10–14 Jun 2024
Rennes, France
Europe/Paris timezone

The Federated SSH CA in the Core AAI Platform (12:45 - 13:15)

12 Jun 2024, 12:45
30m
Community Hub

Demonstration Community Hub 10

Speaker

Michal Stava (GÉANT)

Description

SSH access is an essential and standard building block of all HPC environments. In the last few years, more and more groups have focused on the security, operability, and user experience issues of this access, for example:

- a user is responsible for creating and managing their SSH keys, rekeying is hard to manage, and in the end, keys are used permanently
- TOFU (trust on first use) is always approved; almost nobody checks the key fingerprint of the host
- hostnames can't be reused, because reusing one changes the fingerprint
- key distribution across the infrastructure is complex and clumsy

The Core AAI Platform solves these problems by introducing support for signed SSH keys (SSH certificates) in addition to the commonly used SSH keys. SSH certificates are signed by a trusted Certification Authority and can then be used to access any machine without significant changes to the configuration on the hosts' side. At the same time, the CLI tools for users can be very lightweight and straightforward to use.

We would like to demonstrate this new capability of the GÉANT Core AAI Platform, which is already being used on the MyAccessID Service. In the demo, you will see how a user of the MyAccessID service can obtain and use a short-lived SSH certificate while authenticating via federated identity. We will show you a working scenario and how things can be configured, and discuss all the open questions we still have.

Presentation materials

There are no materials yet.