Presentation is loading. Please wait.

Presentation is loading. Please wait.

SSH & GSI-X.509 Happily Living Together in Harmony Frank Siebenlist - Dec 6, 2007.

Published byKelly Hampton Modified over 8 years ago

Similar presentations

Presentation on theme: "SSH & GSI-X.509 Happily Living Together in Harmony Frank Siebenlist - Dec 6, 2007."— Presentation transcript:

1 SSH & GSI-X.509 Happily Living Together in Harmony Frank Siebenlist franks@mcs.anl.gov MWSG@LBNL - Dec 6, 2007

2 GSI-X509-PKIX “Somewhat” difficult to setup “Somewhat” difficult to manage “Somewhat” incomprehensible trust model “Somewhat” difficult to explain why you need it when you already have X …but all our Grid middleware relies on X.509 –…but not on PKIX –…just on SSL & X509Certs (& proxies)

3 SSH-PKI Secure… –uses same RSA pk-crypto as X509&SSL Relatively easy to setup Relatively easy to understand trust model –You “are” your key Works well with “limited” number of hosts and users –No registration/certification authorities Actually there are… but they are the normal account admins User is often her own admin for authZ Sysadmins have few issues with an SSH-PKI –They do have issues with PKIX admin

4 authorized_keys vs gridmap Both simple access control list authorized_key maps key to account –By being in the account already gridmap maps user-name/DN to account –Single map per host (at least for gram/gridftp, but we can have gridmaps per resource also) ? See any similarities ?

5 known_hosts vs GSI Host AuthZ known_hosts –binds the host “name(s)” to a key “name(s)” are ip-names & ip-addresses Asserted by the client by managing the entries (either maintained dynamically or distributed by sysadmin) GSI Host AuthZ –Host’s X509-Cert validation Cert’s CA in “trusted file/directory” Or self-signed cert in “trusted file/directory” –Host-Cert’s AltSubject name equals host’s ip-name ? See any similarities ?

6 How to leverage those similarities? (1) GSI requires SSL requires X.509 => GSI requires X.509 –The SSL-protocol requires X.509 Certs Thus we cannot use the SSH protocols themselves for GSI …but can we use the SSH authN and authZ fabric (id_rsa,known_hosts&authorized_keys)?

7 How to leverage those similarities? (2) SSH: You are your key –Your public key is your “name” GSI: Use self-signed X.509 Certificates where the name/DN is the public key –Subject=DN=\PK=123a3b… (naming convention) (urn:base64:sha1: or ssh’ readable key format) Reuse the SSH credentials in ~/.ssh/id_rsa –Use that key to generate a self-signed X.509 cert –Copy private key to default key file used by SSL

8 How to leverage those similarities? (3) GSI Client&Server AuthN through SSL: –Present self-signed cert to peer –Validation succeeds if self-signed cert in trusted file/directory –Cert’s (Alt)Subject name should “equal” cert’s public key (“public-key-DN”) GSI Client AuthZ: –If an account’s authorized_keys’ file has entry for public key then gridmap file should have mapping entry for that account and the equivalent public-key-DN GSI Host AuthZ: –If the requested host’s name (ip-name/address) equals an entry in the client’s known_hosts file AND that same entry’s public key matches the host-cert’s name (“public-key-DN”) then host is OK

9 How to leverage those similarities? (4) X.509 Validation of Self-Signed Keys –“Somehow” self-signed user and host certs should be added to trusted file/directory on clients and servers After user&host self-signed cert are created, sysadmin could collect them and install them in the right place and make them available to users to install locally. (would work with any default SSL install) or –“Enhance” path-validation routine to always accept self- signed certs where subject name equals public key (there is no real risk associated with this policy…over time ssl dev-community could be convinced to add it to their code)

10 How to leverage those similarities? (5) GSI Client AuthZ: –Replicate each account’s authorized_keys’ entries in gridmap file by hand (or by cron job) or –“authorized_keys-PDP” could check account’s authorized_keys files in real-time GSI Host AuthZ: –Enhance host authZ code to optionally check whether host’s public-key-DN and ip-name/address has entry in user’s known_hosts file (requires coding), or –Leverage OGSA-Sec-BP’s EPR annotation to include the self-signed Host-cert (wouldn’t use known_hosts…), or –Get some real host authZ in place with real pluggable PDPs and such, or just a “host-gridmap-file” (=known_hosts ;-) ), or –Just use “normal” X509-PKI host-certs

11 Conclusion We can leverage an existing SSH-PKI&authZ deployment for our GSI-PKI&authZ “almost” out of the box! –Well defined recipe: we can generate self-signed certs by hand from the SSH creds, move certs in the right SSL-trusted places, modify gridmap based on authorized_keys, use EPRs annotated with host certs (or add known_hosts check) –Or enhance path-validation, write authorized_keys PDP and known_hosts check/PDP… The result would truly make GSI deployment easier for small scale usage… –And all would work as now (even delegation/proxies with GridFTP)

Download ppt "SSH & GSI-X.509 Happily Living Together in Harmony Frank Siebenlist - Dec 6, 2007."

Similar presentations

Proxy Certificate Profile Douglas E. Engert Argonne National Laboratory 12/14/2001 COPYRIGHT STATUS: Documents authored by Argonne National.

Proxy Certificate Profile Douglas E. Engert Argonne National Laboratory 12/14/2001 COPYRIGHT STATUS: Documents authored by Argonne National.
The Community Authorization Service: Status and Future Ian Foster 1,2, Carl Kesselman 3, Laura Pearlman 3, Steven Tuecke 1, Von Welch 2 1 Argonne National.

The Community Authorization Service: Status and Future Ian Foster 1,2, Carl Kesselman 3, Laura Pearlman 3, Steven Tuecke 1, Von Welch 2 1 Argonne National.
Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management
Federated Identity for Grid Architects Tom Scavo NCSA

Federated Identity for Grid Architects Tom Scavo NCSA
Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Presentation Two: Grid Security Part Two: Grid Security A: Grid Security Infrastructure (GSI) B: PKI and X.509 certificates C: Proxy certificates D:

Presentation Two: Grid Security Part Two: Grid Security A: Grid Security Infrastructure (GSI) B: PKI and X.509 certificates C: Proxy certificates D:
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

Similar presentations

Ads by Google