REVIEW-6: SDIACT-202 Incremental GSI-OpenSSH fixes and enhancements - Design/Security Review

Overview

This review evaluates the general design and security risks of delivering an updated GSI-OpenSSH server and client to XSEDE.

Review Summary

The following items of note were discussed as part of the design review:

  1. Clarity was sought in regard to GSI-OpenSSH source code maintenance by XSEDE SD&I and the core packaging and releases by Globus.
  2. It was asked if GSI-OpenSSH would be would be subject to the proposed change by Globus to use the "strict" certificate identity checking algorithm and the answer was yes, it would be subject to it. Any impact to UNICORE 6 and Genesis II are potentially impacted (per Andrew Grimshaw).
  3. Questions about relocatability (neither the CentOS OpenSSH nor the Globus GSI-OpenSSH RPMs would be relocatable) were addressed.
  4. Development will try to make HPN, iSSHD (NERSCMOD), GSI patches available for easy review/audit as part of the source RPM.
  5. It was clarified that MECHGLUE is NOT required for Kerberos password authentication but would be required for Kerberos ticket authentication.
  6. SDSC and TACC alter the default paths for GSI-OpenSSH binaries. This will be supported via GSI-OpenSSH source packages.
  7. Subject to final approval by XSEDE SPs, Development will base the GSI-OpenSSH release on OpenSSH 7.1P1 (the latest release) as HPN and iSSHD patches are available for it.

Review Output Documents (Final)

https://software.xsede.org/svn/sdi/activities/sdiact-202/trunk/Plans/GSIOpenSSHServerDesign_v1.6.pdf

Review Input Documents

https://software.xsede.org/svn/sdi/activities/sdiact-202/trunk/Plans/GSIOpenSSHServerDesign_v1.5.pdf

Review Criteria

Scenario 1: User logs into SP from SSO Hub:
Concerns to be addressed when discussing this scenario:

  • Support for GSI-OpenSSH servers, GSI-OpenSSH clients, SSO Hub

Scenario 2: User logs into SP from another SP:
Concerns to be addressed when discussing this scenario:

  • Support for GSI-OpenSSH servers, GSI-OpenSSH clients

Scenario 3: Expert user logs into SP from own machine:
Concerns to be addressed when discussing this scenario:

  • Support for GSI-OpenSSH clients

Schedule

Current Date: 2019-06-26
Current Status: Closed (Design and Security Review)
Target Date Actual Date Activity Milestone
  2015-10-05 Review launch date
2015-10-09 2015-11-06 Written feedback due (Reviewers)
2015-10-14 2015-11-06 Written response date (Review Material Developers)
2015-10-16 2015-11-06 Final approval due and completion date (Reviewers)
Review Created: 2015-10-05 8:19 am
Review Last Updated: 2015-12-14 9:35 am

 

Reviewers

If you are a reviewer, please login to sign or withdraw from this review.

Required

  • David Carver
  • Christopher Jordan
  • JP Navarro
    SIGNED: 2015-11-06 12:39
  • Scott Sakai
    SIGNED: 2015-10-23 15:06
  • Derek Simmel
    SIGNED: 2015-10-09 15:58
  • Adam Slagell
    SIGNED: 2015-10-08 11:15

Optional

  • Victor Hazlewood
  • Jim Marsteller
  • Gary Rogers

Withdrawn

  • Shava Smallen

Review Material Developers

Venkatesh Yekkirala
Jim Basney

Review Facilitator

JP Navarro

 

Please post your comments using the "New topic" or "Post reply" buttons in the forum below.