Child pages
  • WBS 2.3.2 OAuth SSH Planning 2019-06-06 Meeting
Skip to end of metadata
Go to start of metadata


Agenda, Discussion, and Action Items

Discuss how we will engage others in XSEDE to evolve existing interactive login capabilities.


Which use cases does this concern?

  • CAN-04 - Interactive login

    Most high-performance computing and high-throughput computing services require users to open a remote terminal session on a login server. This is a vital access mode for shared computing services.

  • CAN-06 - Authenticate with an application

    An individual needs to securely share his or her identity with an application in order to use a feature that requires authorization.

  • HPC-01 & HPC-02

  • HTC-01 & HTC-02

  • DA-01 through DA-05

  • VIS-01 through VIS-05

  • CB-08 - Use XSEDE SSO with campus login servers
    A campus IT administrator wants to allow XSEDE­-registered researchers to login to campus login servers (remote command shell) using their XSEDE usernames/passwords.
  • RC-03? - Install software on a resource for use by a research community

Which use cases does this NOT concern?

  • CAN-01 - Run a remote job
  • SGW-03 - Science Gateway community execution management

Current components:

  1. SP login nodes with GSI OpenSSH server and Globus client (from Globus)
  2. SSO hub with OpenSSH using Kerberos and xsede-user-tfa PAM modules (from XSEDE) and Globus GSI OpenSSH client (from Globus)
  3. Any command line client running any SSH client accessing the SSO hub

Possible future components:

  1. SP login nodes with GSI OpenSSH server and Globus client (from the Grid Community Toolkit)
    1. Q: Who would be providing the support for this software (GSI* from GCT)?
  2. Any command line client running any SSH client with the Globus SDK (a.k.a. Globus Auth OpenSSH)
  3. Any command line client running any SSH client with web based login service (a.k.a. Lee's pilot)
  4. Jupyter based browser login client
    1. Lee thinks Jupyter isn't a login client. (It doesn't provide a terminal interface on the compute system.) True or false?
    2. If the above is true, is the idea that users will no longer need terminal interfaces on XSEDE systems? That seems unlikely given the current systems.
  5. Open OnDemand

We will probably need to meet with these people?

  • XCI management - What are we supposed to be doing? What is our mandate/scope for this?
    • E.g., just get through XSEDE-2, or look farther ahead?
  • SP PIs - They design & maintain the systems XSEDE provides access to and know the intended uses, users
  • Campus login server admins (CB-08) - They design campus login services & asked for SSO Hub access
  • Heavy SSH users on current XSEDE systems (SSO hub, others?)
  • Q: Should we also ask people who do computational science via other interfaces (Open OnDemand, Jupyter, cloud systems) how they do it and how they think it should be done on other systems?

With what purpose?

  • Confirm how SSH is currently used/needed on XSEDE SP systems, campus research systems.
  • Find out about future/upcoming systems and their interfaces.
  • Get a sense of the future needs for SSH access and how folks would LIKE it to work.


We don't know where SSH access is going and need to engage users and XSEDE stakeholders to identify a path forward.

Needs that are driving this discussion:

  • Products that have vendor/community support
  • Interfaces that simplify interactive access and that users prefer to use
  • Modern, standard, and ubiquitous user authentication and authorization mechanisms
  • Keep XSEDE innovative and leading in usability and ease of access thru the end of the program
  • Ensure XSEDE investments in improving SSH access matches user and SP needs and broader community
  • Identify what the future of SSH login is

Next steps / actions

We will survey users and SPs and hold a PEARC19 BOF so that by early Fall 2019 we have the input needed to prepare an XSEDE SSH futures plan.

  • Lee Liming and Jim Basney  Prepare public facing background and context setting slides by  
    1. Present the broader context of wider adoption of web based access methods
  • JP Navarro , Shava Smallen , and Kate Kaya Prepare survey(s) for SSH users and service providers by  
    1. Preferably using the RSP
    2. Reference context slides in survey introduction
    3. Current SPs, new system SPs (TACC, cloud, and others), campus operators
    4. Include questions about direct inter-resource ssh and scp
  • Shava Smallen Will try to get 2 PEARC19 BOFs, one for this topic and the other for user needs discussion with SPs
    1. Reuse context slides in the BOF introduction
    2. Open to everyone
  • Consider a community Q&A teleconference before the close of the survey period
  • Consider a more detailed analysis of SSO hub usage and if possible SP ssh usage
  • Compile BOF input, survey, and other input to new/updated use cases and "SSH Futures" CDPs by