More tidbits:
"Globus Toolkit 6" implements the Grid Security Infrastructure. [1] It includes a modified version of OpenSSH (which accepts PKI certificates) and a per-machine DN-to-local-user mapping file. RPMs have been released for Fedora 19/20 and RHEL/CentOS 5, 6 and 7.
As I understand it, grid logins are via proxy certificates, which are derived from your end-entity certificate and have a limited lifetime. These are managed by MyProxy, which can leverage Kerberos authentication on local identities to control the release of keys [2].
Positing a cluster that uses FreeIPA/sssd for local user management and is running GSI-enabled OpenSSH: would sssd have an opportunity to map DNs to local users (and potentially centralize this mapping by referring to an LDAP server)? Likewise, would sssd have an opportunity to obtain a Kerberos ticket for the local user via S4U2Self/S4U2Proxy based on a successful PKI authentication?
Sorry for having this trickle in slowly. I'm playing catch-up here.
Bryce
[1] http://toolkit.globus.org/toolkit/docs/6.0/admin/quickstart/#quickstart
[2] http://grid.ncsa.illinois.edu/myproxy/pam.html#krb5
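The per-machine DN-to-local-user mapping file mentioned above is the Globus grid-mapfile: one quoted certificate subject per line followed by one or more comma-separated local usernames, the first being the default. The following Python is an added illustration written for this page, not code from the message author or from the Globus Toolkit. The grid-mapfile content is constructed, and the stripping of trailing `CN=proxy`, `CN=limited proxy` and numeric `CN=` components to recover the end-entity subject from a proxy certificate's subject is an assumption about GSI naming conventions rather than something the message states. Malformed lines map nothing, and an unmapped or mismatched DN yields no local user, which is the safe default for a login decision.

```python
"""Resolve a GSI certificate DN to a local user via a grid-mapfile (added example)."""
import re
from typing import Dict, List, Optional

# Constructed sample grid-mapfile content (not from the original message or Globus).
SAMPLE_GRIDMAP = '''
# Comment lines and blank lines are ignored.
"/C=US/O=Example Org/OU=Cluster/CN=Jane Doe" jdoe
"/C=US/O=Example Org/OU=Cluster/CN=Ops Account" ops,batch
"/C=US/O=Example Org/OU=Cluster/CN=Bad Line"
'''

# A well-formed entry: quoted DN, whitespace, then a comma-separated user list.
_LINE_RE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<users>\S+)$')

# Assumption: proxy certificates append these CN components to the EEC subject.
_PROXY_CN_RE = re.compile(r'^CN=(proxy|limited proxy|\d+)$')


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Parse grid-mapfile text into {dn: [user, ...]}; malformed lines are skipped."""
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _LINE_RE.match(line)
        if not m:
            # A DN with no user list (or any other malformed line) maps nothing.
            continue
        users = [u for u in m.group('users').split(',') if u]
        if users:
            mapping[m.group('dn')] = users
    return mapping


def eec_subject(dn: str) -> str:
    """Strip trailing proxy-style CN components to get the end-entity subject."""
    parts = dn.split('/')
    while len(parts) > 1 and _PROXY_CN_RE.match(parts[-1]):
        parts.pop()
    return '/'.join(parts)


def map_dn(mapping: Dict[str, List[str]], dn: str,
           requested_user: Optional[str] = None) -> Optional[str]:
    """Return the local user for a (possibly proxy) DN, or None if not permitted.

    With no requested user the first listed account is the default; a requested
    user is honoured only if it appears in the DN's list.
    """
    users = mapping.get(eec_subject(dn))
    if not users:
        return None
    if requested_user is None:
        return users[0]
    return requested_user if requested_user in users else None


if __name__ == '__main__':
    gridmap = parse_gridmap(SAMPLE_GRIDMAP)
    proxy_dn = "/C=US/O=Example Org/OU=Cluster/CN=Jane Doe/CN=12345/CN=proxy"
    print(map_dn(gridmap, proxy_dn))          # jdoe
    print(map_dn(gridmap, proxy_dn, "root"))  # None
```

The same lookup logic is what a centralized alternative would need to provide: replace the file-backed `mapping` with an LDAP query keyed on the end-entity subject and keep the "no match means no user" behaviour unchanged.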