Once I finish the Orchestrator work I can look in to this, if this is not urgent.
Regards Lahiru On Wed, Feb 5, 2014 at 5:07 PM, Suresh Marru <[email protected]> wrote: > I did not verify any of this, but the instructions say JSCH supports > kerberos. From what I could tell the jgss tutorials help - > > https://www.mail-archive.com/[email protected]/msg01048.html > http://www.docjar.com/docs/api/com/jcraft/jsch/jgss/GSSContextKrb5.html > > http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/index.html > > http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/single-signon.html > > Suresh > > > On Feb 5, 2014, at 10:53 AM, Suresh Marru <[email protected]> wrote: > > > I am willing to bet that jcraft supports Kerberos out of the box without > any code changes but with only subtle configurations like what Amila > referred below. > > > > + 1 on the importance of Kerberos and making it a first class supported > protocol for credential store. > > > > Suresh > > On Feb 5, 2014, at 10:44 AM, Marlon Pierce <[email protected]> wrote: > > > >> Thanks--this may be a useful variation on the "vanilla SSH" gateway use > >> case. I'd guess a fair number of computing centers use Kerberos and > >> kerberized SSH for access. This would allow us to combine the > >> advantages (?) of SSH (no grid infrastructure needs to be installed) > >> with GSI short term credentials (no managing of public keys). > >> > >> > >> Marlon > >> > >> On 2/5/14 10:36 AM, Amila Jayasekara wrote: > >>> JSCH provides user authentication mechanism gssapi-with-mic. We should > be > >>> able to use this interface to implement Kerberos based authentication. > In > >>> the JCraft library in airvata, we have modified default GSSAPI > >>> implementation to incorporate MyProxy (X.509) authentication. We may > need > >>> to do some code level changes to get both working at the same code. > >>> I am not sure out of the box JSCH supports Kerberos. Also I am not sure > >>> what sort of changes we need to do to get Kerberos working with JSCH. > It > >>> could be only adding Kerbeors configuration files and JAAS > configuration > >>> files, or it could be some code changes we need to do in GSSAPI level. > We > >>> may need to further investigate this. > >>> > >>> In summary it should be possible to implement Kerberos authentication > with > >>> JSCH but not sure how much work. We need to investigate some time and > >>> figure that out. > >>> > >>> Thanks > >>> Amila > >>> > >>> > >>> On Wed, Feb 5, 2014 at 10:20 AM, Raminder Singh < > [email protected]>wrote: > >>> > >>>> JSCH does not do this out of the box. Amila has to extend the Jcraft > >>>> library to provide the support. As of my experience, /tools/gsissh > should > >>>> work with Kerberos authentication. I am not sure about addition to > x509 > >>>> certificate. X509 certificates are only used with myproxy server. > >>>> > >>>> Thanks > >>>> Raminder > >>>> > >>>> On Feb 5, 2014, at 9:57 AM, Marlon Pierce <[email protected]> wrote: > >>>> > >>>>> Will Airavata's gsissh tool (/tools/gsissh) work with Kerberos > tickets > >>>>> in addition to short term x.509 grid credentials? Or would JSCH do > this > >>>>> out of the box? > >>>>> > >>>>> > >>>>> Thanks-- > >>>>> > >>>>> > >>>>> Marlon > >>>>> > >>>> > >> > > > > -- System Analyst Programmer PTI Lab Indiana University
