XSEDE Canonical Use Case 4 Interactive Login

Similar documents
GSI Online Credential Retrieval Requirements. Jim Basney

Guidelines on non-browser access

NOTIFICATION OF CHANGE PURPOSE OF THIS DOCUMENT:...2 REASON FOR THE UPGRADE...2 SYSTEM REQUIREMENT:...2 FIRST TIME ACCESS:...

UGP and the UC Grid Portals

ConnectUPS-X / -BD /-E How to use and install SSL, SSH

Using the MyProxy Online Credential Repository

X-WAVE Canonical Use Case 3 Remote File Access Level 3 Version 0.92

X-WAVE Canonical Use Case 1 Run A Remote Job Level 3 Version 0.94

Common Report Engine Leipzig. Ref. 0003

XSEDE Iden ty Management Use Cases

Your use of AirUWS-Lite is subject to the University s IT Acceptable Use of Resources Policy.

Configure Settings and Customize Notifications on FindIT Network Probe

User Directories. Overview, Pros and Cons

Configuring SSH and Telnet

Webthority can provide single sign-on to web applications using one of the following authentication methods:

SSH with Globus Auth

Radius, LDAP, Radius used in Authenticating Users

Clientless SSL VPN Remote Users

NoMachine NX Client Configuration Guide

Quintiles JReview Customer Access Guide. Version Number: 11. Document Version:

CPSC 467: Cryptography and Computer Security

Credentials Management for Authentication in a Grid-Based E-Learning Platform

3.1 Getting Software and Certificates

Create and Apply Clientless SSL VPN Policies for Accessing. Connection Profile Attributes for Clientless SSL VPN

XSEDE Software and Services Table For Service Providers and Campus Bridging

Evaluation Guide Host Access Management and Security Server 12.4

Clientless SSL VPN End User Set-up

UNIT 5 MANAGING COMPUTER NETWORKS LEVEL 3 NETWORK PROTOCOLS

Sagem Orga Strong, Global, Innovative.

Lotus IBM Lotus Notes Domino 8 Developing Web Applications. Download Full Version :

XSEDE Software and Services Table For Service Providers and Campus Bridging

CPSC 467b: Cryptography and Computer Security

Configuring Proxy Settings. STEP 1: (Gathering Proxy Information) Windows

Configure WSA to Upload Log Files to CTA System

Application Notes for CounterPath Bria Mobile with Avaya Aura Presence Services Snap-in running on Avaya Breeze TM Platform- Issue 1.

UNIVERSITY OF CYPRUS Computer Science Department

Connect to Wireless, certificate install and setup Citrix Receiver

Evaluation Guide Host Access Management and Security Server 12.4 SP1 ( )

Hosted Microsoft Exchange Client Setup & Guide Book

BR*Tools Studio 7.10 for Oracle Multi-instance Server Standalone Part 2: Server, Database Instances and their Users

MULTI FACTOR AUTHENTICATION USING THE NETOP PORTAL. 31 January 2017

VII. Corente Services SSL Client

Security Assertions Markup Language

Configure WSA to Upload Log Files to CTA System

Client 2. Authentication 5

Configuring SSH and Telnet

Pulse Secure Desktop Client

Skandocs Installation and Connectivity Guide What you need to know to successfully utilise the Internet connectivity in Skandocs

How to Configure SSL VPN Portal for Forcepoint NGFW TECHNICAL DOCUMENT

Cryptography Application : SSH. Cyber Security & Network Security March, 2017 Dhaka, Bangladesh

Security in Confirmit Software - Individual User Settings

All about SAML End-to-end Tableau and OKTA integration

Oracle Utilities Opower Solution Extension Partner SSO

Installing and Configuring Extension Mobility Using Either: Extended Services 2.2; CRA 2.2 or CRS 3.0(2) and CallManager 3.2

Troubleshooting Guide ir Advance Series

Configuring Local Authentication and Authorization

ProxyCap Help. Table of contents. Configuring ProxyCap Proxy Labs

Managing GSS User Accounts Through a TACACS+ Server

XSEDE Architecture Level 3 Decomposition

Configuring Secure Shell (SSH)

Radius, LDAP, Radius, Kerberos used in Authenticating Users

UNT System Campus VPN Guide

Getting Started with XSEDE. Dan Stanzione

Configuring 802.1X Authentication Client for Windows 8

Safeguarding Cardholder Account Data

FUEGO 5.5 WORK PORTAL. (Using Tomcat 5) Fernando Dobladez

DCCKI Interface Design Specification. and. DCCKI Repository Interface Design Specification

