GSISSH configuration tricks

GSISSH comes included in the Globus Toolkit. You can use it as a full replacement of normal Openssh while retaining the Grid specific advantages, like single sign-on, increased security through use of proxies, automatic proxy forwarding, etc.

The tricks I will describe only work with the command-line version of gsissh as it comes with the Globus Toolkit, but they will not all work with the stand-alone Java version GSISSH-Term.

For the reminder of this document I assume that you have the command-line client of gsissh installed on your system.

Hopping through Door Nodes

Sometimes nodes in a Grid cannot be reached directly. They may be hidden behind a firewall or in a private network, unreachable from the outside. One prominent example are the supercomputers inside the PRACE Grid. They are all interconnected through the private PRACE network, shielded from the public internet. Only a few, so-called door nodes, are also reachable from the public internet. The normal way to log into one of the internal nodes is to first gsissh to a door node, log in there, and then call gsissh from the door node and log in on the desired hidden target node.

Gsissh and Grid's single sign-on paradigm already smoothen the path for the user, as no additional password has to be typed for the second gsissh connection, thanks to automatic proxy forwarding of gsissh. However, the second manual login step is a nuisance and should be avoided.

Luckily, gsissh (but unfortunately not gsissh-Term) honors the ssh configuration file, which is by default located in $HOME/.ssh/config. First we have to add the following line to this file:


Then we set up our path through the door node. In this example we use the SARA door node to reach the otherwise hidden PRACE supercomputer We add the following TWO lines to $HOME/.ssh/config:

ProxyCommand /usr/local/globus-4.2.1/bin/gsissh -X -p 2222 /usr/bin/netcat 2222

We use absolute path names to the executables, as we cannot rely on shell startup files (like .bashrc) being executed on the door node. You will have to adapt the path names to your local PC (this path: /usr/local/globus-4.2.1/bin/gsissh points to your local gsissh binary. It can also be a GT4.0.X binary.) and the door node (this path: /usr/bin/netcat) you are using. We also forward X11 through the use of the -X flag and we specify the gsissh port 2222.

On our local PC it is now very easy to connect to without explicitly specifying the door node:



The same now also works for file transfer between louhi and our local PC. Simply copy the local file /etc/passwd to louhi like this:
gsiscp /etc/passwd

And all of this without having to type passwords again and again!

Using Remote Visualization with TurboVNC

Remote Visualization with TurboVNC and normal ssh on LRZ machines rvs1, gvs1, and gvs2 has been described elsewhere. The easiest way with Grid middleware is to use GSISSH-Term with its built-in TurboVNC.

However, you can also use the command-line gsissh with the nifty config file and tunnel the ports needed automatically. This port tunneling comes handy when you want to use a remote visualization machine behind a restrictive firewall, like rvs1, and the needed ports are not open for you. If the ports are open for you, you do not need an entry in $HOME/.ssh/config!

Since for rvs1 the four ports 5951, 5952, 5953, and 5954 are possible, we will tunnel all four ports. Again we use SARA's p6012 door node to jump into the PRACE network. For the tunneling to work, just add the following two lines (the second line is very long!) to your  $HOME/.ssh/config:

ProxyCommand /usr/local/globus-4.2.1/bin/gsissh -Y -p 2222 -L -L -L -L /usr/bin/netcat 2222

To now start a connection to rvs1 with port tunneling, you simply type on your local PC:
As described elsewhere, you then start a remote session by typing into your rvs1 window:

You need TurboVNC installed on your local PC. How this is done is described elsewhere.

Next you start TurboVNC on your local PC and connect to your localhost on the port that you got assigned by rvnc in the previous step, e.g., 51:


and your remote session starts.

Using Remote Visualization with VirtualGL

Mac OS and Linux users should give VirtualGL with vglconnect a try. This mode gives you more flexibility, since windows from the remote visualisation server appear as regular windows on your desktop. Typically, this mode also offers better performance. However, to use this method, you should be comfortable with the command line. This method of access is called "VGL image transport" or "direct mode" and is described elsewhere. We made a modified vglconnect script that uses gsissh instead of ssh and allows you to connect without having to type your password (twice!).

Again you need to set up the proper hopping through the door node. If you already have the two lines from above with port tunneling for TurboVNC in your $HOME/.ssh/config file, you are already all set. If not, you should add them, either with tunneling (not needed here) as above, or without:

ProxyCommand /usr/local/globus-4.2.1/bin/gsissh -Y -p 2222 /usr/bin/netcat 2222

First, you have to copy this vglconnect script to your local PC. And then you call it on your local PC:
./vglconnect -s

But wait, there is a slight complication for Mac users: your $DISPLAY variable is set to something funny, like /tmp/launch-VrCZZD/:0, which will not work later on. Thus, Mac users have to use an additional option:
./vglconnect -s -display :0
...and, of course, you need to have X11 installed on your Mac.

To test your remote visualization setup, start something visual on the rvs1 system by typing into the rvs1 terminal window, e.g.,
vglrun -d :1.0 /opt/VirtualGL/bin/glxspheres

If you face any problems, please contact