Add integration tests for MFA-enabled SSH/Slurm container #60
Conversation
|
Results of some testing with paramiko and oath:
def _parse_userauth_failure(self, m):
authlist = m.get_list()
# TODO 4.0: we aren't giving callers access to authlist _unless_ it's
# partial authentication, so eg authtype=none can't work unless we
# tweak this.
partial = m.get_boolean()
if partial:
self._log(INFO, "Authentication continues...")
self._log(DEBUG, "Methods: " + str(authlist))
self.transport.saved_exception = PartialAuthentication(authlist)It might be possible with the help of paramiko devs to enable this route, otherwise we could make a specialised If 2. was implemented, I think this would give us everything required to use 2FA (as long as its based on OATH), as jobflow could mimic the user running an app on a mobile phone for auth. Of course, the problem with this is is that it presumably breaks the usage terms of the supercomputers that use 2FA (which in some cases might be actually illegal too? 😅) |
|
I managed to connect with password+OPT using paramiko with this code: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(("mfahost.example.com", 22))
ts = paramiko.Transport(sock)
ts.start_client(timeout=10)
ts.auth_interactive_dumb(user)from here. This prompts for both. I did not test it, but in principle it should be possible to replace However, I would rather not offer a standardized way of automatically generating the OTP by storing the secret locally, unless this is a policy generally approved by the clusters. I imagine that such an approach will make the OTP generation pointless from the point of view of the administrators. While we cannot prevent individual users from hacking their way through, the administrators will likely disapprove if we actively document and support tools that break their policies. Maybe we can get in touch with the administrators of a few computing centers and check before proceeding with this approach? |
Nice, my attempts were to essentially trigger the call to the "dumb" route using the normal SSHClient but I didn't really get anywhere.
I think reaching out is a good idea. Whilst this should never be the default, I'm sure some enterprising individuals would try this anyway so it might be good to have a proper encrypted store version built-in to jobflow. If the first login when launching a runner still required the TOTP then this is somehow spiritually the same as trusting Google or whoever with your secret key... |
|
This has gone stale |
Related to #58.
This PR adds a test environment for an MFA-enabled SSH/Slurm worker. It uses the google-authenticator-libpam wrapper for Ubuntu to set up time-based MFA on the default
jobflowuser, with a pre-defined emergency backup code (which can only be used for one login without container rebuild).Currently, the tests fail, but should probably be upgraded to instead ensure that sensible errors are returned for the MFA enabled worker.
This is hopefully a somewhat realistic emulation of an MFA-enabled supercomputer (perhaps excluding the backup codes), and can be used to test potential future workarounds involving multiplexing or otherwise.
Note, as stated in the Dockerfile.slurm.mfa header, although the two integration test dockerfiles are the same except for the final build stage, as the Docker Python SDK does not support BuildKit (docker/docker-py#2230), we cannot use multi-stage builds here.