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

Connect to Wireless, certificate install and setup Citrix Receiver

Welcome to the e-learning course for SAP Business One Analytics Powered by SAP HANA: Installation and Licensing. This course is valid for release

Hardware Tokens in META Centre

Alliance Key Manager AKM for AWS Quick Start Guide. Software version: Documentation version:

Identity Provider for SAP Single Sign-On and SAP Identity Management

Tenable Common Criteria Evaluated Configuration Guide. October 29, 2009 (Revision 4)

Configuring Switch-Based Authentication

The Rockefeller University I NFORMATION T ECHNOLOGY E DUCATION & T RAINING. VPN Web Portal Usage Guide

Xcalar Installation Guide

XSEDE Architecture Overview

User Authentication Principles and Methods

How to open ports in the DSL router firmware version 2.xx and above

Configuring the Management Interface and Security

Help Document Series: Connecting to your Exchange mailbox via Outlook from off-campus

One Identity Management Console for Unix 2.5.1

Cisco ISE Features. Cisco Identity Services Engine Administrator Guide, Release 1.4 1

Deploying the TeraGrid PKI

How to Set Up External CA VPN Certificates

Hypertext Transfer Protocol Over Secure Sockets Layer (HTTPS)

Affinity Provider Portal Training Manual

FortiNAC. Aerohive Wireless Access Point Integration. Version 8.x 8/28/2018. Rev: E

WAM!NET Submission Icons. Help Guide. March 2015

Certificate Enrollment for the Atlas Platform

One Identity Defender 5.9. Product Overview

A VO-friendly, Community-based Authorization Framework

Numerics. Index 1. SSH See SSH. connection inactivity time 2-3 console, for configuring authorized IP managers 11-5 DES 6-3, 7-3

SSL VPN User Guide. Access Manager Appliance 3.2 SP2. June 2013

How to Configure SSH Tunnel in Remote Desktop Manager

AT&T Global Network Client for Mac User s Guide Version 2.0.0

System Requirements. Network Administrator Guide

The SafeNet Security System Version 3 Overview

Licensing the Application CHAPTER

Transcription:

XSEDE Canonical Use Case 4 Interactive Login Architectural Response Table of Contents Contents Introduction Structure of this Document Canonical Use Case 4 Architectural Response Quality of Service Attributes CAN4.a No unencrypted passwords over the network CAN4.b Standard web browser CAN4.c SSHv2 client CAN4.d Reattach session Introduction This document describes the realization of Canonical Use Case 4, Interactive Login, using the XSEDE XUAS architectural components. See http://hdl.handle.net/2142/46550 for the use cases. It is assumed that the reader has already read and is familiar with the XSEDE Architecture Level 3 Decomposition (L3D), in particular 3 (Access Layer). The authors suggest that this document be open or on hand when reading this document. Structure of this Document This document comprises two sections. 2 reviews the interactive login use case and 3 describes how the XSEDE components are used to implement the use case from 2. last saved: Tuesday, May 20, 2014 1

Canonical Use Case 4 Canonical use case 4 is Interactive login. The description is An XSEDE user establishes an interactive login session on an SP operated login service. The use case starts with a number of assumptions, specifically: 1. The User is aware of the existence of and name of a specific XSEDE SP operated login service. 2. The User is authorized to use the SP operated login service. 3. The User has access to the Internet. 4. The User has authenticated to XSEDE per UCCAN 6. 5. The User has prepared his/her local workstation to support remote graphical applications (e.g., running an X server). The use case is simple: the user needs to gain access to a login shell on a specific SP operated login service, and needs to do so using his/her XSEDE identity (as opposed to a separate local username and password on the login server). As explained by the quality attributes, the user must be able to accomplish this task using either a standard web browser or a standard SSHv2 client. In addition to obtaining access to the login shell, the user may also need to be able to run programs on the login host that are, in turn, able to open graphical interfaces on the user s local display. Table 1 lists the quality attributes for the use case. There are no variations. Table 1: Interactive login use case quality attributes UCCAN 4.0 Interactive login QAS CAN4.a QAS CAN4.b QAS CAN4.c QAS CAN4.d The implementation should never require that an unencrypted password be transmitted over a network. The user must be able to complete this use case using a standard web browser. The user must be able to complete this use case using a standard SSHv2 client. If the login shell session is lost for some reason, the user must be able to reattach to the session after a reconnection. last saved: Tuesday, May 20, 2014 2

