[ogsa-wg] [SECURITY-AREA] Authentication in OGSA

Marty Humphrey humphrey at cs.virginia.edu
Mon Jan 22 07:11:43 CST 2007


Alan,

We have had discussions in the HPC Profile WG on this topic, and we believe
that the approach taken by the HPC Profile WG  (reflected in the "Security
Considerations for the HPC Profile" doc you reference) is the correct one to
appropriately meet the requirements of the use-cases that we have
identified. I admire the goals of your larger effort, but I believe that our
HPC Profile WG needs to remain focused on putting the final touches on the
HPC Basic Profile so that it can enter the OGF document/standardization
process. 

I believe that our WG has done an excellent job of creating a modular,
evolutionary design that properly balances more "long-term" concerns against
the constraints of existing and not-too-far-off-in-the-future commercial and
open-source tooling. I also believe the current drafts in the HPC Profile WG
reflect a broad balance of current and future academic and commercial
interests. 

You'll note that in the HPC Profile, there are essentially TWO options for
client-side authentication: X.509 and username/password. Clearly
organizations can mandate the X.509 approach if they desire, but entirely
eliminating username/password authentication as an option would further
unnecessarily separate "The Grid folks" from mainstream commercial
approaches and efforts. 

Good luck with your WG efforts - we are certainly open to utilizing the
results of your efforts in a subsequent revision of the HPC Profile. Given
our HPC Profile's time constraints and deadlines, I believe that we need to
stick with our current approach and drafts.

Regards,
Marty 

-----Original Message-----
From: security-area-bounces at ogf.org [mailto:security-area-bounces at ogf.org]
On Behalf Of Alan Sill
Sent: Monday, January 22, 2007 3:19 AM
To: Andrew Grimshaw
Cc: OGSA Authentication WG BoF; security-area at ogf.org; ogsa-wg at gridforum.org
Subject: Re: [SECURITY-AREA] [ogsa-wg] Authentication in OGSA

Hi Andrew and the OGSA-WG,

I apologize for missing the meeting last Thursday on this topic.  We have a
machine full of new cluster and grid equipment, and I have been fully
occupied commissioning and configuring it.

I am afraid that I differ rather strongly with the direction being taken
with regard to the HPC profile at this stage.  My view is strongly that
simple username/password login, even SSL secured, is quite demonstrably
insufficiently secure to deploy as a model for authentication and access to
high performance computing.  I disagree fairly strongly that any sort of
stop-gap of this nature should be written into the HPC profile, distributed
or promoted at this time.

I have an excuse for having taken so long to reply on this topic.  It was
necessary for me to investigate as thoroughly as possible the current state
of deployment of GSI-secured alternatives to username/password login and to
do so in a way that would allow me to give a credible response to all of you
regarding the state of the art on this topic.

At this point I am assured and feel sufficiently confident to proceed,
either at OGF-19 or before, with Andrew, Marty, and whoever else would like
to participate on a revision of the HPC profile that would cover more secure
basic access to high performance cluster and storage systems based on
GSIOpenSSH and similar software that uses either GT4 or an equivalent
callout.  We are writing standards, not implementations, but I wished to be
sure that the state of the art on existing implementations would be
consistent with making this recommendation.

It is essential from my point of view to promote secure access to HPC
resources.  As the bulk of the compromise attacks that have been successful
over the past 2 to 3 years on HPC resources has been through discovery and
reuse of username/password combinations from ordinary users (at least as I
read the recent record), I think that now is not the right time to propose
backing off from the use of strong cryptographic methods to use HPC
resources in grid settings.
The use of strong cryptography does not have to be limited to X.509 "pure
classic" PKI, and I look forward to an active discussion on federated
identity and related topics to be held at the OGF meeting next week.  It is
clear to me that recent improvements to the availability and technology for
authentication, authorization and attribute transmission will make many
modes of access to grid resources possible with appropriate security that up
to now have been either impossible or confined to limited implementation.

For the moment, I would like to suggest that a revision of the HPC profile
propose that "only GSI or equivalently secure architectures be used for
direct access to HPC resources" and that the document be revised
specifically to discourage the direct access by users to highly capable
computational and to secure storage resources by username/password
mechanisms.  In my own project, we use GSI-OpenSSH via grid-mapfiles.  I
have been able to confirm that current implementations of GSI-OpenSSH are
capable of interoperating with more general callout-based systems, including
attribute-based AuthZ systems, without modification.  Therefore it is not
necessary for users to have username/password access if direct login is
needed on an HPC system.

As a further enhancement to the document and to the profile, I feel it would
be useful to describe architectures for pure-computational (i.e., batch-only
access), for pure-login (i.e., front-end and submission access),
pure-storage (i.e., stage-in/stage-out and related data handling) and for
the interesting use case of "managed fork" (i.e., interactive but sand-boxed
grid access) systems.  I believe these changes would result in an improved
HPC profile that would be of better total usability within the HPC
community.  This document is NOT attached, instead your original one is for
discussion, but I believe can be worked out in the context of discussions to
be held at OGF-19 next week.

Sorry for being (apparently but not really) strident, but I believe the
above reflects current best practices better than recommending
username/password support for direct login to HPC systems.  I would not
personally be able to support the current draft as written.

Thanks and best wishes,
Alan

On Jan 18, 2007, at 2:16 PM, Andrew Grimshaw wrote:

> All,
>
> On this morning's call I volunteered to see what was up with the HPC
> profile working group with respect to authentication.  Recall that we
> need some sort of authentication story in the short run or we cannot
> put together any form of realistic, cross-organizational, compute
> grids with BES, or for that matter data grids using RNS/ByteIO.
>
> Attached is a short white paper from the HPC Profile WG (or maybe just 
> the three authors). It is BES-specific, but I think the ideas may be 
> generalized to a broader set of OGSA services. I think we should 
> consider it, or something like it.
>
> Note that it does NOT deal with the ultimate authentication and 
> delegation problem that we will face. Rather, I personally (speaking 
> only for myself, and not even the people in my research
> group) think that this sort of solution is a stop gap that we can use 
> for a while, and that we will ultimately deprecate in favor of whatever
> comes out of the OGSA-Authentication WG.
>
> So, for your reading pleasure - and with my thanks to Marty for giving 
> me a copy.
>
> A
>
> Andrew Grimshaw
> Professor of Computer Science
> University of Virginia
> 434-982-2204
> grimshaw at cs.virginia.edu



