Hello Steve, I don't remember you asking how to disable attempts at password authentication when GSI authentication fails. Looking in the archives (http://www.globus.org/mail_archive/gt-user/2008/06/msg00066.html), I see that you asked why the GSI-OpenSSH server logs a message about the "none" method before GSI authentication succeeds. If you had asked about how to disable password authentication, I could have certainly pointed you to OpenSSH's PreferredAuthentications setting.
In any case, I think your proposal is a good one, and I'd be happy to make the change in the default ssh_config for the next release. -Jim Steve White wrote: > Hi, > > Last year, I asked the list how to disable the terribly annoying default > behaviour of gsissh to fall back to ssh password authentication when > grid authentication fails. > > This is essentially a bug. Nevermind *why* it happens. For most cases, > there is no reason for the user to enter a password--it won't work, and > results only in a ****GREAT DEAL OF CONFUSION**** on the part of new > users. Furthermore, this pathological circumstance often trips denial > of use software, which will see repeated grid logins as SSH login > failures, and ban the poor user. > > This is a big problem, not a little one. I personally have lost many > days of time, looking for an answer, figuring out why a user can't log > in, un-banning them, and then consoling them. Some users give up on > Globus altogether because of this stupidity. > > Well, there seems to be an easy answer. I found it (in the openssh man > pages, not in the gsissh docs....why?) > > In the file > $GLOBUS_LOCATION/etc/ssh/ssh_config > add the line > PreferredAuthentications gssapi-keyex,gssapi-with-mic,gssapi > > We have been using this for several months now, with no apparent problems. > > I propose that this line be enabled as the default behavior. > > Any thoughts on this?
smime.p7s
Description: S/MIME Cryptographic Signature
