More tidbits:
"Globus toolkit 6" implements the grid security infrastructure. [1] It includes
a modified version of openssh (which accepts PKI certificates) and a per-machine
DN-to-local-user mapping file. RPMs have been released for Fedora 19/20 and RHEL/CentOS
5, 6, and 7.
As I understand it, grid logins are via proxy certificates which are derived from your
end-entity-certificate and have a limited life. These are managed by myproxy, which can
leverage Kerberos authentication on local identities to control release of keys [2].
Positing a cluster using FreeIPA/sssd for local user management, which is running
GSI-enabled openssh, would sssd have an opportunity to map DNs to local users (and
potentially centralize this mapping by referring to an LDAP server)? Likewise, would sssd
have an opportunity to obtain a Kerberos ticket for the local user via S4U2Self/S4U2Proxy based
on a successful PKI authentication?
Sorry for having this trickle in slowly. I'm playing catch-up here.
Bryce
[1] http://toolkit.globus.org/toolkit/docs/6.0/admin/quickstart/#quickstart
[2] http://grid.ncsa.illinois.edu/myproxy/pam.html#krb5