Overview
Review the design and security elements of an upgraded GSI OpenSSH that prepares XSEDE for OpenSSL 1.1.
Review Summary
Clarified questions:
- OpenSSH is not compatible (yet) with OpenSSL 1.1.x, so we will not build/test against OpenSSL 1.1.x
- We are only using distro-maintained OpenSSL
- We will release other Globus packages that have the same set of dependencies as this GSI OpenSSH
Revised design elements:
- We will build from OpenSSH 7.3p1, or OpenSSH 7.4p1 if HPN and ISSHD (NERSCmode) patches are available
Review Input Documents
GSI OpenSSH Design/Security Description:
Review Criteria
Criteria 1: Package versions
- Do the new versions of base OpenSSH, HPN, or NERSCmod introduce any risks that need to be mitigated?
Criteria 2: Compatibility
- Will the OpenSSL 1.1.x transition support interoperate as required with older and newer versions of (GSI) OpenSSH?
Criteria 3: Usage scenarios
- Are the following server, client, and hub login scenarios supported as required?
- Scenario 1: User logs into SP from SSO Hub
- Scenario 2: User logs into SP from another SP
- Scenario 3: Expert user logs into SP from own machine
Schedule
Current Date: 2023-05-28
Current Status: Closed (Design and Security Review)
Target Date | Actual Date | Activity Milestone |
---|---|---|
2017-01-05 | Review launch date | |
2017-01-13 | 2017-01-18 | Written feedback due (Reviewers) |
2017-01-17 | 2017-01-18 | Written response date (Review Material Developers) |
2017-01-20 | 2017-01-18 | Final approval due and completion date (Reviewers) |
Review Last Updated: 2017-01-18 11:58 am
Reviewers
Required
- John-Paul Navarro
SIGNED: 2017-01-18 14:55
- Scott Sakai
SIGNED: 2017-01-14 16:44
Optional
- Victor Hazlewood
- Lee Liming
SIGNED: 2017-01-11 13:54
- Jim Marsteller
- Derek Simmel
SIGNED: 2017-01-06 12:06
- Adam Slagell
- Shava Smallen
SIGNED: 2017-01-13 10:53
Review Facilitator
John-Paul Navarro