Architectural Response Assume that 1. The User is aware of the existence of and name of a specific XSEDE SP operated login service. 2. The User is authorized to use the SP operated login service. 3. The User has access to the Internet. 4. The User has authenticated to XSEDE per UCCAN 6. 5. The User has prepared his/her local workstation to support remote graphical applications (e.g., running an X server). 6. The SP has installed and configured the GSI enabled SSH service (GSI OpenSSH s sshd or an interoperable equivalent) as described in [L3D 8.1.3]. Access via XSEDE User Portal (XUP) Access to XSEDE login services via web browser is supported via the XUP, making use of XSEDE s common identification and authentication services and the GSI enabled SSH services on each login server. When a user logs into the XUP, the XUP uses XSEDE s Kerberos services [L3D 7.1.2.1] to authenticate the user. The XUP then uses XSEDE s MyProxy service [L3D 7.1.2.2] to obtain a short lived X.509 proxy credential for the user, which it stores on the XUP servers. The XUP interface allows the user to list XSEDE HPC and HTC services that he/she is authorized to use. Clicking a link next to one of these services downloads a Java applet GSI SSH client to the user s local browser environment. (NOTE: The browser must support Java to use this applet.) The Java GSI SSH client runs in the user s browser and obtains a delegated proxy credential [L3D 7.1.2] for the user from the XUP web server. It then uses that credential to authenticate to the selected login service via SSHv2 with X.509 authentication [L3D 7.3.5] and presents the user with an interactive shell on the login server. Access via SSHv2 Client Access to XSEDE login services via SSHv2 client is supported via the XSEDE login service [L3D 3.2.6]. If the user is using a graphical SSH interface, he/she connects to login.xsede.org and authenticates using his or her XSEDE userid and password. The login.xsede.org SSH service uses XSEDE s MyProxy service [L3D 7.1.2.2] to authenticate the user and obtain a short lived X.509 proxy credential, which it stores locally. It then presents the user with a restricted login shell that allows the user to ssh to any of XSEDE s SP operated login services, at which point the ssh client and service perform X.509 authentication using the proxy credential stored last saved: Tuesday, May 20, 2014 3

previously. The user does not need to provide his/her userid and password again. If the user is using a command line SSH interface, this procedure can be further simplified using the following syntax. ssh l userid login.xsede.org ssh login server hostname This approach performs the same protocol and authentication transactions described above, but accomplishes it for the user in a single step. Quality of Service Attributes CAN4.a No unencrypted passwords over the network The architectural response above offers two ways to establish a shell: (1) via a Web browser and the XUP, and (2) via an SSHv2 client and the XSEDE login service. When using a Web browser, the user authenticates to the XUP using a secure HTTP connection (https) and his or her password is encrypted via the TLS session key. The authentication mechanisms between the XUP and the XSEDE Kerberos service and MyProxy service (covered in UCCAN 6) are fully encrypted and do not involve passing a user s password (or private key) over the network. (See the architectural response to UCCAN 6 for details. References for the rest of the authentication protocols mentioned below are provided above in the architectural response.) The Java applet GSI SSH client provided by the XUP is downloaded to the user s local system and runs there. The X.509 proxy delegation transaction between the GSI SSH client and the XUP web server (to obtain a short term proxy certificate) is fully encrypted and does not involve passing a user s password (or private key) over the network. Finally, the X.509 authentication mechanism between the GSI SSH client the SP operated login services is fully encrypted and does not involve passing a user s password (or private key) over the network. When using an SSHv2 client, the user authenticates to the XSEDE login service using a secure SSH connection and his or her password is encrypted via the TLS session key. Subsequent authentication transactions (a) between the XSEDE login service and the XSEDE MyProxy service and (b) between the XSEDE login service and the SP operated login services are fully encrypted and do not involve passing a user s password (or private key) over the network. References to these protocol transactions are provided above in the architectural response. CAN4.b Standard web browser last saved: Tuesday, May 20, 2014 4

The architectural response details how to accomplish this use case via a standard web browser. CAN4.c SSHv2 client The architectural response details how to accomplish this use case via an SSHv2 client. CAN4.d Reattach session Our response does not provide an architectural feature to accomplish this. We believe that a feature built into the system architecture would be prohibitively expensive and is not necessary to obtain the intended user benefit. We note that most interactive Unix systems, such as those offered by XSEDE SPs, include a tool called screen that offers this functionality. To enable reattaching the session, the user first uses the screen command to establish a persistent terminal session. If the session is disrupted for some reason, the user can re connect to the login service as described above and then use the screen command again to connect to the previously established terminal session. Put another way, we propose that session reattachment should be a feature provided by the interactive login services themselves, as opposed to the system that connects the user to the login services. last saved: Tuesday, May 20, 2014 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback