How can I access Globus services using a command line interface?

Globus CLI is a standalone application that provides a command line interface to Globus services, both the Transfer and Auth services. More information on the CLI is available here.

Globus also has a legacy hosted CLI, which provides a restricted shell that users can log into and access the Globus transfer service. More information on the legacy hosted CLI is available here.

What is an SSH key? Why do I need one?

An SSH key is a security credential that is used to confirm your identity to Globus when you access the file transfer service via the legacy hosted CLI. In order to login to the legacy hosted CLI, you must have a valid public SSH key (or an X.509 certificate) in your profile.

How do I add an SSH key to my Globus account?

Note:If you don’t already have an SSH key, instructions for creating one are available here for Mac OSX, Linux, and Windows systems.
  1. Go to

  2. Sign in with your Globus ID account and select "manage SSH and X.509 keys".

  3. Click "Add a New Key".

  4. Enter a descriptive name in the "Alias" field.

  5. Select "SSH Public key" and copy & paste your public key into the "body" field. Note: On a Mac OS X or Linux/Unix system, your key is usually found in ~/.ssh/

  6. Click "Add Key" to save.

It will take a few minutes for the SSH key to propagate through the system. You may then access the legacy hosted CLI by typing:

$ ssh <my_globus_id_user_name>

For more information about the legacy hosted CLI, see the Using the Legacy CLI guide.

How do I generate an SSH key to use with the Legacy CLI?

Mac OSX/Linux/Unix

The ssh-keygen command is used to create keys. There are many options for it. We recommend that you run it this way:

$ ssh-keygen -t rsa -b 2048

This will create and store both your public and private keys in your ~/.ssh directory. It will overwrite any existing keys as well. To generate these keys, simply type ssh-keygen -t rsa -b 2048 and follow the prompts. To install the keys to the default location, just press enter when prompted for a file name. We strongly encourage the use of a passphrase.

Some machines may put these files in a different spot. If this is the case, make a note of where it puts them and what it names them. The is your public key and the id_rsa (and, if they exist, id_dsa or identity) file is your private key.

Windows Systems


Simply generate your key by clicking "Tools", then "Generate Public Key". Follow the prompts (RSA keys are fine, despite what the text above the selection box says). We strongly encourage the use of a passphrase.

2048 is an adequate key length. Make note of where it’s installing the key. It is probably something like:

C:\Documents and Settings\USERNAME\Application Data\VanDyke\Identity

If you upgraded from an old version, it might be:

C:\Documents and Settings\USERNAME\Application Data\Van Dyke Technologies\Identity

Say "Yes" to the global public key question.

Now, the tricky part. SecureCRT stores your public key in a funky format. You have a few options to get it into the format you need, do any one of the below.

  • Use Berkeley’s SSH-key converter - quick and easy.

  • Copy the public key ( to a machine that has OpenSSH installed and run: ssh-keygen -i -f >

Now, make SecureCRT use the key.

  • Click "File" then "connect", and for each existing entry, in the list (or for new ones you add) click the "Properties" button (it looks like a hand holding a card).

  • In the Authentication section under "Connection", change "Primary" to be "PublicKey". Choose "Properties" and make sure it’s using your global file.

  • Click "Options", "Global Options", and under SSH2 heading, check both boxes in the "Agent" section.

Now, the first SecureCRT session you open will ask the passphrase for the key you generated, and any subsequent ones will not (as long as SecureCRT is running.)

Note:If you converted a previously SSH1 session to use SSH2, check your port forwarding configuration. It may have been messed up. The checkbox for local IP address restrictions should be unchecked. If it’s not, uncheck it.


If you would like to use PuTTY as your ssh client, the first thing you should do is download the latest client. We have found that various older versions create odd problems when trying to use version2 keys. It only takes 10 seconds - no fancy installer, no rebooting.

Close any current PuTTY connections, move the current PuTTY executable (putty.exe) to the recycle bin, and download a new putty.exe from here. Your current preferences and saved connections will not go away. When you open the new PuTTY, all those things will still be there.

While you are grabbing the latest client, also grab PuTTYgen (puttygen.exe), which is the tool you will use to generate a new ssh key pair.

After downloading PuTTYgen, double-click on the PuTTYgen icon. At the very bottom of the dialog box, there is a section called "Parameters". Under "Type of key to generate:", click the radio button for "SSH2 RSA". You should set the "Number of bits in a generated key:" at the default value of 2048 or higher.

How do I Connect to the Hosted CLI (Legacy) using GSI SSH?

To use GSI SSH you need to configure your Globus profile with the X.509 Certificate that you will use to login.

Adding an X.509 certificate to a Globus account

  1. Sign in to your Globus account.

  2. Click here to go to the Manage Identities page.

  3. Click "add linked identity".

  4. Click "Add an X.509 Credential".

  5. Copy and paste the contents of your certificate PEM file (NOT your private key). Note that proxy certificates are not supported. Optionally, enter an identifying label.

  6. Click "Submit" to save

To find your PEM file, run grid-proxy-info at a command prompt. This will print the "path" of your certificate PEM file (e.g. /tmp/x509up_u502), as well as the "type". Make sure that the "type" is "end entity credential", and not some form of proxy. Note that many certificates fetched via the myproxy-logon command are still end entity credentials and can be used for this purpose. List the contents of this file, and then copy and paste the portion of the file between, and including, the lines: —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—–.

Activating an Endpoint

You can use GSI SSH to activate the endpoint. Once your account is configured, you can use the endpoint-activate command to activate the endpoint — refer to to the Legacy CLI tutorial for more details on using GSI SSH.

Why don’t I see any information when running the "details" and "events" commands?

This may be related to multiple transfers running simultaneously. If you issue multiple transfer requests, note that only three requests will be running simultaneously at any one time. The remaining transfers will be queued and start moving data as soon as another active transfer completes.

Why do I see "Permission denied" when accessing the Hosted CLI (Legacy)?

This is usually the result of missing information in your Globus profile. In order to use the legacy hosted CLI interface you will need to add your SSH public key to your Globus account. Please see the FAQ entry for information on how to add your key.

© 2010- The University of Chicago Legal