Ticket #543 (new task)

Opened 6 years ago

Last modified 6 years ago

allow / always generate an SSH keypair from a user's cert

Reported by: ahelsing Owned by:
Priority: major Milestone:
Component: clearinghouse Version:
Keywords: Cc:
Dependencies:

Description

From Hussam:

GEMINI requires that the user also has the public SSH key generated using the cert's private key uploaded in the slivers

for example ssh-keygen -y -f <your cert+privatekey file> >>your_public_key 

Where we have your private key, we could generate this SSH keypair. Should we always do this? And if we don't have your private key, do we warn experimenters, particularly those that try to use GEMINI?
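
What the ssh-keygen -y step above amounts to for an unencrypted PKCS#1 RSA key, as an added example that is not part of the ticket or the portal's code: the SSH public key is only a re-encoding of the cert key's modulus and exponent, so the SSH identity and the cert rest on the same private key. The toy key and all function names are constructed for illustration.

```python
import base64
import re
import struct

def read_der_ints(der):
    """Return the INTEGERs of a DER SEQUENCE (all a PKCS#1 RSAPrivateKey contains)."""
    def tlv(buf, pos, tag):
        if buf[pos] != tag:
            raise ValueError("unexpected DER tag 0x%02x" % buf[pos])
        length, pos = buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            count = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
        return buf[pos:pos + length], pos + length
    body, _ = tlv(der, 0, 0x30)
    ints, pos = [], 0
    while pos < len(body):
        raw, pos = tlv(body, pos, 0x02)
        ints.append(int.from_bytes(raw, "big"))
    return ints

def ssh_string(data):
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(value):
    """SSH wire 'mpint' for a positive integer (leading 0x00 if the top bit is set)."""
    return ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))

def ssh_public_key(pem_text):
    """Derive the 'ssh-rsa ...' line from the RSA PRIVATE KEY block of a cert+key file."""
    block = re.search(r"-----BEGIN RSA PRIVATE KEY-----(.+?)-----END RSA PRIVATE KEY-----",
                      pem_text, re.S)
    if block is None or "Proc-Type:" in block.group(1):  # header marks an encrypted key
        raise ValueError("no unencrypted PKCS#1 RSA private key found")
    _version, n, e = read_der_ints(base64.b64decode(block.group(1)))[:3]
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()

# Constructed toy key (n=3233, e=17, d=2753, p=61, q=53): NOT a real key, illustration only.
TOY_DER = bytes.fromhex("301d020100" "02020ca1" "020111" "02020ac1"
                        "02013d" "020135" "020135" "020131" "020126")
TOY_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n" + base64.encodebytes(TOY_DER).decode()
           + "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(ssh_public_key(TOY_PEM))
```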

Change History

Changed 6 years ago by ahelsing

Hmm.

  1. Portal users are allowed to upload their own public SSH key, never giving the portal their private SSH key. That is a security feature, for those that care.
  2. When we have SpeaksFor, GEMINI will no longer be given the user's private SSL key. So it cannot expect to reproduce the user's SSH keys.

Could GEMINI instead receive from the portal an SSH keypair to use? The portal could generate such a keypair (not based on the SSL keys, and different for each user of GEMINI).

Emailed Hussam.

Changed 6 years ago by ahelsing

Hussam says:

Yes, this will work too. As long as we get the private SSH key whose corresponding public key is placed on the compute resources, we are fine. The only catch here is: are the keys encrypted or unencrypted? We prefer unencrypted.

Changed 6 years ago by nriga

I am not sure how having the portal generate a separate key, for which the portal has stored the private key, and install the public key to all your nodes is more secure than creating a public key based on your cert private key, if it has it anyway.
