short-paper

SciTokens SSH: Token-based Authentication for Remote Login to Scientific Computing Environments

Authors:

You Alex Gao,

Jim Basney,

Alex WithersAuthors Info & Claims

PEARC '20: Practice and Experience in Advanced Research Computing 2020: Catch the Wave

Pages 465 - 468

https://doi.org/10.1145/3311790.3399613

Published: 26 July 2020 Publication History

Get Access

Abstract

SciTokens SSH is a pluggable authentication module (PAM) that uses JSON Web Tokens (JWTs) for authentication to the Secure Shell (SSH) remote login service. SciTokens SSH supports multiple token issuers with local token verification, so scientific computing providers are not forced to rely on a single OAuth server for token issuance and verification. The decentralized design for SciTokens SSH was motivated by the distributed nature of scientific computing environments, where scientists use computational resources from multiple providers, with a variety of security policies, distributed across the globe.

References

[1]

Jason Alt, Rachana Ananthakrishnan, Kyle Chard, Ryan Chard, Ian Foster, Lee Liming, and Steve Tuecke. 2020. OAuth SSH with Globus Auth. In Proceedings of the Practice and Experience in Advanced Research Computing (Portland, OR, USA) (PEARC ’20). ACM, New York, NY, USA, 12. https://doi.org/10.1145/3311790.3396658

Digital Library

Google Scholar

[2]

Mine Altunay, Brian Bockelman, Andrea Ceccanti, Linda Cornwall, Matt Crawford, David Crooks, Thomas Dack, David Dykstra, David Groep, Ioannis Igoumenos, Michel Jouvin, Oliver Keeble, David Kelsey, Mario Lassnig, Nicolas Liampotis, Maarten Litmaath, Andrew McNab, Paul Millar, Mischa Sallé, Hannah Short, Jeny Teheran, and Romain Wartel. 2019. WLCG Common JWT Profiles. https://doi.org/10.5281/zenodo.3460258

Crossref

Google Scholar

[3]

Brian Bockelman and Derek Weitzel. 2019. scitokens/scitokens-cpp (Version v0.3.0). https://doi.org/10.5281/zenodo.2656677

Crossref

Google Scholar

[4]

T. Lodderstedt (Ed.), M. McGloin, and P. Hunt. 2013. OAuth 2.0 Threat Model and Security Considerations. RFC 6819. https://doi.org/10.17487/RFC6819

Digital Library

Google Scholar

[5]

D. Hardt. 2012. The OAuth 2.0 Authorization Framework. RFC 6749. https://doi.org/10.17487/RFC6749

Digital Library

Google Scholar

[6]

M. Jones, J. Bradley, and N. Sakimura. 2015. JSON Web Token (JWT). RFC 7519. https://doi.org/10.17487/RFC7519

Digital Library

Google Scholar

[7]

M. Jones, N. Sakimura, and J. Bradley. 2018. OAuth 2.0 Authorization Server Metadata. RFC 8414. https://doi.org/10.17487/RFC8414

Digital Library

Google Scholar

[8]

J. Richer. 2015. OAuth 2.0 Token Introspection. RFC 7662. https://doi.org/10.17487/RFC7662

Digital Library

Google Scholar

[9]

S. Tuecke, R. Ananthakrishnan, K. Chard, M. Lidman, B. McCollam, S. Rosen, and I. Foster. 2016. Globus Auth: A research identity and access management platform. In 2016 IEEE 12th International Conference on e-Science (e-Science). 203–212. https://doi.org/10.1109/eScience.2016.7870901

Crossref

Google Scholar

[10]

S. Tuecke, V. Welch, D. Engert, L. Pearlman, and M. Thompson. 2004. Internet X.509 Public Key Infrastructure (PKI) Proxy Certificate Profile. RFC 3820. https://doi.org/10.17487/RFC3820

Digital Library

Google Scholar

[11]

V. Welch, F. Siebenlist, I. Foster, J. Bresnahan, K. Czajkowski, J. Gawor, C. Kesselman, S. Meder, L. Pearlman, and S. Tuecke. 2003. Security for Grid services. In High Performance Distributed Computing, 2003. Proceedings. 12th IEEE International Symposium on. 48–57. https://doi.org/10.1109/HPDC.2003.1210015

Crossref

Google Scholar

[12]

Alex Withers, Brian Bockelman, Derek Weitzel, Duncan Brown, Jeff Gaynor, Jim Basney, Todd Tannenbaum, and Zach Miller. 2018. SciTokens: Capability-Based Secure Access to Remote Scientific Data. In Proceedings of Practice and Experience on Advanced Research Computing (Pittsburgh, PA, USA) (PEARC ’18). ACM, New York, NY, USA, Article 24, 8 pages. https://doi.org/10.1145/3219104.3219135

Digital Library

Google Scholar

[13]

Alex Withers, Brian Bockelman, Derek Weitzel, Duncan Brown, Jason Patton, Jeff Gaynor, Jim Basney, Todd Tannenbaum, You Alex Gao, and Zach Miller. 2019. SciTokens: Demonstrating Capability-Based Access to Remote Scientific Data using HTCondor. In Proceedings of the Practice and Experience in Advanced Research Computing (Chicago, IL, USA) (PEARC ’19). ACM, New York, NY, USA, Article 118, 4 pages. https://doi.org/10.1145/3332186.3333258

