Lab Exercise: Security

Purpose:

This lab will show you how to:

  1. Display Certificate Information
  2. Proxy Certificates
  3. SSHing without a password!
  4. Updating your .bash_profile on the server


Display Certificate Information

  1. Finding out information about your real certificate is easy.  Use the command: grid-cert-info.  This utility has several options.  The two we will use are -subject and -enddate

-subject:  shows your distinguished name (DN)
-enddate:  shows when your certificate expires

  2. Issue these commands:
$ grid-cert-info -subject
/C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon

$ grid-cert-info -enddate
Nov 5 07:20:17 2006 GMT

The grid-cert-info command without any arguments will display all available information.  Try it!


Proxy Certificates

  1. There are two commands that are used when working with proxy certificates: grid-proxy-init and grid-proxy-info.

By entering the following command you will see a list of options that can be used with grid-proxy-init.

$ grid-proxy-init -help

  2. In order to generate a new proxy enter the following grid-proxy-init command.  You will be asked to enter your certificate's pass phrase.  Do so and you should see output similar to:
$ grid-proxy-init

Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
Enter GRID pass phrase for this identity:
Creating proxy ............................................. Done
Your proxy is valid until: Wed Feb 23 00:47:13 2005

Your proxy certificate is now ready to use.

  3. If you're having problems and need to see additional information, or if you would like the grid-proxy-init command to verify the certificate against the CA certificate to make sure it's valid, the "-debug" and "-verify" arguments can be used as follows:
$ grid-proxy-init -debug -verify

User Cert File: /home/mfreemon/.globus/usercert.pem
User Key File: /home/mfreemon/.globus/userkey.pem

Trusted CA Cert Dir: /home/mfreemon/ldg-3.0//globus/TRUSTED_CA

Output File: /tmp/x509up_u500
Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
Enter GRID pass phrase for this identity:
Creating proxy ......................++++++++++++
....++++++++++++
Done
Proxy Verify OK
Your proxy is valid until: Wed Feb 23 00:53:13 2005

This output tells you where your certificate was retrieved from and which directory was used for the CA certificate.  Your certificate was verified against that CA certificate and then the proxy was created.

  4. The grid-proxy-info command is used to display information about an existing proxy certificate.  Enter the following:
$ grid-proxy-info -help

You should see a listing of the various options for this command. 

  5. Now enter:
$ grid-proxy-info -timeleft

This command will tell you how much time is left on your current proxy certificate.  If you see a negative number, this means there is no time left on your proxy.  If there is time left you will be shown the number of seconds left on the proxy.  Knowing the number of seconds left is useful, but it is not always the most readable way to have the information displayed.

  6. Now enter the same command without any arguments:
$ grid-proxy-info

subject : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon/CN=proxy
issuer : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
identity : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
type : full legacy globus proxy
strength : 512 bits
path : /tmp/x509up_u500
timeleft : 11:59:59

This command gives you all of your user certificate information.

Note the timeleft on the proxy.  If there is no time left you will need to obtain a new proxy certificate using grid-proxy-init.

The other information displayed is defined as follows:

  7. By default, grid-proxy-init sets the expiration time to 12 hours.  You can change this by using the command line option -hours:
$ grid-proxy-init -hours 8

Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
Enter GRID pass phrase for this identity:
Creating proxy ................................ Done
Your proxy is valid until: Tue Feb 22 21:19:19 2005

$ grid-proxy-info

subject : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon/CN=proxy
issuer : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
identity : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
type : full legacy globus proxy
strength : 512 bits
path : /tmp/x509up_u500
timeleft : 7:59:51

Note the new timeleft.

  8. Another useful command is grid-proxy-destroy.  As the name indicates, this command removes the current proxy certificate you are working with.
$ grid-proxy-destroy

$ grid-proxy-info

ERROR: Couldn't find a valid proxy.
Use -debug for further information.

As you can see, the proxy certificate has been removed from the system. 

  9. Of course, you will need to create a new proxy before continuing with this lab exercise.
$ grid-proxy-init

Your identity: /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
Enter GRID pass phrase for this identity:
Creating proxy ............................... Done
Your proxy is valid until: Wed Feb 23 01:25:46 2005
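
The checks this section walks through by hand (issuer, identity and subject of the proxy, the timeleft value, and the proxy file in /tmp) can be scripted. The POSIX shell script below is an added example written for this page; it is not part of the lab or of the Globus toolkit. It parses the key : value output of grid-proxy-info (a constructed sample matching the transcript above is embedded so the script runs without the toolkit installed), converts between the seconds printed by -timeleft and the H:MM:SS form printed without arguments, and checks that the proxy file is readable only by its owner, since the file holds the proxy's private key unencrypted. It assumes the legacy proxy form shown in this lab, where the proxy subject is the identity followed by /CN=proxy, and a one-hour minimum remaining lifetime chosen for the example.

```shell
#!/bin/sh
# Added example for this lab, not Globus code: sanity-check a proxy certificate
# from grid-proxy-info output and from the proxy file's permissions.

# Constructed sample, matching the grid-proxy-info output shown in the lab.
SAMPLE_PROXY_INFO='subject : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon/CN=proxy
issuer : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
identity : /C=US/O=National Center for Supercomputing Applications/CN=Mike Freemon
type : full legacy globus proxy
strength : 512 bits
path : /tmp/x509up_u500
timeleft : 7:59:51'

# proxy_field NAME INFO -> value of the "NAME : value" line in INFO
proxy_field() {
    printf '%s\n' "$2" | awk -v key="$1" -F' : ' '$1 == key { print $2; exit }'
}

# seconds_to_hms SECONDS -> H:MM:SS as grid-proxy-info prints timeleft.
# A negative value (what -timeleft prints for an expired proxy) becomes 0:00:00.
seconds_to_hms() {
    s=$1
    if [ "$s" -lt 0 ]; then s=0; fi
    printf '%d:%02d:%02d\n' $((s / 3600)) $((s % 3600 / 60)) $((s % 60))
}

# hms_to_seconds H:MM:SS -> seconds (awk avoids octal trouble with "08", "09")
hms_to_seconds() {
    printf '%s\n' "$1" | awk -F: '{ print $1 * 3600 + $2 * 60 + $3 }'
}

# proxy_ok INFO MIN_SECONDS -> exit 0 if the proxy is self-consistent and has at
# least MIN_SECONDS left; prints the reason on failure.
proxy_ok() {
    info=$1; min=$2
    subject=$(proxy_field subject "$info")
    issuer=$(proxy_field issuer "$info")
    identity=$(proxy_field identity "$info")
    left=$(hms_to_seconds "$(proxy_field timeleft "$info")")
    # A proxy is signed by the user's own certificate, so issuer equals identity ...
    if [ "$issuer" != "$identity" ]; then echo "issuer/identity mismatch"; return 1; fi
    # ... and a legacy proxy's subject is the identity plus a /CN=proxy component.
    if [ "$subject" != "$identity/CN=proxy" ]; then echo "unexpected subject: $subject"; return 1; fi
    if [ "$left" -lt "$min" ]; then echo "only $(seconds_to_hms "$left") left"; return 1; fi
    echo "proxy ok, $(seconds_to_hms "$left") left"
}

# proxy_file_ok PATH -> exit 0 if the proxy file exists, is owned by the caller
# and is readable by nobody else (-rw-------). The file contains the proxy's
# unencrypted private key, so anything looser means others can impersonate you.
proxy_file_ok() {
    [ -f "$1" ] || { echo "no proxy file at $1"; return 1; }
    mode=$(ls -ld "$1" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then echo "$1 has permissions $mode, expected -rw-------"; return 1; fi
    owner=$(ls -ld "$1" | awk '{ print $3 }')
    [ "$owner" = "$(id -un)" ] || { echo "$1 is owned by $owner"; return 1; }
    echo "$1 permissions ok"
}

# Use the real proxy when the toolkit is on the PATH, otherwise the sample.
# 3600 = require at least one hour of remaining lifetime (example threshold).
if command -v grid-proxy-info >/dev/null 2>&1; then
    info=$(grid-proxy-info 2>/dev/null) || info=""
    proxy_ok "$info" 3600 && proxy_file_ok "$(proxy_field path "$info")" || echo "proxy check failed"
else
    proxy_ok "$SAMPLE_PROXY_INFO" 3600
fi
```

Run it before a batch of grid jobs: a proxy that passes the subject and issuer checks but has too little time left should be renewed with grid-proxy-init (use -hours to size the lifetime to the work, not longer), and a proxy file with loose permissions should be destroyed with grid-proxy-destroy and recreated.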


SSHing without a password!

  1. With a valid proxy certificate, you will be able to ssh to any LSC DataGrid server without having to enter a password!

First, verify that the right ssh is in your path.

$ which ssh

~/ldg-3.0/globus/bin/ssh

The ssh that is found should be in the globus directory under your client toolkit software installation directory.  If this is not the case, verify that you have run the setup program found in the LSC DataGrid client installation directory (i.e. ~/ldg-3.0/setup.sh).  This script updates the environment variables (including PATH) that are needed by the LSC software.

  2. With the correct ssh and a valid proxy you should be able to ssh to a valid server.
$ ssh ldas-grid.ligo-la.caltech.edu

Posted January 12, 2004:

* The operating system on the cluster has been upgraded to Fedora Core 3.

* Condor has been upgraded to version 6.7.3.

* We have installed the LSC DataGrid Server package on the head node
ldas-grid.ligo.caltech.edu. This package is built on top of the Virtual
Data Toolkit (VDT) server package. It is installed in /ldcg/ldg.

The data grid server contains a number of useful Grid tools like the
Grid-OpenSSH client, the Grid-enabled FTP client, and LSCdataFind.

To setup your environment to use these tools: if you are a bash used add the
following to your .bash_profile:

if [ -f "${LSC_DATAGRID_SERVER_LOCATION}/setup.sh" ]; then
source ${LSC_DATAGRID_SERVER_LOCATION}/setup.sh
fi

or if you are a C shell user, add the following to your .login

if ( -r "${LSC_DATAGRID_SERVER_LOCATION}/setup.sh" ) then
source ${LSC_DATAGRID_SERVER_LOCATION}/setup.csh
endif

You should remove any older environment variables that you may have set up
to access the LSC data grid server.

* Please report any problems to ldas_admin_llo@ligo.caltech.edu
_______________________________________

[mfreemon@ldas-grid ~]$

You are now logged onto the ligo-server site and didn't have to enter your password.

  3. What would happen if you didn't have a valid proxy?
$ grid-proxy-destroy

$ ssh ldas-grid.ligo-la.caltech.edu

mfreemon@ldas-grid.ligo-la.caltech.edu's password:

You should now see a request to enter your password.

Without a valid proxy certificate, the ssh client reverts to its normal authentication mechanisms.  Enter your password and you should be logged onto the server site (if you have an account there).

In fact, this ssh client is just a normal, standard ssh client with an additional authentication method built-in for grid environments.  As a result, it can be used for any SSH connections to any SSH daemons -- not just grid servers.


Updating your .bash_profile on the server

  1. Did you notice the messages displayed when you connected to the LLO cluster?  There is one in particular that talks about adding a setup.sh script to your .bash_profile (on the server).  This is a useful and recommended thing to do, so edit your ~/.bash_profile script on the ldas-grid server and append the following lines:

if [ -f "${LSC_DATAGRID_SERVER_LOCATION}/setup.sh" ]; then
  source ${LSC_DATAGRID_SERVER_LOCATION}/setup.sh
fi