Post design and security questions and feedback in this thread.
If I'm understanding the document correctly, XSEDE will operate an OOD instance, which connects to participating XSEDE resources using SSH.
I wasn't able to tell if these SSH connections are cached (per-user, of course) so that OOD operations are multiplexed over a single login. (See: ssh_config(5) ControlMaster) If no such connection caching takes place, some OOD plugins will create a flood of SSH logins, which is very unfriendly behavior and likely to result in an IP-block.
Should such connection caching be used, subsequent invocations of ssh using the ControlMaster socket will not be subject to any authentication checks (since they're already using an authenticated connection). As MFA is not required to log in to OOD each time, a new login could gain access to a resource without using MFA if the initial ControlMaster connection is still available for use. Consequently, MFA would need to be required for each OOD login, not just for establishing an SSH session.
(Different reply, different topic)
Regarding oauth-ssh, since it's being re-visited, can it run its http(s) client transport, json parsing, and any regex operations as an unprivileged user (similar to ssh-nobody, not the actual account)? None of that has to happen as root, and those operations pose an attack surface that doesn't exist without this module.
For greater adoption across XSEDE resources, I suggest considering the use of an XSEDE SSH-CA instead (see ssh-keygen(1): CERTIFICATES) of an extra PAM module. These aren't x509 certificates, and support is built-in for all modern OpenSSH servers and clients. There'd still need to be a vetting and accreditation process for such a service, but in exchange, adding a resource is a matter of adding a file with the CA's public key, and a couple of lines to sshd_config. I have some proof-of-concept code that takes an OIDC access token and returns a user cert + key blob, if anyone is interested.
Looks good. Just one typo - in F.7, firstname.lastname@example.org should instead be email@example.com - the firstname.lastname@example.org email address doesn't exist. -Jim
From: "Chalker, Alan" <email@example.com>
Subject: RE: Review for XCI-496?
Date: March 31, 2022 at 9:56:59 AM CDT
To: "Navarro, JP" <firstname.lastname@example.org>, "Hudak, David" <email@example.com>
Our team has reviewed the document and doesn’t have any concerns / edits. The major issue is one of who will do what, particularly in light of the anticipated XSEDE -> ACCESS transition. Do you need Dave to formally do something on the website or is this email sufficient?
Alan Chalker, Ph.D.firstname.lastname@example.org
© ACCESS All Rights Reserved.
ACCESS is an advanced computing and data resource supported by the
National Science Foundation
and made possible through these lead institutions and their partners –
Carnegie Mellon University
University of Colorado Boulder
University of Illinois at Urbana-Champaign
State University of New York at Buffalo