One aspect of this issue is letting GSS-API choose the target username.
For example, in TeraGrid my username is different across the different
sites, and I rely on an OpenSSH patch to allow the client to specify an
empty string as username. Quoting RFC 4462:
The user name may be an empty string if it can be deduced from the
results of the GSS-API authentication.
This way I don't need to remember what my username is at each site. I
just let GSS-API take care of it. The OpenSSH bug about it, with a patch
I attached in 2006, is here:
https://bugzilla.mindrot.org/show_bug.cgi?id=1100
-Jim
On 5/13/11 9:51 AM, Jason Lander wrote:
> I saw Josh Howlett's presentation on the progress with Moonshot at a
> recent meeting of the HPC Special Interest Group. My background is in
> HPC and Grid computing.
>
> Firstly, I must say that what you have achieved so far is very impressive.
>
> What I am less sure about is how the HPC and Grid community would be
> able to use it.
>
> One potential use for Moonshot is to provide federated SSH access. This
> would be of particular interest to the HPC community.
>
> It would be seen by many as a great improvement over the current Grid
> solution - GSI enabled SSH using X509 certificates for authentication.
>
> What I, and some of my colleagues, are unclear about is how the
> authentication information used by Moonshot can be mapped to a LOCAL
> account.
>
> In the grid world, there are many ways in which the information within
> the X509 certificate is mapped to a unique username. Some are able to
> call out to an external service to perform the mapping using XAML as a
> mechanism.
>
> All the practical use cases require a unique identifier of some sort.
>
> The Moonshot wiki says:
>
> If the mechanism returns the local-login-user attribute (typically mapped
> using Shibboleth from a SAML attribute or RADIUS attribute), then that
> attribute controls what local accounts are acceptable
>
> According to discussions with Josh and with our local RADIUS
> administrator - the standard practice is for the RADIUS server to
> release NO information that uniquely identifies a user.
>
> Josh did mention that SAML assertions could also be generated, but I was
> not clear on what would be doing the generating.
>
> So... I'm afraid that I do not understand how the local-login-user
> attribute will be defined when using Moonshot and SSH.
>
> I think Josh and Rob Allan at the Daresbury Labs were trying to organise
> a meeting between those who do AAA on the grid and some of the Moonshot
> developers.
>
> - Jason
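The two messages above touch the same server-side decision: an SSH client may send an empty user name (RFC 4462) and let the authenticated GSS-API principal decide the account, but the server must still hold the mapping from principal to local login (the "local-login-user" question in Jason's mail) and never take the account name on the client's word. The following is an added illustration written for this page; it is not code from the thread, from OpenSSH, from the bugzilla patch, or from Moonshot. The packet layout follows RFC 4252/4462, while the principal names, the mapping table and the helper names are constructed for the example.

```python
# Added example: an SSH server's user-name decision for gssapi-with-mic.
# The GSS-API exchange itself is assumed to have already completed and to
# have yielded the authenticated client principal (gss_principal below).
import struct

SSH_MSG_USERAUTH_REQUEST = 50          # RFC 4252 section 5


def _ssh_string(b: bytes) -> bytes:
    """Encode an SSH 'string' (uint32 length prefix + bytes)."""
    return struct.pack(">I", len(b)) + b


def build_userauth_request(username: str, method: str = "gssapi-with-mic") -> bytes:
    """Fixed part of SSH_MSG_USERAUTH_REQUEST; an empty username is legal
    for GSS-API methods per RFC 4462."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST])
            + _ssh_string(username.encode())
            + _ssh_string(b"ssh-connection")
            + _ssh_string(method.encode()))


def parse_userauth_request(pkt: bytes) -> dict:
    """Decode the three leading strings (user name, service, method)."""
    if not pkt or pkt[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not an SSH_MSG_USERAUTH_REQUEST")
    pos, fields = 1, []
    for _ in range(3):
        (n,) = struct.unpack(">I", pkt[pos:pos + 4])
        pos += 4
        fields.append(pkt[pos:pos + n].decode())
        pos += n
    return {"user": fields[0], "service": fields[1], "method": fields[2]}


# Constructed mapping table (stands in for a gridmap file, .k5login, or a
# local-login-user attribute released by the federation):
# authenticated GSS-API principal -> local accounts it may log in to.
PRINCIPAL_MAP = {
    "alice@SITE-A.EXAMPLE": ["alice"],
    "alice@SITE-B.EXAMPLE": ["asmith"],          # same person, different local name
    "bob@SITE-A.EXAMPLE":   ["bob", "bob-admin"],  # one principal, two accounts
}


def resolve_local_user(requested_user: str, gss_principal: str, mapping: dict):
    """Return the local account to use, or None to refuse.

    - Empty requested name: deduce it from the principal, but only when the
      mapping is unambiguous (exactly one account), otherwise refuse.
    - Non-empty requested name: accept only if the mapping lists it; the
      client-supplied string is never trusted on its own.
    - Unmapped principal: refuse, regardless of what the client asked for.
    """
    allowed = mapping.get(gss_principal, [])
    if not allowed:
        return None
    if requested_user == "":
        return allowed[0] if len(allowed) == 1 else None
    return requested_user if requested_user in allowed else None


def authorize(pkt: bytes, gss_principal: str, mapping: dict = PRINCIPAL_MAP):
    """Full server-side decision for one USERAUTH_REQUEST packet."""
    req = parse_userauth_request(pkt)
    if req["method"] != "gssapi-with-mic" or req["service"] != "ssh-connection":
        return None
    return resolve_local_user(req["user"], gss_principal, mapping)


if __name__ == "__main__":
    # Alice connects with an empty user name at two sites and gets the
    # right local account at each without remembering either name.
    for principal in ("alice@SITE-A.EXAMPLE", "alice@SITE-B.EXAMPLE"):
        print(principal, "->", authorize(build_userauth_request(""), principal))
```

The refusal on an ambiguous mapping is the important edge: RFC 4462 only allows the empty name when the account "can be deduced", so a principal entitled to several accounts must name one explicitly.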