Executive Summary: A researcher, educator, science gateway developer, or application developer needs to move a small amount of data (a handful of modest-sized files) to or from a community resource.
This use case is currently partially implemented via GSI-OpenSSH, but the user experience is complicated and not well-documented, and the current implementation doesn't fully honor SP security policies. Specifically, the process for obtaining an X.509 certificate for use with GSI-OpenSSH isn't well-documented, and the current implementation doesn't require multi-factor authentication. (In fact, some SP resources may not allow the current implementation for this reason.)
A new implementation based on OAuth-SSH can fix these issues, but significant work remains before it can be used on XSEDE. Specifically, we need to complete a deployment plan for the SSH server configuration for XSEDE service providers, a design & deployment plan for the user experience, and a final design & security review of these plans; the plans then need to be executed.
A very rough estimate of the remaining effort is 2 man-months. Given current staffing levels and the need for significant coordination across organizations, this is likely to take at least a year to complete.
| Component | User facing? | Component’s role in the capability |
|---|---|---|
| Globus Toolkit GSISSH Client/Server | yes | Community members can currently install the GSI-OpenSSH client on their local systems and use it to directly connect to the GSI-OpenSSH servers on XSEDE SP login nodes. To do this, the community member also needs to obtain and configure an X.509 certificate from XSEDE. |