ABSTRACT
SciTokens SSH is a pluggable authentication module (PAM) that uses JSON Web Tokens (JWTs) for authentication to the Secure Shell (SSH) remote login service. SciTokens SSH supports multiple token issuers with local token verification, so scientific computing providers are not forced to rely on a single OAuth server for token issuance and verification. The decentralized design for SciTokens SSH was motivated by the distributed nature of scientific computing environments, where scientists use computational resources from multiple providers, with a variety of security policies, distributed across the globe.
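As an added illustration of the local, multi-issuer verification the abstract describes (example code, not the SciTokens SSH project's own): a trust store keyed by issuer, a signature check that needs no call back to the issuer, and a rule for which local accounts a token from each issuer may log in as. Assumptions: HS256 with a per-issuer secret stands in for the asymmetric issuer keys real SciTokens use, and the issuer URLs, audience and account mapping are constructed.

```python
# Added example (not the SciTokens SSH project's code): offline JWT verification
# against a per-issuer trust store. HS256 per-issuer secrets are an assumption
# standing in for the issuers' real asymmetric keys, so only stdlib is needed.
import base64, hashlib, hmac, json, time

# Constructed trust store: accepted issuers, their verification key, and the
# local account(s) a token from that issuer may log in as.
TRUSTED_ISSUERS = {
    "https://issuer-a.example/": {"key": b"issuer-a-secret", "users": {"alice"}},
    "https://issuer-b.example/": {"key": b"issuer-b-secret", "users": {"bob"}},
}
EXPECTED_AUD = "ssh.host.example"   # constructed audience for this SSH host

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(iss: str, sub: str, aud: str, ttl: int, key: bytes, now=None) -> str:
    """Build a signed token as an issuer would (only used to produce test input)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256"}).encode())
    payload = _b64url(json.dumps({"iss": iss, "sub": sub, "aud": aud,
                                  "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_login(token: str, requested_user: str, now=None) -> bool:
    """True only if the token comes from a trusted issuer, its signature checks
    under that issuer's key, it is unexpired, it names this host, and the issuer
    is allowed to map to the requested local account. No network call is made."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:                      # malformed token (bad base64/JSON/parts)
        return False
    if header.get("alg") != "HS256":        # pin the algorithm; never trust the header
        return False
    issuer = TRUSTED_ISSUERS.get(claims.get("iss"))
    if issuer is None:                      # unknown issuer: nothing local can verify it
        return False
    expected = hmac.new(issuer["key"], f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False
    if claims.get("aud") != EXPECTED_AUD or claims.get("exp", 0) <= now:
        return False
    return requested_user in issuer["users"]
```

A PAM module would call `verify_login` with the token presented at login and the account name SSH is authenticating; scope claims are not checked here.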
SciTokens SSH: Token-based Authentication for Remote Login to Scientific Computing Environments