Digital Library

Google Scholar

[14]

T. Ylonen and C. Lonvick (Ed.). 2006. The Secure Shell (SSH) Authentication Protocol. RFC 4252. https://doi.org/10.17487/RFC4252

Digital Library

Google Scholar

Cited By

View all

John Koilpillai YKumar R(2023)Token-Based Identity Model Using OpenID Connect For Unmanaged Systems2023 IEEE 5th International Conference on Cybernetics, Cognition and Machine Learning Applications (ICCCMLA)10.1109/ICCCMLA58983.2023.10346795(281-286)Online publication date: 7-Oct-2023
https://doi.org/10.1109/ICCCMLA58983.2023.10346795
Cardone RPadhy SBlack SStubbs JCleveland S(2023)A Decentralized Authorization and Security Framework for Distributed Research Workflows*2023 IEEE 47th Annual Computers, Software, and Applications Conference (COMPSAC)10.1109/COMPSAC57700.2023.00102(741-746)Online publication date: Jun-2023
https://doi.org/10.1109/COMPSAC57700.2023.00102
Li HCao RXiu HWan MLi KWang XWang YWang J(2021)Secure Shell Remote Access for Virtualized Computing EnvironmentSmart Computing and Communication10.1007/978-3-030-97774-0_11(123-132)Online publication date: 29-Dec-2021
https://dl.acm.org/doi/10.1007/978-3-030-97774-0_11

Recommendations

SciTokens: Demonstrating Capability-Based Access to Remote Scientific Data using HTCondor
PEARC '19: Practice and Experience in Advanced Research Computing 2019: Rise of the Machines (learning)

The management of security credentials (e.g., passwords, secret keys) for computational science workflows is a burden for scientists and information security officers. Problems with credentials (e.g., expiration, privilege mismatch) cause workflows to ...
SciTokens: Capability-Based Secure Access to Remote Scientific Data
PEARC '18: Proceedings of the Practice and Experience on Advanced Research Computing: Seamless Creativity

The management of security credentials (e.g., passwords, secret keys) for computational science workflows is a burden for scientists and information security officers. Problems with credentials (e.g., expiration, privilege mismatch) cause workflows to ...
Flexible Enforcement of Multi-factor Authentication with SSH via Linux-PAM for Federated Identity Users
PEARC '17: Practice and Experience in Advanced Research Computing 2017: Sustainability, Success and Impact

A computational science project with restricted-access data was awarded an allocation by XSEDE in 2016 to use the Bridges supercomputer at the Pittsburgh Supercomputing Center (PSC). As a condition of the license agreement for access to the data, multi-...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

PEARC '20: Practice and Experience in Advanced Research Computing 2020: Catch the Wave

July 2020

556 pages

ISBN:9781450366892

DOI:10.1145/3311790

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 26 July 2020

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Short-paper
Research
Refereed limited

Funding Sources

National Science Foundation

Conference

PEARC '20

Sponsor:

PEARC '20: Practice and Experience in Advanced Research Computing

July 26 - 30, 2020

OR, Portland, USA

Acceptance Rates

Overall Acceptance Rate 133 of 202 submissions, 66%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

3
Total Citations
View Citations
418
Total Downloads

Downloads (Last 12 months)37
Downloads (Last 6 weeks)8

Reflects downloads up to 14 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

John Koilpillai YKumar R(2023)Token-Based Identity Model Using OpenID Connect For Unmanaged Systems2023 IEEE 5th International Conference on Cybernetics, Cognition and Machine Learning Applications (ICCCMLA)10.1109/ICCCMLA58983.2023.10346795(281-286)Online publication date: 7-Oct-2023
https://doi.org/10.1109/ICCCMLA58983.2023.10346795
Cardone RPadhy SBlack SStubbs JCleveland S(2023)A Decentralized Authorization and Security Framework for Distributed Research Workflows*2023 IEEE 47th Annual Computers, Software, and Applications Conference (COMPSAC)10.1109/COMPSAC57700.2023.00102(741-746)Online publication date: Jun-2023
https://doi.org/10.1109/COMPSAC57700.2023.00102
Li HCao RXiu HWan MLi KWang XWang YWang J(2021)Secure Shell Remote Access for Virtualized Computing EnvironmentSmart Computing and Communication10.1007/978-3-030-97774-0_11(123-132)Online publication date: 29-Dec-2021
https://dl.acm.org/doi/10.1007/978-3-030-97774-0_11

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

HTML Format

View this article in HTML Format.

HTML Format

Abstract

References

Cited By

Recommendations

SciTokens: Demonstrating Capability-Based Access to Remote Scientific Data using HTCondor

SciTokens: Capability-Based Secure Access to Remote Scientific Data

Flexible Enforcement of Multi-factor Authentication with SSH via Linux-PAM for Federated Identity Users

Comments

Information

Published In

Sponsors

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Funding Sources

Conference

Acceptance Rates

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

Login options

Full Access

View options

PDF

eReader

HTML Format

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations