ABSTRACT
Grid computing promises gains in effective computational power, resource utilization, and resource accessibility, but in order to achieve these gains, organizations must deploy grid middleware that, in most cases, does not adhere to fundamental security principles. This paper introduces a new lightweight grid middleware called Mesh, which is based on the addition of a single sign-on capability to the built-in public key authentication mechanism of SSH using system call interposition. The initial Mesh implementation is compatible with approximately 90% of the world's SSH servers and any SSH client that supports public key authentication. Resources may be added to a Mesh-based grid in a matter of minutes using just five small files and two environment variable settings. Mesh adheres to fundamental security principles and was designed to be compatible with strong security mechanisms including two-factor authentication, SSH bastions, and restrictive firewalls. Mesh uses a remote command model based on the syntax and commands users already understand, and thus requires no additional knowledge to use effectively. Several existing services have been integrated with Mesh to provide resource discovery and query, high performance file transfer, and job management.
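As an added illustration (not Mesh's own code) of the user-space system call interposition the abstract names: a shared-object shim that, when loaded into the SSH server with LD_PRELOAD, redirects the server's open() of a user's ~/.ssh/authorized_keys to a key file under a directory that a single sign-on service controls. The choice of open() on authorized_keys as the interposition point, and the environment variable MESH_KEYDIR, are assumptions made for this example; the abstract does not state which calls Mesh intercepts.

```c
#define _GNU_SOURCE
#include <dlfcn.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *)-1l)   /* glibc's value, in case _GNU_SOURCE came too late */
#endif
#define SUFFIX "/.ssh/authorized_keys"

/* Map "<home>/.ssh/authorized_keys" to "<keydir>/<user>", where <user> is the
 * last component of <home>.  Returns 1 and fills out on redirect, else 0. */
int mesh_redirect_path(const char *path, const char *keydir,
                       char *out, size_t outlen)
{
    size_t plen = strlen(path), slen = strlen(SUFFIX);
    if (!keydir || !*keydir || plen <= slen ||
        strcmp(path + plen - slen, SUFFIX) != 0)
        return 0;                      /* not an authorized_keys lookup */
    const char *home_end = path + plen - slen;
    const char *user = home_end;
    while (user > path && user[-1] != '/')
        user--;
    if (user == home_end)              /* home path ends in '/', no user name */
        return 0;
    int n = snprintf(out, outlen, "%s/%.*s", keydir, (int)(home_end - user), user);
    return n > 0 && (size_t)n < outlen; /* 0 if the rewritten path was truncated */
}

/* Interposed open(2): the server's call lands here when the shim is preloaded;
 * everything except the redirected path is handed to the real open(). */
int open(const char *path, int flags, ...)
{
    static int (*real_open)(const char *, int, ...);
    char buf[4096];
    mode_t mode = 0;
    va_list ap;
    if (!real_open)
        real_open = dlsym(RTLD_NEXT, "open");
    if (flags & O_CREAT) {             /* a mode argument is only present with O_CREAT */
        va_start(ap, flags);
        mode = va_arg(ap, int);
        va_end(ap);
    }
    /* MESH_KEYDIR is a hypothetical variable set in the server's environment */
    if (mesh_redirect_path(path, getenv("MESH_KEYDIR"), buf, sizeof buf))
        path = buf;
    return real_open(path, flags, mode);
}
```

Build with `cc -shared -fPIC -o mesh_shim.so mesh_shim.c -ldl`; the shim only changes which file is consulted, so the server's own key parsing and authorization checks still run unchanged.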
Mesh: secure, lightweight grid middleware using existing SSH infrastructure