GSI-SSHTerm

From MyWiki

Contents 1 Links 2 Current Status 3 Usability Issues 4 Issues Reported to GSI-SSHTerm Team 5 Project Plan 6 TeraGrid Test Plan 7 CVS

Links

• NCSA GSI-SSHTerm Software Distribution Links
• UK NGS Wiki Documentation
• UK NGS Launch Page
• UK NGS Files
• SourceForge Project Pages for GSI-SSHTerm and SSHTools
• Draft NCSA Documentation
• Other Java SSH implementations: jcraft

Current Status

February 13, 2009:

• 0.91g (unofficial) incorporated and released. At the request of Rion Dooley <dooley@tacc.utexas.edu>, I rebuilt the jar files to incorporate the updated TACC CA policy files into the certificates.zip file. I took the opportunity to check out the latest code from SourceForge CVS (thus the "unofficial" designation for 0.91g) even though nothing much has changed in the past year.

July 9, 2008:

• Revised the ant build.xml script for jar signing changes. All files are now distributed in a single GSI-SSHTerm-*.jar file (actually one for "ncsa" and one for "teragrid"). The jar is signed so as to make the publisher field display either "TeraGrid" or "National Center for Supercomputing Applications".

January 11, 2008:

• 0.91c Incorporated and released. Fixed various bugs with tunneling. I tested both the JWS and applet versions on Mac (Safari) and XP (Firefox) connecting to all TG sites listed at the TeraGrid User Portal.

August 16, 2007:

• 0.90b Incorporated and released. Fixed minor bug to stop hanging connection after 1 hour. Also added help links to "Beginner" and "Advanced" help text pages.

July 18, 2007:

• 0.90a Incorporated and released. Fixed minor connection hang bug.

July 12, 2007:

• 0.90 Incorporated and released.
• Fixed several "lock-up" bugs and incorporated Java version testing on applet page.

May 7, 2007:

• 0.84 Incorporated and released.
• SFTP bug fixes mainly.

April 30, 2007:

• More testing of the application on teragrid.org sites. See GSI-SSHTerm Testing for current status.

April 19, 2007:

• 0.83 Incorporated and released
• Improvements primarily to the SFTP portion of the application.

April 5, 2007:

• 0.82 Incorporated and released
• David Spence has release 0.82. We are incorporating into our CVS.

April 4, 2007:

• Waiting on David to incorporate fixes into CVS
  • Got email on March 13th in which he addressed Weddie's 5 issues from March 12th email
  • Terry will email David Spence with regards to status
• Terry to test all TG nodes - see #TeraGrid Test Plan and GSI-SSHTerm Testing
• There is a outstanding issue of first connections on Mac sometimes failing. Not sure how to fix at this time.
• Terry will write a set of user document linked to the current distribution page.
  • Sections for general applicability, NCSA and TeraGrid.

Usability Issues

Requested:

• Delegate an RFC compliant impersonation proxy by default rather than a full legacy proxy. | Fixed in NCSA CVS
  • Updated to jglobus 1.7, requesting UK GSI-SSHTerm maintainers contribute their MyProxy SASL/Kerberos extensions to JGlobus

Other Peculiarities:

• Focus issues on applet when the MyProxy Prompt window is not user-initiated. Specific to Firefox (3.0, 3.5.3) on Mac OS X (10.5.8). Results in inability to enter text.
  • Mac OS X 10.5.8 Safari 4.0.3 is fine. Windows Vista Firefox 3.5.3 is fine. Ubuntu 9.04 Firefox 3.0 was fine...
  • Firefox 64-bit build is not available yet to test Java 6 64-bit on Mac

• Under Linux, SunJDK Java 6 can be very slow to load GSI-SSHTerm applet compared to other applets (File Manager applet was reasonable). May be specific to Ubuntu 9.04 (32 or 64 bit), Firefox 3.0 or 3.5.
  • Could not reproduce the issue from within NCSA network, on the latest alpha of Ubuntu 9.10

• OpenJDK Java 6 behaves weirdly with the applet and the credentials passed in as an applet parameter (TGUP)
  • Reauthentication via MyProxy prompt sometimes necessary after first connection (Ubuntu)
  • Unexpected cert error (Fedora 11)
  • Can't get instance of DH KeyPairGenerator for either applet or application (transient?, Ubuntu)

• Applet message: "Netscape security model is no longer supported. Please migrate to the Java 2 security model instead."
  • At least some of these come from the Cryptix provider libs, no active development since 2005, not much I can do

Fixed:

• Option to destroy the proxy on logout. | Fixed in SourceForge CVS
• Mac OS X screen refresh problems. | Mostly fixed. Block cursor still disappears sometimes.
• Scroll bar is broken on Mac OS X? | Fixed in SourceForge CVS
• view->fullscreen does bad things on Mac OS X | Works for me - press <ALT>+F
• connection times out after a few minutes? | Unable to duplicate
• portal should be able to pass existing GSSCredentials to the applet to avoid a second authentication | Fixed in SourceForge CVS
• Add JRE auto-install logic to the JWS pages. | Done.

jsiwek fixes (to 0.91g):

