Friday, June 7, 2013

Pegasus & CTSC complete engagement around security for SSH credentials

CTSC recently completed one of its initial engagements: The Pegasus project is a workflow management system that supports a breadth of computational sciences including astronomy, bioinformatics, ocean science, and many more. Pegasus workflows typically operate across distributed resources and sometimes need to stage data files between compute resources to or from storage resources. Some storage resources support mechanisms that allow Pegasus to delegate to the workflow the ability to access those resources. Other storage resources don’t have this ability - e.g., resources that use secure shell (SSH).

When staging requires SSH, Pegasus currently has no choice but to send a private key with the workflow. The goal of this engagement was to examine this practice and recommend possible improvements from the perspective of cybersecurity. CTSC provided three recommendations to the Pegasus team to improve current practice: (1) If system administrators are willing, have them deploy a mechanism that supports security delegation, such as Kerberos or GSI; (2) provide assistance to users in using SSH’s ability to impose restrictions in the authorized_keys file to limit the privileges of SSH keys used for workflows; and (3) utilize ssh-agent to minimize exposure of SSH credentials in the workflow by avoiding writing those credentials to the filesystem. We also describe alternatives we considered, but do not recommend.  For more information, please see the Pegasus-CTSC Engagement Final Report, available at

Many thanks to the Pegasus team, including Ewa Deelman, Karan Vahi, Mats Rynge, and Gideon Juve, for the collaborative effort that made this work possible.

For more about how CTSC helps NSF projects visit