I am willing to bet that jcraft supports Kerberos out of the box without any code changes but with only subtle configurations like what Amila referred below.
+ 1 on the importance of Kerberos and making it a first class supported protocol for credential store. Suresh On Feb 5, 2014, at 10:44 AM, Marlon Pierce <[email protected]> wrote: > Thanks--this may be a useful variation on the "vanilla SSH" gateway use > case. I'd guess a fair number of computing centers use Kerberos and > kerberized SSH for access. This would allow us to combine the > advantages (?) of SSH (no grid infrastructure needs to be installed) > with GSI short term credentials (no managing of public keys). > > > Marlon > > On 2/5/14 10:36 AM, Amila Jayasekara wrote: >> JSCH provides user authentication mechanism gssapi-with-mic. We should be >> able to use this interface to implement Kerberos based authentication. In >> the JCraft library in airvata, we have modified default GSSAPI >> implementation to incorporate MyProxy (X.509) authentication. We may need >> to do some code level changes to get both working at the same code. >> I am not sure out of the box JSCH supports Kerberos. Also I am not sure >> what sort of changes we need to do to get Kerberos working with JSCH. It >> could be only adding Kerbeors configuration files and JAAS configuration >> files, or it could be some code changes we need to do in GSSAPI level. We >> may need to further investigate this. >> >> In summary it should be possible to implement Kerberos authentication with >> JSCH but not sure how much work. We need to investigate some time and >> figure that out. >> >> Thanks >> Amila >> >> >> On Wed, Feb 5, 2014 at 10:20 AM, Raminder Singh >> <[email protected]>wrote: >> >>> JSCH does not do this out of the box. Amila has to extend the Jcraft >>> library to provide the support. As of my experience, /tools/gsissh should >>> work with Kerberos authentication. I am not sure about addition to x509 >>> certificate. X509 certificates are only used with myproxy server. >>> >>> Thanks >>> Raminder >>> >>> On Feb 5, 2014, at 9:57 AM, Marlon Pierce <[email protected]> wrote: >>> >>>> Will Airavata's gsissh tool (/tools/gsissh) work with Kerberos tickets >>>> in addition to short term x.509 grid credentials? Or would JSCH do this >>>> out of the box? >>>> >>>> >>>> Thanks-- >>>> >>>> >>>> Marlon >>>> >>> >
