7203 2011-08-17 13:04 GSI-OpenSSH use with current GSSAPI mechglue in MIT Kerberos 2011-08-17 13:43:35 1 1 1 Unclassified GSI-OpenSSH GSI-OpenSSH other All All NEW http://grid.ncsa.illinois.edu/gssapi-mechglue/openssh/ P3 enhancement --- 1 jbasney@ncsa.uiuc.edu jbasney@ncsa.uiuc.edu jbasney@ncsa.uiuc.edu 2011-08-17 13:04:29 To support multiple GSSAPI mechanisms in OpenSSH (i.e., Kerberos and GSI), we use a custom mechglue library forked from an old version of MIT Kerberos, as documented here: http://grid.ncsa.illinois.edu/gssapi-mechglue/openssh/ We learned at a recent Project Moonshot presentation that the GSSAPI mechglue included in the MIT Kerberos distribution has been updated to better support plugging in additional GSSAPI mechanisms (i.e., GSI), so our custom mechglue library should hopefully no longer be required. However, this requires some investigation, testing, and documentation on how to use GSI with the current mechglue capability. I think the first step is to look at how Project Moonshot does it: http://www.project-moonshot.org/devwiki/moonshotapps/ Hopefully we can follow their example for use with GSI. Volunteers from the community to look into this would be much appreciated. To volunteer, please assign this bug to yourself. jbasney@ncsa.uiuc.edu 2011-08-17 13:43:35 I forgot to mention that one very attractive benefit of using mechglue in the MIT Kerberos libraries is that the operating system default OpenSSH is often already linked with those libraries, so it's possible we could avoid needing to distribute separate gsi-openssh packages (RPMs, etc.) and instead load in GSI support at run-time using standard Kerberos-enabled OpenSSH packages.