Secure access to Australia’s high performance computers

The problem

Australia’s high-performance computers (HPC) are shared research infrastructure, with researchers booking time and connecting into systems to conduct calculations and simulations. When it comes to access and security, supercomputers face challenges due to their specialised hardware, architectures, security requirements and large-scale parallel processing capabilities.

Many HPC clusters and supercomputers run on Linux-based operating systems due to their stability, performance, and open-source nature. Linux systems typically offer a powerful command-line interface (CLI), allowing users to interact with the system directly through text-based commands. This CLI is well-suited for managing and controlling HPC resources, submitting batch jobs, monitoring job status, and accessing scientific software tools.

They also use Secure Shell (SSH) Protocol which is a secure network protocol that enables encrypted communication between a client and a server over an insecure network. SSH provides strong encryption algorithms and authentication mechanisms, ensuring that data transmitted between the client and the HPC system remains confidential and secure.

Despite the advantages that CLI and the SSH connection provide, they also present several access and security challenges that inlcude:

• Authentication: Ensuring secure authentication is crucial for SSH access to supercomputers. Password-based authentication can be vulnerable to brute-force attacks if weak passwords are used or if a users’ credentials are compromised. Implementing strong authentication methods such as public-key authentication or multi-factor authentication (MFA) can enhance security by requiring additional verification steps beyond just a password.
• Key management: Public-key authentication relies on the management of cryptographic key pairs, consisting of a private key stored securely by the user and a corresponding public key stored on the server. Managing these keys securely, including generating them with sufficient entropy, protecting them from unauthorised access, and regularly rotating them, is essential for preventing unauthorized access and maintaining the integrity of SSH connections.
• User access control: Supercomputers support multiple users and projects, each with different access requirements and privileges. Implementing granular access controls based on user roles, groups, and permissions ensures that users only have access to the resources and data necessary for their work. Regularly reviewing and updating access permissions helps minimise the risk of unauthorised access and data breaches.
• Identity assurance: Identity assurance is an approach that ensures that a person’s claimed identity is their real identity. Because of the sensitivity of data and resources provided by high performance computers, they could be subject to policies (such as Defence Trade Controls Act) restricting access to these resources for certain groups of individuals. An identity assurance solution for supercomputers need to consider these requirements. Federated access can eliminate the overhead of implementing identity assurance and multifactor authentication for HPC providers.
• Federated access: Supercomputers and HPC providers work as part of a research infrastructure network. HPC users usually, have credentials linked to a research institute or a university. Being able to provide a seamless access experience for users who are working across multiple HPCs or research facilities in a secure way is another challenge faced by HPC providers.

Currently there are multiple HPC providers across the Australian research sector. Each HPC provides different workflow and access processes, and a user needs to learn different systems, environments, and workflows to be able to use each HPC. This highlights a need for federated access across these resources.

The AAF is exploring different approaches to implementing federated access across the varied resources offered by HPC facilities, considering the challenges faced by these facilities.

What we’re considering

Different HPC facilities have different procedures and tools when it comes to authentication and authorisation. However, as was mentioned, as they all commonly use Linux and are accessed through SSH and command line, any federated access solution for HPCs, will need to consider the following technical specifications:

• Integration: HPCs have a complex architecture with a specialised authentication and authorisation systems in place. Integrating federated access with existing infrastructure without disrupting the operations or compromising the security requires careful planning and coordination.
• Protocol compatibility: Ensuring the compatibility between standard authentication protocols such as SAML and OpenID Connect and SSH authentication mechanism.
• Attribute mapping and translation: Federated identity providers may use different attribute schemas and formats to represent user identities and attributes. Mapping and translating attributes between federated identity providers and SSH authentication systems requires defining consistent attribute mappings and transformation rules to ensure that user attributes are correctly interpreted and applied for access control decisions.
• Single Sign-On (SSO) integration: Federated access often involves implementing single sign-on (SSO) capabilities, allowing users to authenticate once with their identity provider and access multiple services without re-entering credentials. Integrating SSO with SSH authentication mechanisms requires developing custom solutions or leveraging existing SSO frameworks that support SSH authentication.

Use Case

Pawsey Supercomputing Research Centre

The AAF are working with the Pawsey Supercomputing Research Centre as an incubator to explore federated access to their HPC. As the incubator is currently in progress, this is a point in time reflection of our current understanding.

AAF is working with Pawsey to develop a solution for federated access to their resources. Pawsey provides HPC and data services to researchers in Australia and internationally. They host several super computers and cloud services which support a wide range of scientific and engineering applications.