12-16 April 2010
Uppsala University
Europe/Stockholm timezone

MEG - MyProxy Enabled GSISSHD

Apr 12, 2010, 5:54 PM
Aula (Uppsala University)


Uppsala University

Poster Support services and tools for user communities Poster session


Mr Kevin Haines (STFC)


MEG allows users to logon to a grid-resource using any SSH-enabled client, so long as they have uploaded a credential to a MyProxy server. MEG accepts the username and password to the credential from the SSH client and retrieves the proxy on behalf of the user, and the uses the proxy to determine if the login can proceed. Resource providers benefit too, as only grid-based authentication mechanisms are needed, so a UI box can be implemented without adding an additional layer of user management.

Detailed analysis

The user starts by using his certificate to generate a credential that is stored in a MyProxy server. The Myproxy Upload Tool [1] can be used to accomplish this task. During this operation the user will select a username and password that allows the credential to be retrieved at a later time.
At any point during the lifetime of the delegated credential, the user can run an SSH (or SFTP) client of choice to connect to the MEG resource. To login, the user supplies the username and password of his MyProxy credential. Then, MEG uses these to retrieve the credential from the MyProxy server, and uses that credential to authenticate the user against the resource. Assuming this succeeds, the user is logged into the resource, where a proxy credential will be waiting in the environment for further use.

Justification for delivering demo and/or technical requirements (for demos)

Laptop (own supplied), and if possible a large screen.


MEG is a benefit for all users of X509-based grid resources, by enabling them to choose which SSH client they want to use. It is lightweight, small, and easy to maintain and understand, and removes the need to maintain SSH-based portals (which require further user account management).

Conclusions and Future Work

The system has proved very popular with users at STFC and on the UK-NGS. Further extensions to this system should be simple due to the very modular nature of the solution.

Further benefits have been proved within STFC, using a MyProxy-SSO (Single Sign On) server, and the UK NGS is looking at providing a Shibboleth-based extension.

Keywords gsisshd ssh myproxy meg
URL for further information http://wiki.ngs.ac.uk/index.php?title=KGSISSHD

Primary author

Mr Kevin Haines (STFC)

Presentation materials

There are no materials yet.