[GE users] SSH Integrations -tight-ssh

mhanby mhanby at uab.edu
Tue Sep 22 19:47:24 BST 2009


Not urgent, we are testing this out on a virtual machine along with some other GE upgrade installs.

We'd like to get better accounting/reporting for our jobs than we currently get with the standard Rocks installed GE.

The way I understand it, in order to get accurate accounting, we need to either compile -tight-ssh or use rsh for job control, and setting up tight integration PEs?

Thanks for looking into this.

Mike

-----Original Message-----
From: rayson [mailto:rayrayson at gmail.com] 
Sent: Tuesday, September 22, 2009 10:10 AM
To: users at gridengine.sunsource.net
Subject: Re: [GE users] SSH Integrations -tight-ssh

Hmm, I have not built the SSH tight integration for a long time. I
think I will try with the versions that you are using during the
coming weekend.

(BTW, I hope it is not urgent -- otherwise just let me know)

Rayson



On 9/22/09, mhanby <mhanby at uab.edu> wrote:
> If I run the following without patching sshd.c, openssh will compile fine
> ./aimk -no-dump -no-jni -no-java -tight-ssh
>
> If I compile with the patched sshd.c it fails with this error:
>
> gcc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o sshpty.o sshlogin.o servconf.o serverloop.o auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o auth-krb5.o auth2-gss.o gss-serv.o gss-serv-krb5.o loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o audit.o audit-bsm.o -L. -Lopenbsd-compat/ -L/home/mhanby/software/ge6.2u3-source/rocks5.2-BUILD/sge-V62u3/gridengine/source/usr/lib   -L/home/mhanby/software/ge6.2u3-source/rocks5.2-BUILD/sge-V62u3/gridengine/source/usr/lib/ -L. -rdynamic -Wl,-rpath,\$ORIGIN/../../lib/lx26-amd64 -lssh -lopenbsd-compat   -lcrypto -lutil -lz -lnsl  -L../../../LINUXAMD64_26 -L../../../3rdparty/remote/LINUXAMD64_26/ -lsgeremote -luti -lcommlists -llck -lrmon  -ljemalloc -lm -lpthread  -lcrypt -lresolv -lresolv
> ../../../3rdparty/remote/LINUXAMD64_26//libsgeremote.a(err_trace.o): In function `shepherd_error':
> err_trace.c:(.text+0x1050): undefined reference to `g_new_interactive_job_support'
> collect2: ld returned 1 exit status
> make: *** [sshd] Error 1
> not done
>
> These are the full list of aimk commands that lead up to the building of -tight-ssh
>
> ./aimk -only-depend -no-dump
> scripts/zerodepend
> ./aimk -no-dump depend
> ./aimk -no-dump -no-jni -no-java
> ./aimk -no-dump -no-jni -no-java -tight-ssh
>
> And here's the patch file
> --- sshd.c      2009-01-27 23:31:23.000000000 -0600
> +++ sshd-sge.c  2009-09-21 11:19:50.000000000 -0500
> @@ -695,7 +695,11 @@
>        RAND_seed(rnd, sizeof(rnd));
>
>        /* Drop privileges */
> +#ifdef SGESSH_INTEGRATION
> +       sgessh_do_setusercontext(authctxt->pw);
> +#else
>        do_setusercontext(authctxt->pw);
> +#endif
>
>  skip:
>        /* It is safe now to apply the key state */
> @@ -1257,6 +1261,9 @@
>  #endif
>        __progname = ssh_get_progname(av[0]);
>        init_rng();
> +#ifdef SGESSH_INTEGRATION
> +       sgessh_readconfig();
> +#endif
>
>        /* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
>        saved_argc = ac;
>
> I'm using the same version of openssh as exists on the system, OpenSSH_4.3p2, OpenSSL 0.9.8e
>
> thanks for any insight,
>
> Mike
>
> -----Original Message-----
> From: rayson [mailto:rayrayson at gmail.com]
> Sent: Monday, September 21, 2009 10:03 AM
> To: users at gridengine.sunsource.net
> Subject: Re: [GE users] SSH Integrations -tight-ssh
>
> On 9/21/09, mhanby <mhanby at uab.edu> wrote:
> > I've been reading through the examples, instructions, etc... on the web regarding building tight integration with SSH.
> >
> > I see some old posts that reference patching sshd.c (and in some examples other openssh source files).
> >
> > Is this still necessary with 6.2u3? Or does -tight-ssh do the patching on the fly (or not need it)? If it is necessary to patch the source files for openssh, where do I obtain the diff files?
>
> There are 2 tight SGE-SSH integrations:
>
> "Secure SGE Using Kerberos5, SSH and Accessing AFS"
>
> and
>
> "SGE-openSSH Tight Integration"
>
> You can find the details of both at:
>
> http://gridengine.sunsource.net/workshop10-12.09.07/proceedings.html
>
> The 2nd one requires building with "-tight-ssh", and as of now you
> still need to patch sshd.c in the OpenSSH source code.
>
> Rayson
>
>
>
>
> >
> > I'm building it as follows:
> >
> > 1. Extract openssh-5.2p1.tar.gz to 3rdparty and rename the directory to 3rdparty/openssh
> > 2. Build Grid Engine:
> > ./aimk -only-depend -no-dump
> > scripts/zerodepend
> > ./aimk -no-dump depend
> > ./aimk -no-dump -no-jni -no-java
> > ./aimk -no-dump -no-jni -no-java -tight-ssh
> > ./aimk -no-dump -man
> >
> > Following the build, I see the ssh binaries have been built, so -tight-ssh is successful in that regard.
> >
> > Thanks, Mike
> >
> > ------------------------------------------------------
> > http://gridengine.sunsource.net/ds/viewMessage.do?dsForumId=38&dsMessageId=218211
> >
> > To unsubscribe from this discussion, e-mail: [users-unsubscribe at gridengine.sunsource.net].
> >
>
> ------------------------------------------------------
> http://gridengine.sunsource.net/ds/viewMessage.do?dsForumId=38&dsMessageId=218215
>
> To unsubscribe from this discussion, e-mail: [users-unsubscribe at gridengine.sunsource.net].
>
> ------------------------------------------------------
> http://gridengine.sunsource.net/ds/viewMessage.do?dsForumId=38&dsMessageId=218380
>
> To unsubscribe from this discussion, e-mail: [users-unsubscribe at gridengine.sunsource.net].
>

------------------------------------------------------
http://gridengine.sunsource.net/ds/viewMessage.do?dsForumId=38&dsMessageId=218397

To unsubscribe from this discussion, e-mail: [users-unsubscribe at gridengine.sunsource.net].

------------------------------------------------------
http://gridengine.sunsource.net/ds/viewMessage.do?dsForumId=38&dsMessageId=218447

To unsubscribe from this discussion, e-mail: [users-unsubscribe at gridengine.sunsource.net].



More information about the gridengine-users mailing list