otterley edited this page Mar 3, 2011 · 11 revisions

SSH Authentication

Currently pogo only does password authentication (see issue #4). It should also support ssh-agent authentication, so that we no longer have to echo plaintext passwords via expect. We can also take advantage of pam_ssh_agent_auth to do privilege escalation on remote nodes. If possible, this should be made modular, so that other authentication types can be plugged in later.

password authentication model (existing)

  1. pogo-client / Pogo::Client::Commandline::run_from_commandline() prompts the user for a password, and encrypts the plaintext password with the public key used by pogo-worker.

  2. The base64-encoded encrypted password is POSTed as part of the JSON-encoded job hash object to the pogo dispatcher API.

  3. The dispatcher removes the password from the job hash, stores it in memory, and writes the job hash (minus password) into zookeeper.

  4. pogo-dispatcher / Pogo::Dispatcher::WorkerConnection->queue_task() is later invoked for each subtask, and retrieves job information and the encrypted password string from memory, sending the data over JSON-RPC to a connected worker for execution.

  5. pogo-worker / Pogo::Worker::Connection->run_command() and later ->execute() receive the job information from the hash and shell out to pogo-rexec, sending JSON-encoded task information to the process on STDIN.

  6. pogo-rexec decodes the job information and decrypts the passwords, and sets up scp and ssh commands to:

    1. scp pogo-worker-stub to the target node
    2. ssh to the target node and execute the stub
    3. ssh to the target node one last time to rm the stub
  7. the scp and ssh commands are wrapped in pogo-pw, which handles echoing the user password when appropriate


ssh-agent based authentication model (proposed)

  1. pogo-client must be modified to take the user's SSH private key and passphrase, or decrypted ssh private key, and send that with the job instead of (or in addition to) the password.

    options for enabling and disabling ssh and password auth should be available in .pogoconf

  2. pogo-rexec should be modified to either impersonate or spawn an ssh-agent (per task? per jobid?). access to the agent should be restricted as much as possible, and should not be available outside the local host.

  3. pogo-rexec should call scp / ssh with the appropriate options when using ssh or password auth (or both) by enabling only the authentication methods valid for the job. authentication should fail gracefully and obviously, outputting crapola to the host log/ui.

  4. private key information must never be written to disk, nor may it persist in memory for longer than necessary to run all possible tasks for the job.

  5. there's existing code that allows a 'run_as' user - ensure this works, write tests, etc. (has never been tested)
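
A sketch of steps 2 to 4 of the proposed model using the stock OpenSSH tools, added here as an example and not taken from Pogo. The function names `auth_opts` and `run_task`, the method keywords, and the assumption that the decrypted key arrives on STDIN are all hypothetical.

```shell
#!/bin/sh
# Added example, not Pogo code. Function names and the method keywords
# ("publickey", "password") are assumptions made for this sketch.

# Print ssh/scp -o options enabling only the auth methods valid for the job.
# $1: comma-separated list, e.g. "publickey" or "publickey,password".
auth_opts() {
    pubkey=no; password=no
    for m in $(printf '%s' "$1" | tr ',' ' '); do
        case "$m" in
            publickey) pubkey=yes ;;
            password)  password=yes ;;
            *) echo "unknown auth method: $m" >&2; return 1 ;;
        esac
    done
    [ "$pubkey$password" != nono ] || { echo "no auth method enabled" >&2; return 1; }
    opts="-o PreferredAuthentications=$1 -o PubkeyAuthentication=$pubkey"
    opts="$opts -o PasswordAuthentication=$password"
    # Key-only jobs must fail visibly instead of hanging on a prompt.
    [ "$password" = yes ] || opts="$opts -o BatchMode=yes"
    printf '%s\n' "$opts"
}

# Run an ssh/scp command with a private, short-lived agent (jobs using publickey).
# $1: allowed methods; $2: key lifetime in seconds; rest: command line.
# The decrypted private key is read from STDIN (assumed to come from the job data).
run_task() {
    methods=$1; life=$2; cmd=$3; shift 3
    opts=$(auth_opts "$methods") || return 1
    dir=$(mktemp -d) || return 1   # 0700 dir holding the agent's UNIX socket
    unset SSH_AUTH_SOCK SSH_AGENT_PID   # never fall back to an inherited agent
    eval "$(ssh-agent -s -a "$dir/agent.sock" -t "$life")" >/dev/null
    # The key goes from STDIN straight into the agent and is never written to disk.
    if ssh-add - 2>/dev/null; then
        # $opts is left unquoted on purpose so it splits into separate arguments.
        "$cmd" $opts "$@" </dev/null
        rc=$?
    else
        echo "could not load key into agent" >&2
        rc=1
    fi
    ssh-agent -k >/dev/null 2>&1   # kill the agent, discarding the key
    unset SSH_AUTH_SOCK SSH_AGENT_PID
    rm -rf "$dir"
    return "$rc"
}

# Example: <key on STDIN> | sh agent-task.sh publickey 300 ssh user@host uptime
if [ "$#" -ge 3 ]; then run_task "$@"; fi
```

Starting one agent per task keeps the key's lifetime bounded by a single ssh or scp call; a per-job agent would instead need the cleanup to run after the last task.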