• Skip corrupted lines in the known_hosts file rather than throwing an exception. | Fixed in NCSA CVS, patch submitted to NGS
• When the applet/application launches, immediately activate (pop up) the New Connection dialog (from the File menu) to prompt the user for the host to connect to. | Fixed in NCSA CVS
• Closing the MyProxy connection prompt should not inform the user via an exception window that they canceled the connection | Fixed in NCSA CVS
• Error message for bad myproxy login ID should consistently use the same error format as the bad password error message | Fixed in NCSA CVS
• Do not read known_hosts when using external-keyx authentication | Fixed in NCSA CVS
• Change logging level to WARN on this startup message: "[AWT-EventQueue-0] ERROR ui.SshToolsApplicationPanel - Can't find menu Help" | Fixed in NCSA CVS, patch submitted to NGS
• BrowserLauncher updated to BareBonesBrowserLaunch to get Help menu items to properly open default web browser on Mac & Linux. | Fixed in NCSA CVS, patch submitted to NGS
• Word wrapping at 130 characters added for the error dialogs | Fixed in NCSA CVS, patch submitted to NGS
• In the applet, provide the ability to force use of the external-keyx authentication method only. If authentication fails, show the error reason, rather than prompting the user to pick a different authentication method (i.e., what it currently does). | Fixed in NCSA CVS (sshapps.auth.methods property now takes a list of preferred authentication methods)
• Removed "Try Another Method" button from the "MyProxyPrompt" window because it did nothing and is misleading | Fixed in NCSA CVS
• Make CR the default end-of-line character to avoid the often incorrectly guessed default of CRLF (which would cause an extra, annoying newline upon pressing enter/return) | Fixed in NCSA CVS
• Better error handling and more suggestive hints (hints about inaccurate local system clock when using gsscredential applet parameter and hints about local CA certs/CRLs) | Fixed in NCSA CVS
  • patch to JGlobus GlobusCredential.verify() (for doing full path validation instead of just expiration date checks) | Fixed in JGlobus CVS

Issues Reported to GSI-SSHTerm Team

Reported:

• Mac OS X usage behaviours
  • Font text is not clean in application/applet's session area.
• Bad Username/password error message, may need to be clearer for experienced and novice users.

Resolved:

• Keep proxy around for subsequent logins.
• Scroll bar is non functional.
• Text in the session area seems to disappear and reappear, possible screen refresh issue. Issue stems from Mac OS X Java event queue implementation. Mostly fixed. Now only the block cursor sometimes disappears upon CRLF.
• Currently no way to view proxy info or destroy proxy through GSI-SSHTerm.- FIXED! New Proxy pulldown menu added to do both.
• Full Screen Toggling works when going to full screen mode but is kludgy when trying to get out of full screen mode. - Use <ALT>+F on Mac OS X, Use right-click popup menu on WinXP.

Project Plan

• DONE: [Weddie] Prepare a GSI-SSHTerm build containing the NCSA/TG CA certificates in the the jar's res/certificates directory so they are installed automatically.

• DONE: [Weddie] Report to the GSI-SSHTerm developers the bug requiring X11 to be running on MacOS X to use the application.

• DONE: [Terry] Setup a CVS repository at NCSA for the GSI-SSHTerm code to enable ongoing support, using a CVS "vendor branch", incorporating Weddie's modifications to-date. Synchronize with the latest version in the SourceForge project's CVS.

• DONE: [Terry] Prepare the following GSI-SSHTerm packages to be hosted on www.ncsa.uiuc.edu, signed with NCSA certificates:
  • GSI-SSHTerm applet for NCSA users: Runs GSI-SSHTerm in a web browser, using myproxy.ncsa.uiuc.edu.
  • GSI-SSHTerm applet for TG users: Runs GSI-SSHTerm in a web browser, using myproxy.teragrid.org.
  • GSI-SSHTerm JWS application for NCSA users: Runs GSI-SSHTerm from the desktop, using myproxy.ncsa.uiuc.edu.
  • GSI-SSHTerm JWS application for TG users: Runs GSI-SSHTerm from the desktop, using myproxy.teragrid.org.

• DONE: [Terry] Create documentation and scripts for making these packages, so it's easy to make new NCSA releases with the GSI-SSHTerm team makes new releases, or when we need to update the CA certificate bundle, or when we need to fix a bug ourselves.

• DONE: [Terry] Resolve usability issues identified by TG Services WG.

• DONE: [Terry] Modify build.xml script to put all classes into a single JAR file for easy upgrading.

• IN PROGRESS:[Weddie] Update documentation and coordinate a final round of beta testing among NCSA staff before public release.

• [Weddie] Make the public announcement.

TeraGrid Test Plan

1. Get complete list of login nodes from TeraGrid user portal
2. Attempt GSI-SSHTERM login to each node.
3. Open a ticket for every failure by emailing help@teragrid.org and record failure here.

See GSI-SSHTerm Testing for test connections to various TeraGrid machines.

CVS

A CVS repository for the gsi-sshterm project has been created. A "vendor branch" was imported for the project.

To check out the code:

   export CVSROOT=":ext:username@cvs.ncsa.uiuc.edu:/CVS/gsi-sshterm"
   cvs -q co sshtools

There is a document "cvsvendorbranch.html" I created to show the commands I used when importing the vendor branch as well as the documentation I consulted to create the vendor branch.

To build and distribute:

  1. Make sure ant is installed and configured properly.
  2. Checkout or place the source code on a case sensitive filesystem (Mac's w/ HFS+ will not suffice)
  3. Change to the directory with the build.xml file.
  4. Type "ant -Dmyproxy=ncsa" (without the quotes).
  5. Type "ant -Dmyproxy=teragrid".
  6. Change into the "release-jws" directory.
  7. Copy all files to the grid.ncsa.uiuc.edu website in the "gsi-sshterm" directory. 
     For example, connect to tungsten.ncsa.uiuc.edu and copy the files to the directory
     /afs/ncsa.uiuc.edu/web/grid.ncsa.uiuc.edu/htdocs/gsi-sshterm/. 

Terry Fleury <tfleury -at- ncsa.uiuc.edu>