Automation in the context of multifactor authentication: Difference between revisions
(Created page with "{{Draft}} Automated workflows which connect to the clusters without a human being present can not make use of a second factor. We are therefore deploying dedicated login nodes to be used for that purpose. These nodes will not require the use of a second factor, but will be otherwise much more limited than regular login nodes in terms of the type of authentication they accept and the type of action that they can be used for. = Increased security restrictions = == Availa...") |
No edit summary |
||
Line 1: | Line 1: | ||
{{Draft}} | {{Draft}} | ||
Automated workflows which connect to the clusters without a human being present can not make use of a second factor. We are therefore deploying dedicated login nodes to be used for that purpose. These nodes will not require the use of a second factor, but will be otherwise much more limited than regular login nodes in terms of the type of authentication they accept and the type of action that they can be used | Automated workflows which connect to the clusters without a human being present can not make use of a second factor. We are therefore deploying dedicated login nodes to be used for that purpose. These nodes will not require the use of a second factor, but will be otherwise much more limited than regular login nodes in terms of the type of authentication they accept and the type of action that they can be used to perform. | ||
= Increased security restrictions = | = Increased security restrictions = | ||
== Available only by request == | == Available only by request == | ||
Users who need to make use of automated workflows for their research must first contact our [[Technical support]] to be allowed to use these nodes. When contacting us, please explain in | Users who need to make use of automated workflows for their research must first contact our [[Technical support]] to be allowed to use these nodes. When contacting us, please explain in detail the type of automation you intend to use as part of your workflow. Tell us what commands will be executed and what tools or libraries you will be using to manage the automation. | ||
== Available only through restricted SSH keys == | == Available only through restricted SSH keys == | ||
The only accepted mean of authentication to the automation nodes will be through [[SSH_Keys#Using_CCDB|SSH keys uploaded to the CCDB]]. SSH keys written in your <tt>.ssh/authorized_keys</tt> file are not accepted. In addition, the SSH keys <b>must</b> | The only accepted mean of authentication to the automation nodes will be through [[SSH_Keys#Using_CCDB|SSH keys uploaded to the CCDB]]. SSH keys written in your <tt>.ssh/authorized_keys</tt> file are not accepted. In addition, the SSH keys <b>must</b> obey the following constraints. | ||
=== <tt>restrict</tt> constraint === | === <tt>restrict</tt> constraint === | ||
Line 16: | Line 16: | ||
=== <tt>command="COMMAND"</tt> constraint === | === <tt>command="COMMAND"</tt> constraint === | ||
The <tt>command="COMMAND"</tt> constraint forces the command <tt>COMMAND</tt> to be executed when the connection is established. This is so that you may restrict which | The <tt>command="COMMAND"</tt> constraint forces the command <tt>COMMAND</tt> to be executed when the connection is established. This is so that you may restrict which commands can be used with this key. | ||
== Convenience wrapper scripts to use for <tt>command=</tt> == | == Convenience wrapper scripts to use for <tt>command=</tt> == |
Revision as of 15:10, 19 October 2023
This is not a complete article: This is a draft, a work in progress that is intended to be published into an article, which may or may not be ready for inclusion in the main wiki. It should not necessarily be considered factual or authoritative.
Automated workflows which connect to the clusters without a human being present can not make use of a second factor. We are therefore deploying dedicated login nodes to be used for that purpose. These nodes will not require the use of a second factor, but will be otherwise much more limited than regular login nodes in terms of the type of authentication they accept and the type of action that they can be used to perform.
Increased security restrictions
Available only by request
Users who need to make use of automated workflows for their research must first contact our Technical support to be allowed to use these nodes. When contacting us, please explain in detail the type of automation you intend to use as part of your workflow. Tell us what commands will be executed and what tools or libraries you will be using to manage the automation.
Available only through restricted SSH keys
The only accepted mean of authentication to the automation nodes will be through SSH keys uploaded to the CCDB. SSH keys written in your .ssh/authorized_keys file are not accepted. In addition, the SSH keys must obey the following constraints.
restrict constraint
This constraint disables port forwarding, agent forwarding, and X11 forwarding. It also disables the pseudo teletype (PTY), blocking most interactive workload. This constraint is required because these automation nodes are not intended to be used to start long-running or interactive processes. Regular login nodes must be used for this.
from="pattern-list" constraint
The from="pattern-list" constraint specifies that this key can only be used from IP addresses that match the patterns. This is to ensure that this key is not used from computers other than the ones intended. The pattern list must include only IP addresses that fully specify at least the network class, the network, and the subnet, which are the first 3 sections of an IP address. For example, 192.168.*.* would not be accepted, but 192.168.1.* would be accepted.
command="COMMAND" constraint
The command="COMMAND" constraint forces the command COMMAND to be executed when the connection is established. This is so that you may restrict which commands can be used with this key.
Convenience wrapper scripts to use for command=
command constraints can specify any command, but they are most useful when using a wrapper script which will accept or reject commands based what command is being called. You can write your own script, but for convenience, we provide a number of such scripts which will allow common actions. These scripts are defined in this git repository.
- /cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/transfer_commands.sh will allow only file transfers, such as scp, sftp or rsync.
- /cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/archiving_commands.sh will allow commands to archive files, such as gzip, tar or dar.
- /cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/file_commands.sh will allow commands to manipulate files, such as mv, cp or rm.
- /cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/git_commands.sh will allow the git command.
- /cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/slurm_commands.sh will allow some Slurm commands, such as squeue, sbatch.
- /cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/allowed_commands.sh will allow all of the above.
Examples of accepted SSH keys
Accepted SSH keys must include all 3 of the above constraints to be accepted. Here are examples of SSH keys that would be accepted: For example, the following key would be accepted, and could only be used for transferring files (through scp, sftp or rsync for example):
restrict,from="216.18.209.*",command="/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/transfer_commands.sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE6AACAIExK9iTTDGsyqKKzduA46DvIJ9oFKZ/WN5memqG9Invw
while this one would only allow Slurm commands: For example, the following key would be accepted, and could only be used for transferring files (through scp, sftp or rsync for example):
restrict,from="216.18.209.*",command="/cvmfs/soft.computecanada.ca/custom/bin/computecanada/allowed_commands/slurm_commands.sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE6AACAIExK9iTTDGsyqKKzduA46DvIJ9oFKZ/WN5memqG9Invw