Created attachment 1299264 [details] actual result, gsissh log with f26 build Description of problem: globus ssh is not working in current openssl1.1. Version-Release number of selected component (if applicable): openssl 1.1 How reproducible: Everytime Steps to Reproduce: 1. install globus toolkit for fedora 26 2. grid-proxy-init 3. gsissh to server Actual results: the log file is added as gsissh_from_f26 Expected results: the log file is added as gsissh_from_f25 Additional info: I am lucky that the globus maintainer is my colleague, so I mailed him personally. He told me the reason: "The issue here is that Fedora 26 uses openssl 1.1. The original message integrity checking (MIC) algorithm used in GSI could not be ported to openssl 1.1 since it was using information that is now hidden inside opaque data structures in the new openssl. As part of the porting of the Globus Toolkit to openssl 1.1, a new MIC algorithm was written (MICv2) by the Globus Toolkit developers. If you are compiling Globus against openssl 1.1, only the new MIC is available. When compiling against openssl 1.0 both are available, and when compiling against the old openssl 0.9.8 only the old MIC is available. In the log the server identifies itself as "GSI_GSSAPI_20160606". This version only supports the old MIC. Support for the new MIC was added in the version labelled "GSI_GSSAPI_20161122". So for a client running on Fedora 26, which has openssl 1.1 and therefore does not support the old MIC, to be able to connect to a server, the server must run GSI_GSSAPI_20161122 or later, which the server you are trying to connect to does not do. I hope you will be able to contact the administrators of the server and ask them to update the server to a newer version. The server needs to have openssl 1.0 or later and a Globus Toolkit version from around November 2016 or later to support the new MIC. I hope it is not running something really old like RHEL 5, which was using openssl 0.9.8." Now, I mailed this to europe wide supercomputer facility(http://www.prace-ri.eu/prace-in-a-few-words/), and from support, I realize that, the upgradation will take time: Reply 1: > the Globus Toolkit stack was upgraded to the latest stable release on > Salomon yesterday (Wednesday May 18th). > You can try now if your latest version of GT on Fedora with MICv2 > works against it. > Salomon uses OpenSSL version openssl-1.0.1e-42.el6_7.4 (coming > directly from RHEL 6.7) and GT is compiled against it. And Final: I'm afraid that we'll have to keep you using the downgraded Globus Toolkit on your system. Seems, that the situation will eventually change after we upgrade to RHEL 7, but we'll have to check it then. Currently we don't plan to upgrade Salomon to RHEL 7.x sooner then next year. It mainly depends on the support matrix of our SW/driver stack (we have a combination of the vendors mgmt. system, IB OFED, Intel Phi's MPSS and Lustre). It is understandable from both Mattias and prace maintainers point. Currently I am living with globus from f25, but it wont be avalable after f27. So, I propose to maintain openssl 1.0 as well.
Created attachment 1299266 [details] gsissh log from f25 build
gsi-openssh-7.5p1-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-7c4eceda05
gsi-openssh-7.5p1-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-7c4eceda05
gsi-openssh-7.5p1-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.