Hi Steve,

I recently had to solve the same problem. But I found a solution in the gsissh documentation under "Allowing only GSI Authentication":
http://grid.ncsa.uiuc.edu/ssh/admin.html#ssh_config

I also found the following answer from the mailing list archive of gsissh:
http://www-unix.globus.org/mail_archive/gsi-openssh/2007/04/msg00002.html

The solution proposed there worked very well for me.

Regards,
Andreas Maier

Steve White wrote:
> Hi,
>
> Last year, I asked the list how to disable the terribly annoying default
> behaviour of gsissh to fall back to ssh password authentication when
> grid authentication fails.
>
> This is essentially a bug. Nevermind *why* it happens. For most cases,
> there is no reason for the user to enter a password--it won't work, and
> results only in a ****GREAT DEAL OF CONFUSION**** on the part of new
> users. Furthermore, this pathological circumstance often trips denial
> of use software, which will see repeated grid logins as SSH login
> failures, and ban the poor user.
>
> This is a big problem, not a little one. I personally have lost many
> days of time, looking for an answer, figuring out why a user can't log
> in, un-banning them, and then consoling them. Some users give up on
> Globus altogether because of this stupidity.
>
> Well, there seems to be an easy answer. I found it (in the openssh man
> pages, not in the gsissh docs....why?)
>
> In the file
>     $GLOBUS_LOCATION/etc/ssh/ssh_config
> add the line
>     PreferredAuthentications gssapi-keyex,gssapi-with-mic,gssapi
>
> We have been using this for several months now, with no apparent problems.
>
> I propose that this line be enabled as the default behavior.
>
> Any thoughts on this?
>
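
Added example, not part of either message above and not gsissh project code: a shell check that reports whether a client ssh_config still leaves password or keyboard-interactive fallback reachable. The function names and the sample configs are constructed for illustration, and as a simplification only settings that apply to every host (lines before any Host/Match block, or under `Host *`) are considered.

```shell
#!/bin/sh
# Print the first PreferredAuthentications value that applies to all hosts.
# ssh_config uses the first value obtained for each keyword.
effective_preferred_auth() {
    awk '
        BEGIN { global = 1 }                      # before any Host/Match block
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^#/ || /^$/ { next }
        {
            line = $0
            sub(/[ \t]*=[ \t]*/, " ", line)       # accept the "Key=value" form
            n = split(line, f, /[ \t]+/)
            key = tolower(f[1])                   # keywords are case-insensitive
            if (key == "host")  { global = (n == 2 && f[2] == "*"); next }
            if (key == "match") { global = 0; next }
            if (key == "preferredauthentications" && global) { print f[2]; exit }
        }
    ' "$1"
}

# Return 0 when password or keyboard-interactive is still reachable, else 1.
allows_password_fallback() {
    methods=$(effective_preferred_auth "$1")
    # Unset means the OpenSSH default list, which includes both methods.
    if [ -z "$methods" ]; then return 0; fi
    case ",$methods," in
        *,password,*|*,keyboard-interactive,*) return 0 ;;
    esac
    return 1
}

# Constructed sample configs (not taken from the thread's systems).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'Host *\n  GSSAPIAuthentication yes\n' > "$tmp/default"
printf 'PreferredAuthentications gssapi-keyex,gssapi-with-mic,gssapi\n' > "$tmp/gsi_only"

for f in "$tmp/default" "$tmp/gsi_only"; do
    if allows_password_fallback "$f"; then
        echo "$f: password fallback still possible"
    else
        echo "$f: GSI methods only"
    fi
done
```

Run against `$GLOBUS_LOCATION/etc/ssh/ssh_config`, a "fallback still possible" result means a failed grid login can still turn into password prompts, which is the case that ends up counted as SSH login failures.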
