Child pages
  • WBS 2.3.2 OAuth SSH Planning 2019-06-06 Meeting

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


Discuss how we will engage others in XSEDE to evolve existing interactive login capabilities.


Which use cases does this concern?

  • CAN-04 - Interactive login
    Most high-performance computing and high-throughput computing services require users to open a remote terminal session on a login server. This is a vital access mode for shared computing services.
  • CAN-06 - Authenticate with an application
    An individual needs to securely share his or her identity with an application in order to use a feature that requires authorization.
  • HPC-01 & HPC-02
  • HTC-01 & HTC-02
  • DA-01 through DA-05
  • VIS-01 through VIS-05
  • CB-08 - Use XSEDE SSO with campus login servers
    A campus IT administrator wants to allow XSEDE­-registered researchers to login to campus login servers (remote command shell) using their XSEDE usernames/passwords.
  • RC-03? - Install software on a resource for use by a research community

Which use cases does this NOT concern?

  • CAN-01 - Run a remote job
  • SGW-03 - Science Gateway community execution management

Current components:

  1. SP login nodes with GSI OpenSSH server and Globus client (from Globus)
  2. SSO hub with OpenSSH using Kerberos and xsede-user-tfa PAM modules (from XSEDE) and Globus GSI OpenSSH client (from Globus)
  3. Any command line client running any SSH client accessing the SSO hub

Possible future components:

  1. SP login nodes with GSI OpenSSH server and Globus client (from the Grid Community Toolkit)
    1. Q: Who would be providing the support for this software (GSI* from GCT)?
  2. Any command line client running any SSH client with the Globus SDK (a.k.a. Globus Auth OpenSSH)
  3. Any command line client running any SSH client with web based login service (a.k.a. Lee's pilot)
  4. Jupyter based browser login client
    1. Lee thinks Jupyter isn't a login client. (It doesn't provide a terminal interface on the compute system.) True or false?
    2. If the above is true, is the idea that users will no longer need terminal interfaces on XSEDE systems? That seems unlikely given the current systems.
  5. Open OnDemand


  • Meeting with which people
    • SP PIs - Design & maintain the systems XSEDE provides access to and know the intended uses, users
    • Heavy SSH users on current XSEDE systems (SSO hub, others?)
  • With what purpose