Hi Steve,

I recently had to solve the same problem.
But I found a solution in the gsissh documentation under
"Allowing only GSI Authentication":

http://grid.ncsa.uiuc.edu/ssh/admin.html#ssh_config

I also found the following answer from the mailing list archive of gsissh:

http://www-unix.globus.org/mail_archive/gsi-openssh/2007/04/msg00002.html

The solution proposed there worked very well for me.

Regards,
Andreas Maier


Steve White wrote:
> Hi,
> 
> Last year, I asked the list how to disable the terribly annoying default
> behaviour of gsissh to fall back to ssh password authentication when
> grid authentication fails.
> 
> This is essentially a bug.  Never mind *why* it happens.  For most cases,
> there is no reason for the user to enter a password--it won't work, and
> results only in a ****GREAT DEAL OF CONFUSION**** on the part of new 
> users.  Furthermore, this pathological circumstance often trips denial 
> of use software, which will see repeated grid logins as SSH login 
> failures, and ban the poor user.
> 
> This is a big problem, not a little one.  I personally have lost many
> days of time, looking for an answer, figuring out why a user can't log
> in, un-banning them, and then consoling them.  Some users give up on
> Globus altogether because of this stupidity.
> 
> Well, there seems to be an easy answer.  I found it (in the openssh man
> pages, not in the gsissh docs....why?)
> 
> In the file
>       $GLOBUS_LOCATION/etc/ssh/ssh_config
> add the line 
>       PreferredAuthentications        gssapi-keyex,gssapi-with-mic,gssapi
> 
> We have been using this for several months now, with no apparent problems.
> 
> I propose that this line be enabled as the default behavior.
> 
> Any thoughts on this?
> 
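
Added example, not part of either message above and not code from the gsissh project: a POSIX sh check that an ssh_config-style file restricts PreferredAuthentications to GSSAPI methods, as the line quoted in Steve's message does. The function name and the two sample files are constructed for illustration, and Match blocks are treated as host-specific, which is a simplification.

```sh
#!/bin/sh
# audit_gsi_only FILE
# Returns 0 only when FILE has a global PreferredAuthentications line and
# every PreferredAuthentications line in it lists gssapi* methods exclusively.
audit_gsi_only() {
    awk '
    BEGIN { scope = "global"; pinned = 0; bad = 0 }
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
        if (line == "" || line ~ /^#/) next           # blank or comment
        if (!match(line, /^[A-Za-z]+/)) next
        key = tolower(substr(line, 1, RLENGTH))       # keywords ignore case
        arg = substr(line, RLENGTH + 1)
        sub(/^[ \t]*=?[ \t]*/, "", arg)               # "Key value" or "Key=value"
        if (key == "host")  scope = (arg == "*") ? "global" : "host " arg
        if (key == "match") scope = "match " arg      # assumption: host-specific
        if (key != "preferredauthentications") next
        n = split(arg, m, ",")
        ok = (n > 0)
        for (i = 1; i <= n; i++)
            if (tolower(m[i]) !~ /^gssapi/) {
                printf "line %d (%s): non-GSI method \"%s\"\n", NR, scope, m[i]
                ok = 0; bad = 1
            }
        if (ok && scope == "global") pinned = 1
    }
    END {
        if (!pinned) print "no global GSI-only PreferredAuthentications line"
        exit (bad || !pinned)
    }' "$1"
}

# Constructed samples: the setting from the message, and a file in which a
# Host block lists password again and no global line exists.
demo_dir=$(mktemp -d)
printf 'PreferredAuthentications gssapi-keyex,gssapi-with-mic,gssapi\n' > "$demo_dir/good"
printf 'Host legacy\n  PreferredAuthentications=gssapi-with-mic,password\n' > "$demo_dir/bad"
for f in good bad; do
    if audit_gsi_only "$demo_dir/$f"; then
        echo "$f: GSI only"
    else
        echo "$f: password fallback still possible"
    fi
done
```

To check a real installation, call the function on $GLOBUS_LOCATION/etc/ssh/ssh_config and on any per-user configuration file that the client also reads.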
