JIRA Issue

[#XCI-496] SSH with OAuth (OIDC/OAuth SSH service and client)

Created: 10/29/2018  Updated: 05/14/2019

Status: Proposed
Project: XSEDE Cyberinfrastructure Integration
Component/s: None
Fix Version/s: PY8 (Sep '18 - Aug '19)

Type: XCI New Capability
Priority: Major
Reporter: Lee Liming
Assignee: Lee Liming
Resolution: Unresolved
Votes: 0

Issue Links:
SD&I Deliverable
has deliverable XCI-572 Prepare repo for SSH with OAuth code Closed
has deliverable XCI-498 SSH with Globus Auth Deployment plan ... Proposed
has deliverable XCI-499 SSH with Globus Auth User Documentati... Backlog
has deliverable XCI-497 SSH with Globus Auth Deployment plan ... In Progress
has deliverable XCI-196 Deliver XSEDE user to OAuth identity ... Development
SD&I Design
implements design from XCI-501 Security review for Globus Connect Se... In Progress
XSEDE Priority: -
Public activity link: https://software.xsede.org/display/xci-496
Devel Repository: https://software.xsede.org/svn/xci/activities/xci-496/trunk/
Use Cases:
CAN-01: Run a Remote Job, CAN-04: Interactive Login, CAN-06: Authenticate to one or more SP resources, SP services, and XSEDE central services, CB-08: Use XSEDE SSO with campus login servers, IDM-14: SSH access using XSEDE identities for education
Effort and Costs:
| Staff Name (Lastname, Firstname) | Effort (person weeks) | Roles or Contributions | Status |
|---|---|---|---|
| Liming, Lee | 1 | one week of effort to lead and implement the activity (required) | none |
| Liming, Lee | 2.8 | three weeks of effort to draft the design document | none |
| Navarro, JP | 0.4 | two days to initiate a design & security review | none |
| DSR reviewers | 2 | Estimated: 10 reviewers, each spending one full day to review the design & security review materials, ask questions, discuss, ultimately vote up or down | none |
| Liming, Lee | 0.6 | three days to respond to DSR questions & issues | none |

NOTE: Effort for TRR deliverables will be tracked separately in sub-task activities.

| Due by | Activity Deliverable |
|---|---|
| DSR | Design document* |
| TRR | GA release of SSH with Globus Auth (from Globus) |
| TRR | Mapfile generator tool (from XSEDE)** |
| TRR | Deployment plan for SP admins** |
| TRR | Deployment plan for XSEDE SSO Hub** |
| TRR | Test plan* |
| TRR | User documentation for XUP/XSEDE website** |
| TRR (post) | TRR Baseline* (Shava) |
| Deployment | Deployment Baseline* (Shava) |
| Deployment | Test Report* (Shava) |

( * ) Click on "Deliverables" tab for URL.

( ** ) See linked issues for details & deliverables.

Lead Tester: Shava Smallen


This activity will prepare and test SSH with Globus Auth for use by XSEDE SPs and the XSEDE SSO Hub, based on the General Availability (GA) release of SSH with Globus Auth. SSH with Globus Auth is SSH based on OpenID Connect authentication: the same authentication mechanism used for XSEDE's Web SSO service.

When Globus announced its end-of-support for the Globus Toolkit, that included GSI-OpenSSH, which is SSH based on X.509 authentication. Most XSEDE SPs and the XSEDE SSO Hub use GSI-OpenSSH for their SSH (remote login) services. While support for GSI-OpenSSH may continue via open source community contributions, we are exploring other options for the future of XSEDE's SSH services.

