Authd is a simple SSL-based authentication mechanism that makes it simple to authenticate users on clusters. Authd was written by Brent N. Chun and is part of the Ganglia package. Authd is used by gexec to launch processes on cluster nodes. We really like gexec and authd. Although gexec is supremely capable for launching jobs, we also thought it would be cool to add authd as an authentication method to OpenSSH. Our patches and source code below do just that. On systems with Ganglia/authd/gexec installed, one can add the modified ssh and use authd for reasonably secure, password-less user authentication on the cluster without any set-up required by the user.
Brent N. Chun's authd-specific web page is here: ? http://www.theether.org/authd
The Ganglia project web page can be found here: ? http://ganglia.sourceforge.net
OpenSSH information is available at: ? http://openssh.org
FILES
libe-0.2.2.tar.gz ? |
Brent N. Chun's libe library source code (unmodified, required for authd compilation) |
authd-0.2.1r.tar.gz ? |
A revision of Brent N. Chun's authd-0.2.1 code that uses the OpenSSL EVP functions. This should be a drop-in replacement for authd-0.2.1. |
authd-0.2.1.patch ? |
A patch for authd-0.2.1r against the authd-0.2.1 code. |
gexec-0.3.5r.tar.gz ? |
The Ganglia execution system--gexec (unmodified, except to point to the new auth.h header location). |
openssh-3.9p1-authd-0.1.tar.gz ? |
A modified OpenSSH that includes authd authentication for protocols 1 and 2. This code works well, but still needs to be reviewed and cleaned up. |
openssh-3.9p1.patch ? |
A patch for openssh-3.9.p1-authd-0.1 against the original openssh-3.9.p1 source. |
|
http://www.openssl.org/source/openssl-0.9.7d.tar.gz ? |
A link to the most current OpenSSL library (as of this writing). This library may be required to successfully compile the above programs, depending on your system. Click here for a link to all of the OpenSSL project source files. |
? |
A link to the home of the "Massively Spiffy Yet Delicately Unobtrusive" zlib compression library--zlib might be needed to be installed on your system in order to compile OpenSSH. |
|
Installation notes
The code was written on an x86 SuSE 9.1 machine. Installation proceeds something like this:
1. Generate an RSA public/private key pair as outlined in the DOC file in the authd-0.2.1r directory.
2. Do the following for libauth and authd:
./configure; make; make install
NOTE: In order to compile successfully on RedHat Fedora Core 1, we had to install openssl-0.9.7d and pass the following flags to the authd configure step:
./configure CPPFLAGS="-I/usr/local/ssl/include" LDFLAGS="-L/usr/local/ssl"
We also had to install zlib.
3. Run
./configure;make
for OpenSSH with appropriate configure options. Optionally, run
make install
or test it first as outlined in step 5.
4. Edit the appropriate sshd_config file and set "UseAuthdAuthentication" to "yes."
5. You can test the sshd/ssh server/client in two terminal windows in the OpenSSH directory with something like:
/sshd -ddd -p 999
(Run as root in the first terminal. The -ddd option puts the daemon in debugging mode, the -p 999 option runs it on a non-standard port of 999 for testing purposes.
./ssh -vvv -p 999 127.0.0.1
The -vvv option puts the ssh client in debugging mode and -p sets it to use our testing port of 999. If the authd daemon is running and the RSA keys are set up, the system should authenticate you. It should work for all supported protocols (-1 and -2) and with or without privilege separation.
About authd
Authd operation is simple. A user application asks the locally running authd daemon to sign a message digest containing the user's id. The message is transmitted by the application to a client (e.g., a cluster node), which uses a common public key to veryify the message digest and authenticate the user.
Authd is used by the gexec execution component of Ganglia. We also recently (August, 2004) added an authentication method to OpenSSH (protocols 1.x and 2) that uses authd to simplify SSH use on clusters. Our authd-variation of SSH provides ease of use similar to the rhosts/shosts method but with better security.
We made our changes to the authd code in order to bring it up-to-date with the current state of the OpenSSL library function calls. Our intention was to make as few changes as possible to maintain backward-compatability with existing authd insallations and client programs (in particular gexec).
We plan to continue to support authd/gexec/OpenSSH-authd in accordance with open-source software guidelines as best we can. We created this web page to initially disseminate our modification to the code.