Steve,

Sorry to hear this has obviously caused you a great deal of frustration, and thank you for taking the time to report the matter so that others can benefit from what you have learned.

I believe it's fair to say that while GSI-OpenSSH has had a great deal of success, there is always room for improvement, much of which comes via suggestions from users who take the time to do so like yourself. I see Jim has already agreed to incorporate the change you suggested.

Regards,
Von

Steve White wrote:
> Hi,
>
> Last year, I asked the list how to disable the terribly annoying default
> behaviour of gsissh to fall back to ssh password authentication when
> grid authentication fails.
>
> This is essentially a bug. Never mind *why* it happens. For most cases,
> there is no reason for the user to enter a password--it won't work, and
> results only in a ****GREAT DEAL OF CONFUSION**** on the part of new
> users. Furthermore, this pathological circumstance often trips denial
> of use software, which will see repeated grid logins as SSH login
> failures, and ban the poor user.
>
> This is a big problem, not a little one. I personally have lost many
> days of time, looking for an answer, figuring out why a user can't log
> in, un-banning them, and then consoling them. Some users give up on
> Globus altogether because of this stupidity.
>
> Well, there seems to be an easy answer. I found it (in the openssh man
> pages, not in the gsissh docs....why?)
>
> In the file
>     $GLOBUS_LOCATION/etc/ssh/ssh_config
> add the line
>     PreferredAuthentications gssapi-keyex,gssapi-with-mic,gssapi
>
> We have been using this for several months now, with no apparent problems.
>
> I propose that this line be enabled as the default behavior.
>
> Any thoughts on this?
>
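An added example, not part of the original thread or of GSI-OpenSSH: a shell check that an `ssh_config` file applies the GSSAPI-only `PreferredAuthentications` setting quoted above to every host. The function name `check_gss_only` and its output tokens are hypothetical, and it assumes only lines before the first `Host`/`Match` block, or under `Host *`, count as applying to all hosts.

```shell
#!/bin/sh
# Added example (not GSI-OpenSSH code). Prints GSS_ONLY, FALLBACK: <methods>
# or UNSET for the ssh_config file given as $1; non-zero exit unless GSS_ONLY.
check_gss_only() {
    awk '
    BEGIN { scope = 1; found = 0; bad = "" }
    /^[ \t]*#/ { next }                       # comment line
    /^[ \t]*$/ { next }                       # blank line
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        sub(/[ \t]+$/, "", line)
        sub(/[ \t]*=[ \t]*/, " ", line)       # accept "Keyword=value" form
        n = split(line, f, /[ \t]+/)
        key = tolower(f[1])                   # keywords are case-insensitive
        if (key == "host")  { scope = (n == 2 && f[2] == "*"); next }
        if (key == "match") { scope = 0; next }
        # ssh uses the first value it obtains, so later lines are ignored.
        if (key == "preferredauthentications" && scope && !found) {
            found = 1
            m = split(f[2], methods, ",")
            for (i = 1; i <= m; i++)
                if (methods[i] !~ /^gssapi(-keyex|-with-mic)?$/)
                    bad = bad " " methods[i]
        }
    }
    END {
        if (!found)    { print "UNSET"; exit 1 }      # client defaults apply
        if (bad != "") { print "FALLBACK:" bad; exit 1 }
        print "GSS_ONLY"
    }' "$1"
}

# Constructed sample: the line from the thread at global scope, followed by
# a per-host override that never takes effect because the first value wins.
sample=$(mktemp)
printf '%s\n' '# constructed sample ssh_config' \
    'PreferredAuthentications gssapi-keyex,gssapi-with-mic,gssapi' \
    'Host legacy' \
    '    PreferredAuthentications password' > "$sample"
check_gss_only "$sample"    # prints GSS_ONLY
rm -f "$sample"
```
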
