
>
> On Feb 5, 2014, at 9:57 AM, Marlon Pierce <ma...@iu.edu> wrote:
>
> > Will Airavata's gsissh tool (/tools/gsissh) work with Kerberos tickets
> > in addition to short term x.509 grid credentials? Or would JSCH do this
> > out of the box?
> >
> >
> > Thanks--
> >
> >
> > Marlon
> >
>
>

Re: Airavata's gsissh tool and Kerberos

[Raminder Singh <ra...@gmail.com>]

JSCH does not do this out of the box. Amila has to extend the Jcraft library to provide the support. As of my experience, /tools/gsissh should work with Kerberos authentication. I am not sure about addition to x509 certificate. X509 certificates are only used with myproxy server. 

Thanks
Raminder

On Feb 5, 2014, at 9:57 AM, Marlon Pierce <ma...@iu.edu> wrote:

> Will Airavata's gsissh tool (/tools/gsissh) work with Kerberos tickets
> in addition to short term x.509 grid credentials? Or would JSCH do this
> out of the box?
> 
> 
> Thanks--
> 
> 
> Marlon
>