Draft "pain of SSH" survey

Who to send the survey to:
LIGO
iPlant
Neon
OOI
DataOne
Planetlab
FutureGrid?

The intent of this survey is to develop a small but comprehensive set of use cases to drive further work in "reducing the pain of SSH".

"Reducing the pain of SSH" is scoped broadly, including not only shell access by users, but higher level services and applications that integrate with SSH.

1. Basic questions:

What are your current practices for access to remote resources via ssh?

  • identity vetting and delivery of credentials
  • provisioning and deprovisioning associated accounts
  • transfer of attributes
  • key or cert generation and use
  • how resource access is managed, e.g., groups and permissions

What technologies are used to do these things?

Are there any variations for non-people (devices, workflows, processes, etc.)?

Where are the pain points in your current approach?

What would you most like to change about this?

2. Specific questions

What functions today use SSH? Do they use keys or other forms of remote channel control?

Remote login
Submit jobs
Manage files
File access
other

For remote login, which clients are used, and do they use GSS underneath?

OpenSSH
GSISSH (used by TeraGrid & CILogon, for example)
PuTTY
other

3. Policy and access controls

Who gets to decide who gets what access to which resources?

Is the implementation of such decisions automated or manual?

What are your Level of Assurance needs?

4. How high up your list of concerns is managing SSH? Do you plan to continue using SSH as a primary tool? What are your top 1-3 concerns regarding technical tools or specific technologies?


Abandoned bits:

Discovery (directing a user back to the authenticating location)

How is it decided which resources users get accounts on? Is that automated or manual?

How is it decided which group IDs are provisioned into those accounts and which files can be accessed? Is that automated or manual?

Can the accounts on the target systems be automatically provisioned and deprovisioned? If deprovisioned, what triggers it?
