GSI SSH command line tool


Linux users can install the command line GSI SSH client from package repositories, provided by the Globus Toolkit developers or by EGCF (European Globus Community Forum). Both APT and RPM based repositories are taken into account, with some minor differences. On an APT platform, the correct package to install is gsi-openssh-client while on RPM systems the target to use is gsi-openssh. In the latter case the GSI SSH daemon will be installed too. It is also advisable to retrieve the myproxy package in order to complete the set of tools needed to manage user’s grid identity.

EGCF also prepared a package distribution for Apple’s Macintosh OS X. The whole Globus Toolkit is bundled, including the GSI SSH and the MyProxy clients.

All other Unix platforms, together with Linux distributions for wich a packaged version does not exist, are supported via compilation of the source code.

Proxy creation

GSI SSH clients do not use directly user’s personal certificate. They rather rely on a proxy certificate, a time limited credential generated from the original one.

The cammand to enter in a shell in order to obtain a proxy certificate is


If the user certificate has been properly set up, then it is only necessary to enter the password chosen to protect the private key or the PKCS12 bundle.

The GSI SSH protocol has a single sign on feature. Each time it is used to obtain interactive access to a system, a new proxy certificate is created on the new system (signed by the proxy used to access the system). You can display the status of your proxy certificate with grid-proxy-info. Since it is available on the target system, it is not necessary to create a new one nor to move the original certificate. Any tool requiring a proxy certificate can be used right away.

Finally, it is also worth mentioning that a user can save online a proxy on one of the MyProxy servers managed by PRACE partners and retrieve it at any time. The MyProxy service is documented in this section of the documentation.


The basic syntax of the command line GSI SSH tool is failry easy:

gsissh <target system> -p <target port>

In order to find out the correct URL to use as <target system>, please refer to the PRACE Door Nodes list, to the PRACE resources catalogue or to any information provided by the Home or Execution sites.

The default <target port> the client tries to connect to is 22, while on most PRACE resources the service is located on port 2222. It is possible to change this behaviour, avoiding to specify the -p flag each time the command is invoked. It is necessary to add, uncomment or modify the entry Port 2222 in the file /etc/gsissh/ssh_config on the machine where the client is executed. The access to the configuration file could require administrative privileges.