(Updating to match new version of source page)
Line 1: | Line 1: | ||
<languages /> | <languages /> | ||
An automated workflow which involves some outside machine connecting to a cluster without human intervention cannot make use of a second authentication factor. In order to execute such a workflow now that MFA is a requirement, you must request access to an '''automation node'''. An automation node does not require the use of a second factor, but is much more limited than a regular login node in terms of the type of authentication it accepts and the types of actions that it can be used to perform. | |||
= Increased security measures = | = Increased security measures = | ||
== Available only by request == | == Available only by request == | ||
If you need to make use of an automated workflow for your research, contact our [[technical support]] and request access to an automation node. When contacting us, please explain in detail the type of automation you intend to use. Tell us what commands will be executed and what tools or libraries you will be using to manage the automation. | |||
== Available only through constrained SSH keys == | == Available only through constrained SSH keys == | ||
The only accepted means of authentication for the automation nodes | The only accepted means of authentication for the automation nodes is through [[SSH_Keys#Using_CCDB|SSH keys uploaded to the CCDB]]. SSH keys written in your <i>.ssh/authorized_keys</i> file are not accepted. In addition, the SSH keys <b>must</b> obey the following constraints. | ||
=== <code>restrict</code> === | === <code>restrict</code> === | ||
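Review bot: the request paragraph under "Available only by request" asks for the commands and the tools or libraries that will be used, but not for the public IP addresses the workflow will run from, which the from="pattern-list" constraint below makes mandatory; asking for them in the same request avoids a second round trip. The opening paragraph could also say that the "much more limited" authentication it mentions is precisely the constrained key (restrict, from=, command=) described next, so the reader sees the constraints as the compensating control for dropping the second factor rather than as an unrelated rule.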
Line 14: | Line 14: | ||
=== <code>from="pattern-list"</code> === | === <code>from="pattern-list"</code> === | ||
This constraint specifies that the key can only be used from IP addresses that match the patterns. This is to ensure that this key is not used from computers other than the ones intended. The | This constraint specifies that the key can only be used from IP addresses that match the patterns. This is to ensure that this key is not used from computers other than the ones intended. The pattern list must include only IP addresses that fully specify at least the network class, the network, and the subnet, which are the first three elements of an IP address, for example, <code>x.y.*.*</code> would not be accepted, but <code>x.y.z.*</code> would be accepted. Also, the IP address must be a ''public'' IP address; thus anything like <code>10.0.0.0 – 10.255.255.255</code>, <code>172.16.0.0 – 172.31.255.255</code> and <code>192.168.0.0 – 192.168.255.255</code> is incorrect. You can use a site like [https://whatismyipaddress.com/ What Is My IP Address?] or the shell command <code>curl ifconfig.me</code> to learn your public IP address. | ||
=== <code>command="COMMAND"</code> === | === <code>command="COMMAND"</code> === | ||
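Review bot: "network class, the network, and the subnet" is a confusing way to state what the example actually requires, namely that the first three octets be fixed (x.y.z.* accepted, x.y.*.* not); saying "the first three octets" directly and dropping the class terminology would be clearer. The rule is also stated only for IPv4, while the "IPv4 vs IPv6 issue" section later on this page says the client may connect over IPv6; either state here what pattern is accepted for an IPv6 source, or point the reader to that section and its -4 option at the moment they choose the pattern, since a mismatch here is exactly the failure that section describes.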
Line 76: | Line 76: | ||
= IPv4 vs IPv6 issue = | = IPv4 vs IPv6 issue = | ||
When connecting to a | When connecting to a automation node the SSH client on your computer may choose to use the '''IPv6 addressing''' over the older '''IPv4'''. | ||
This seems to be more probably in Windows environment. | This seems to be more probably in Windows environment. | ||
If this is the case you have to make sure that the IP address mask you put in the <code>restrict,from=</code> field of the key | If this is the case you have to make sure that the IP address mask you put in the <code>restrict,from=</code> field of the key | ||
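Review bot: "a automation node" should read "an automation node", and "This seems to be more probably in Windows environment" is awkward; suggest "This seems to happen more often on Windows." If the cause is known, a half sentence on why the client prefers IPv6 would help readers understand why the -4 option given later resolves it.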
Line 87: | Line 87: | ||
The possible problem is that if you put the IPv4 address mask, '''199.241.166.*''' into the CCDB SSH key, and | The possible problem is that if you put the IPv4 address mask, '''199.241.166.*''' into the CCDB SSH key, and | ||
your SSH client will be connecting the the | your SSH client will be connecting the the automation node using IPv6 address, the source address will not match the mask in the key | ||
and the key will not be accepted by the | and the key will not be accepted by the automation node. | ||
=== How to identify the problem === | === How to identify the problem === | ||
If you are having difficulties to make the SSH connection to | If you are having difficulties to make the SSH connection to an automation node work, | ||
try this test command: | |||
ssh -i ~/.ssh/automation_key -vvv username@robot.graham.alliancecan.ca "ls -l" | ssh -i ~/.ssh/automation_key -vvv username@robot.graham.alliancecan.ca "ls -l" | ||
This | This tries to connect to the automation node at Graham and execute the <code>ls -l</code> command | ||
using the <code>~/.ssh/automation_key</code> SSH key. | using the <code>~/.ssh/automation_key</code> SSH key. | ||
Then it prints the list of files in your home directory on Graham to screen. | Then it prints the list of files in your home directory on Graham to screen. | ||
This command will produce a lot of debug output due to the <code>-vvv</code> option ( | This command will produce a lot of debug output due to the <code>-vvv</code> option ("Very Very Verbose"). | ||
Look for the '''Connecting to...''' message there. | Look for the '''Connecting to...''' message there. | ||
If it says something like this: | If it says something like this: | ||
debug1: Connecting to robot.graham.alliancecan.ca [199.241.166.5] port 22. | debug1: Connecting to robot.graham.alliancecan.ca [199.241.166.5] port 22. | ||
it means | it means that IPv4 is being used. | ||
If the message is similar to | If the message is similar to | ||
debug1: Connecting to robot.graham.alliancecan.ca [2620:123:7002:4::5] port 22. | debug1: Connecting to robot.graham.alliancecan.ca [2620:123:7002:4::5] port 22. | ||
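Review bot: "connecting the the automation node" has a doubled "the", and "difficulties to make the SSH connection ... work" reads better as "difficulties making the SSH connection ... work". The description of the test says it prints the listing of your home directory, but since the key must carry the command= constraint from the section above, say whether "ls -l" is really what runs or whether the forced command runs instead, so a different output is not mistaken for a failure; the "Connecting to ..." debug line is the part that matters for this test either way.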
Line 115: | Line 115: | ||
* You can make the SSH client to '''explicitly use either IPv4 or IPv6''' using the <code>-4</code> and <code>-6</code> options, respectively, to match the format you used for the key in CCDB. | * You can make the SSH client to '''explicitly use either IPv4 or IPv6''' using the <code>-4</code> and <code>-6</code> options, respectively, to match the format you used for the key in CCDB. | ||
* You can try using an '''IP address instead of the name''' to point to the | * You can try using an '''IP address instead of the name''' to point to the automation node. Using Graham example, try using the | ||
: <code>ssh -i ~/.ssh/automation_key -vvv username@199.241.166.5 "ls -l"</code> | : <code>ssh -i ~/.ssh/automation_key -vvv username@199.241.166.5 "ls -l"</code> | ||
: instead, to force SSH to use the IPv4 addresses. | : instead, to force SSH to use the IPv4 addresses. | ||
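Review bot: "make the SSH client to explicitly use" should be "make the SSH client explicitly use", and "Using Graham example" should be "Using the Graham example". The two bullets are presented as equal alternatives, but the second (connecting to the literal 199.241.166.5 address) only helps when the key pattern is IPv4, whereas the -4/-6 option is the one that matches "the format you used for the key in CCDB"; consider listing the option as the preferred fix and the literal address as a fallback.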
Line 125: | Line 125: | ||
= Automation using Python and Paramiko = | = Automation using Python and Paramiko = | ||
If you are using the [https://www.paramiko.org/index.html Paramiko Python module] to automate your workflow, this is how you can make it work with the | If you are using the [https://www.paramiko.org/index.html Paramiko Python module] to automate your workflow, this is how you can make it work with the automation nodes: | ||
<source lang=python> | <source lang=python> | ||
# ==================================================================================================== | # ==================================================================================================== | ||
Line 154: | Line 154: | ||
# ==================================================================================================== | # ==================================================================================================== | ||
</source> | </source> | ||
This code connects to the | This code connects to the automation node on '''Graham''' using an key specified in CCDB and | ||
executes the <code>ls -l</code> command to get the list of files. | executes the <code>ls -l</code> command to get the list of files. | ||
Then prints the list to the screen. | Then prints the list to the screen. |
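Review bot: "using an key specified in CCDB" should be "using a key specified in CCDB", and "Then prints the list to the screen" needs a subject ("Then it prints ..."). "Specified in CCDB" is also slightly misleading: per the "constrained SSH keys" section it is the public key that is uploaded to the CCDB, while the private key file lives on the client machine, so "using a key whose public half is registered in the CCDB" would be more accurate.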