Hi,
Last year, I asked the list how to disable the terribly annoying default
behaviour of gsissh to fall back to ssh password authentication when
grid authentication fails.
This is essentially a bug. Nevermind *why* it happens. For most cases,
there is no reason for the user to enter a password--it won't work, and
results only in a ****GREAT DEAL OF CONFUSION**** on the part of new
users. Furthermore, this pathological circumstance often trips denial
of use software, which will see repeated grid logins as SSH login
failures, and ban the poor user.
This is a big problem, not a little one. I personally have lost many
days of time, looking for an answer, figuring out why a user can't log
in, un-banning them, and then consoling them. Some users give up on
Globus altogether because of this stupidity.
Well, there seems to be an easy answer. I found it (in the openssh man
pages, not in the gsissh docs....why?)
In the file
$GLOBUS_LOCATION/etc/ssh/ssh_config
add the line
PreferredAuthentications gssapi-keyex,gssapi-with-mic,gssapi
We have been using this for several months now, with no apparent problems.
I propose that this line be enabled as the default behavior.
Any thoughts on this?
--
| - - - - - - - - - - - - - - - - - - - - - - - - -
| Steve White +49(331)7499-202
| e-Science / AstroGrid-D Zi. 35 Bg. 20
| - - - - - - - - - - - - - - - - - - - - - - - - -
| Astrophysikalisches Institut Potsdam (AIP)
| An der Sternwarte 16, D-14482 Potsdam
|
| Vorstand: Prof. Dr. Matthias Steinmetz, Peter A. Stolz
|
| Stiftung privaten Rechts, Stiftungsverzeichnis Brandenburg: III/7-71-026
| - - - - - - - - - - - - - - - - - - - - - - - - -
