[ogsa-wg] [SECURITY-AREA] Authentication in OGSA

Alan Sill Alan.Sill at ttu.edu
Mon Jan 22 08:46:35 CST 2007


Hi Marty,

Thank you for your response.  I look forward to a healthy discussion  
on these and related topics in the future.

Please note that my remarks were and are confined to the use case of  
grid services access to high performance computing clusters and  
related highly vulnerable resources, and should not be taken as a  
condemnation of username/password access in general.

I am excited and hopeful about the range of choices for delivery of
grid services to users across a range of needs for levels of
assurance.  I strongly believe that the path that has been taken up
to now for delivery of HPC resources through grid methods through
X.509 and related technologies has been wise, and that it is unwise to
write a profile for HPC that encourages the use of unadorned
username/access methods.  We have seen compromises through these means
in several cases.  I think the path forward for this use case is in
fact towards a higher level of assurance of identity than is possible
with simple username/password access, and strongly discourage
inclusion of this method in the HPC profile, at least for direct logon
to shell resources.  While this may be the practice for non-grid
services and may be suitable for delivery of access to other vehicles,
it is NOT the practice for current grid-enabled logons at present and
I believe the HPC group is off track in encouraging it.  This is,
however, just my opinion.

With best wishes,
Alan

On Jan 22, 2007, at 7:11 AM, Marty Humphrey wrote:

> Alan,
>
> We have had discussions in the HPC Profile WG on this topic, and we
> believe that the approach taken by the HPC Profile WG (reflected in
> the "Security Considerations for the HPC Profile" doc you reference)
> is the correct one to appropriately meet the requirements of the
> use-cases that we have identified. I admire the goals of your larger
> effort, but I believe that our HPC Profile WG needs to remain focused
> on putting the final touches on the HPC Basic Profile so that it can
> enter the OGF document/standardization process.
>
> I believe that our WG has done an excellent job of creating a
> modular, evolutionary design that properly balances more "long-term"
> concerns against the constraints of existing and
> not-too-far-off-in-the-future commercial and open-source tooling. I
> also believe the current drafts in the HPC Profile WG reflect a broad
> balance of current and future academic and commercial interests.
>
> You'll note that in the HPC Profile, there are essentially TWO
> options for client-side authentication: X.509 and username/password.
> Clearly organizations can mandate the X.509 approach if they desire,
> but entirely eliminating username/password authentication as an
> option would further unnecessarily separate "The Grid folks" from
> mainstream commercial approaches and efforts.
>
> Good luck with your WG efforts - we are certainly open to utilizing
> the results of your efforts in a subsequent revision of the HPC
> Profile. Given our HPC Profile's time constraints and deadlines, I
> believe that we need to stick with our current approach and drafts.
>
> Regards,
> Marty
>
> -----Original Message-----
> From: security-area-bounces at ogf.org [mailto:security-area-bounces at ogf.org]
> On Behalf Of Alan Sill
> Sent: Monday, January 22, 2007 3:19 AM
> To: Andrew Grimshaw
> Cc: OGSA Authentication WG BoF; security-area at ogf.org; ogsa-wg at gridforum.org
> Subject: Re: [SECURITY-AREA] [ogsa-wg] Authentication in OGSA
>
> Hi Andrew and the OGSA-WG,
>
> I apologize for missing the meeting last Thursday on this topic.  We
> have a machine full of new cluster and grid equipment, and I have
> been fully occupied commissioning and configuring it.
>
> I am afraid that I differ rather strongly with the direction being
> taken with regard to the HPC profile at this stage.  My view is
> strongly that simple username/password login, even SSL secured, is
> quite demonstrably insufficiently secure to deploy as a model for
> authentication and access to high performance computing.  I disagree
> fairly strongly that any sort of stop-gap of this nature should be
> written into the HPC profile, distributed or promoted at this time.
>
> I have an excuse for having taken so long to reply on this topic.  It
> was necessary for me to investigate as thoroughly as possible the
> current state of deployment of GSI-secured alternatives to
> username/password login and to do so in a way that would allow me to
> give a credible response to all of you regarding the state of the art
> on this topic.
>
> At this point I am assured and feel sufficiently confident to
> proceed, either at OGF-19 or before, with Andrew, Marty, and whoever
> else would like to participate on a revision of the HPC profile that
> would cover more secure basic access to high performance cluster and
> storage systems based on GSIOpenSSH and similar software that uses
> either GT4 or an equivalent callout.  We are writing standards, not
> implementations, but I wished to be sure that the state of the art on
> existing implementations would be consistent with making this
> recommendation.
>
> It is essential from my point of view to promote secure access to HPC
> resources.  As the bulk of the compromise attacks that have been
> successful over the past 2 to 3 years on HPC resources has been
> through discovery and reuse of username/password combinations from
> ordinary users (at least as I read the recent record), I think that
> now is not the right time to propose backing off from the use of
> strong cryptographic methods to use HPC resources in grid settings.
> The use of strong cryptography does not have to be limited to X.509
> "pure classic" PKI, and I look forward to an active discussion on
> federated identity and related topics to be held at the OGF meeting
> next week.  It is clear to me that recent improvements to the
> availability and technology for authentication, authorization and
> attribute transmission will make many modes of access to grid
> resources possible with appropriate security that up to now have been
> either impossible or confined to limited implementation.
>
> For the moment, I would like to suggest that a revision of the HPC
> profile propose that "only GSI or equivalently secure architectures
> be used for direct access to HPC resources" and that the document be
> revised specifically to discourage the direct access by users to
> highly capable computational and to secure storage resources by
> username/password mechanisms.  In my own project, we use GSI-OpenSSH
> via grid-mapfiles.  I have been able to confirm that current
> implementations of GSI-OpenSSH are capable of interoperating with
> more general callout-based systems, including attribute-based AuthZ
> systems, without modification.  Therefore it is not necessary for
> users to have username/password access if direct login is needed on
> an HPC system.
>
> As a further enhancement to the document and to the profile, I feel
> it would be useful to describe architectures for pure-computational
> (i.e., batch-only access), for pure-login (i.e., front-end and
> submission access), pure-storage (i.e., stage-in/stage-out and
> related data handling) and for the interesting use case of "managed
> fork" (i.e., interactive but sand-boxed grid access) systems.  I
> believe these changes would result in an improved HPC profile that
> would be of better total usability within the HPC community.  This
> document is NOT attached, instead your original one is for
> discussion, but I believe can be worked out in the context of
> discussions to be held at OGF-19 next week.
>
> Sorry for being (apparently but not really) strident, but I believe
> the above reflects current best practices better than recommending
> username/password support for direct login to HPC systems.  I would
> not personally be able to support the current draft as written.
>
> Thanks and best wishes,
> Alan
>
> On Jan 18, 2007, at 2:16 PM, Andrew Grimshaw wrote:
>
>> All,
>>
>> On this morning's call I volunteered to see what was up with the HPC
>> profile working group with respect to authentication.  Recall that we
>> need some sort of authentication story in the short run or we cannot
>> put together any form of realistic, cross-organizational, compute
>> grids with BES, or for that matter data grids using RNS/ByteIO.
>>
>> Attached is a short white paper from the HPC Profile WG (or maybe
>> just the three authors). It is BES-specific, but I think the ideas
>> may be generalized to a broader set of OGSA services. I think we
>> should consider it, or something like it.
>>
>> Note that it does NOT deal with the ultimate authentication and
>> delegation problem that we will face. Rather, I personally (speaking
>> only for myself, and not even the people in my research group) think
>> that this sort of solution is a stop gap that we can use for a while,
>> and that we will ultimately deprecate in favor of whatever comes out
>> of the OGSA-Authentication WG.
>>
>> So, for your reading pleasure - and with my thanks to Marty for
>> giving me a copy.
>>
>> A
>>
>> Andrew Grimshaw
>> Professor of Computer Science
>> University of Virginia
>> 434-982-2204
>> grimshaw at cs.virginia.edu
>>

Alan Sill, Ph.D
TIGRE Senior Scientist, High Performance Computing Center
Adjunct Professor of Physics
TTU

====================================================================
:  Alan Sill, Texas Tech University  Office: Admin 233, MS 4-1167  :
:  e-mail: Alan.Sill at ttu.edu   ph. 806-742-4350  fax 806-742-4358  :
====================================================================
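The GSI-OpenSSH-via-grid-mapfile arrangement Alan describes in his quoted message, shown as an added illustration that is not part of this thread or of any project's code: a presented certificate subject is resolved to a local account through the mapfile, and a subject with no entry is simply denied, with no password path to fall back on. The file format assumed is the classic Globus grid-mapfile (quoted subject DN, then comma-separated local names); the DNs and account names below are constructed samples.

```python
"""Resolve an X.509 subject DN to a local account via a grid-mapfile.

Assumed format (classic Globus/GSI-OpenSSH grid-mapfile): one entry per
line, a double-quoted subject DN followed by one or more comma-separated
local usernames; '#' starts a comment.  The entries below are constructed.
"""
import shlex
from typing import Dict, List, Optional

# Constructed sample grid-mapfile; DNs and accounts are placeholders.
SAMPLE_GRIDMAP = '''
# grid-mapfile: "<subject DN>" local_user[,local_user...]
"/C=US/O=Example Grid/OU=HPC/CN=Alice Researcher" alice
"/C=US/O=Example Grid/OU=HPC/CN=Bob Admin" bob,hpcadmin
"/C=US/O=Example Grid/OU=Services/CN=batch-submit" gridbatch
'''


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Return {subject DN: [local accounts]} from grid-mapfile text."""
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # shlex keeps the double-quoted DN (which contains spaces) whole
        parts = shlex.split(line, comments=True)
        if len(parts) != 2:
            raise ValueError(f"malformed grid-mapfile entry: {raw!r}")
        subject, accounts = parts
        mapping[subject] = [a for a in accounts.split(",") if a]
    return mapping


def map_subject(mapping: Dict[str, List[str]], subject: str,
                requested: Optional[str] = None) -> Optional[str]:
    """Resolve a presented certificate subject to a local account.

    With no requested account the first listed account is used; a
    requested account is honoured only if it is listed for that exact
    subject.  An unknown subject yields None, i.e. access is denied:
    there is no username/password fallback in this path.
    """
    accounts = mapping.get(subject)
    if not accounts:
        return None
    if requested is None:
        return accounts[0]
    return requested if requested in accounts else None
```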