Diagnosis of Common GSI-OpenSSH Issues

  1. Introduction
  2. Disparate system clocks
  3. Missing certificates or keys
  4. Password authentication fails

Introduction

Discussed here are common issues system administrators and users may face while using GSI-OpenSSH. If your system is free from the problems mentioned, you're encouraged to review the client troubleshooting guide (if you're a user) or the server troubleshooting guide (if you're a system administrator).

Issues that are shared between the server and client commonly also show up in other programs that rely on GSI authentication. One way to rule out many problems is to verify that other common GSI programs (e.g. globus-gatekeeper) work correctly. Checking that those programs run as expected helps determine whether a given problem is caused by the GSI-OpenSSH packages or by a misconfigured system environment.

Disparate system clocks

Verify that the clocks on the machines between which you are trying to connect agree. If the clocks are not properly synchronized, your connection attempt may fail. For example, the server may conclude from its local time that the certificate you are using is not yet valid, or has already expired, and refuse the connection.

Missing certificates or keys

Make sure that all of the required certificate and key files are present and that their permissions are set correctly. Your public certificate can be world-readable, but to protect your private key, the key file must be readable only by its owner. Any other permissions on the key file will cause a GSI-OpenSSH run-time error. For more information on GSI configuration, please see the Globus Toolkit Admin Guide.
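
A permission check for the rule above, written as an added example (it is not part of the GSI-OpenSSH documentation or tools). The certificate and key paths are supplied as arguments; the function names, the suggested modes in the messages, and the extra check that the certificate is not group- or world-writable are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a GSI certificate/key pair (paths given as arguments).

# Print a file's octal permission bits (GNU stat, falling back to BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_gsi_pair CERT KEY: returns 0 when both files pass, 1 otherwise.
check_gsi_pair() {
    cert=$1; key=$2; rc=0

    # Both files must exist as regular files before modes are inspected.
    for f in "$cert" "$key"; do
        if [ ! -f "$f" ]; then
            echo "MISSING: $f"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1

    # Private key: owner must be able to read it, group/other get no bits.
    kmode=$(file_mode "$key")
    if [ $(( 0$kmode & 0400 )) -eq 0 ] || [ $(( 0$kmode & 077 )) -ne 0 ]; then
        echo "BAD KEY MODE: $key is $kmode (use 600 or 400)"
        rc=1
    fi

    # Certificate: world-readable is fine; group/other write is flagged
    # (an assumption of this example, stricter than the text above).
    cmode=$(file_mode "$cert")
    if [ $(( 0$cmode & 022 )) -ne 0 ]; then
        echo "BAD CERT MODE: $cert is $cmode (use 644 or stricter)"
        rc=1
    fi

    return "$rc"
}

# Run directly as: sh check_gsi_pair.sh CERT KEY
if [ "$#" -eq 2 ]; then
    check_gsi_pair "$1" "$2"
fi
```

Each finding is printed on its own line, and the exit status is non-zero if any check fails, so the script can be used in a login or deployment check.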

Password authentication fails

If password authentication is not working for your GSI-OpenSSH server, verify that you set the needed configure options with GSI_OPENSSH_GPTMACRO when you installed GSI-OpenSSH. Some platforms require the --with-pam and/or --with-md5-passwords options. Also check the configuration in $GLOBUS_LOCATION/etc/ssh/sshd_config. You may need to set PasswordAuthentication and/or UsePam to yes in that file.