Project Moonshot TF-MNM. Use cases Project Moonshot 2.

Presentation transcript:

Project Moonshot TF-MNM

Use cases

Grid: STFC
- STFC operates the UK’s National Grid Service
- Existing X.509 authentication is too complex for users
- Goal to simplify authentication across distributed computing Grids

“We aim to streamline access services using Moonshot technology, which will take the burden of authentication out of the hands of our users.”
Dr Peter Oliver, Group Leader, Science and Technology Facilities Council

Console: Diamond Light Source
- The UK’s national synchrotron facility
- Piloting Moonshot within the PANDATA project, which supports 30,000 scientists at 20+ photon and neutron facilities
- Federated access needed to physical and remote (SSH) consoles

“Moonshot has thought beyond websites, and looked at what is really required in authentication – right down to the point when you open your laptop to begin work.”
Bill Pulford, Head of DASC, Diamond Light Source

Sharing: Cancer Research UK
- Cancer Research UK is the world’s leading charity dedicated to beating cancer through research.
- The institutes form ad hoc relationships to collaborate for research purposes, but when the need arises to share data and documents, each institute can only authenticate within their own organisation.

“Moonshot is a valuable enabler for Cancer Research across the UK. It will make collaboration systems easy to build internally so that we can quickly share large data sets between institutes, without complicating the management of that system.”
Peter Maccallum, Head of IT & Scientific Computing, CRUK Cambridge Research Institute

Cloud: Janet Brokerage
The Janet Brokerage works with the community and suppliers to provide solutions based on ‘IT as a service’, facilitating the uptake of data centre, hosted and cloud services
- Create efficiencies and cost savings
- Accelerate and improve services and add value
- Reduce risk in adopting new services
- Address technical and business questions
- Create a competitive market based on sound technical platforms

The main challenges from our customers
- Extend the use of federated identity to all network-connected systems, applications and services
- Support any deployment model: centralised, distributed & cloud
- Enable the use of any kind of authentication credential
- Supersize it! Enable this for millions of system entities and users

Technology overview

Moonshot technologies
- Moonshot builds on the eduroam technologies
  - EAP (RFC 3748): strong mutual authentication
  - RADIUS (RFC 2865): federation between domains
- To this, Moonshot adds SAML, for rich authorisation semantics
- Integration using operating system security APIs
  - SSPI: Windows
  - GSS-API (RFC 2078): other operating systems
  - SASL (RFC 4422): Windows and other operating systems

Deployment requirements
Most Higher Education organisations are nearly Moonshot-ready today
- A connection to eduroam
- A RADIUS server (any modern RADIUS product should support pre-production testing today). There is also an experimental capability to integrate FreeRADIUS with the Shibboleth IdP
- Moonshot client and server plug-in
  - Linux: packaging available for Debian & RHEL; Scientific Linux soon
  - Windows: native support using prototype plugin
  - Mac: packaging almost complete for Snow Leopard and Lion
- Moonshot Identity Selector to facilitate the selection of an identity to use, for GUI environments (Windows, Mac & Linux)

Architecture
[Diagram. Components: SSH client, SSH server, RADIUS server. Labelled steps: (1) Credentialing, (2) SSH negotiation, (3) Authentication, (4) RADIUS, (5) Attributes, (6) SSH session.]
OpenSSH used as example of application; many others also apply

Application support
- Most modern applications use at least one of the security APIs supported by Moonshot
- Correctly written applications will ‘just work’ without modification or recompilation
- Less correctly written applications may require minor modifications
- Project Moonshot is testing applications and sending patches upstream

PuTTY  OpenSSH 13

14 IE  Apache

Outlook 2010 → Exchange 2010

Examples of other tested scenarios
- OpenSSH client → OpenSSH server (GSS)
- OpenLDAP client → OpenLDAP server (SASL)
- OpenLDAP client (GSS) → Windows Active Directory (SSPI)
- Firefox → Apache (GSS)
- Internet Explorer → IIS (SSPI)
- MyProxy client → MyProxy server (SASL)
- Adium → Jabberd (SASL)
- Console authentication using PAM/GSS on Linux and SSPI on Windows

Standardisation
- The architecture is currently being standardised within the IETF’s ‘Abfab’ working group
- See https://datatracker.ietf.org/wg/abfab for documents
- The key documents are
  - draft-ietf-abfab-arch, describing the high-level architecture
  - draft-ietf-abfab-gss-eap, describing the core “GSS EAP” technology
  - draft-ietf-abfab-aaa-saml, describing the use of SAML

Get involved!
- The project is a Janet-led initiative, with contributions from GÉANT and others
- describes installing, configuring and using Moonshot. An installable Live DVD (Debian-based) is available, in addition to Debian, CentOS and Scientific Linux packages
- is our community mailing list
- We also have a Jabber room at

Technology pilot

Technology pilot goals
1. To test the suitability of the Moonshot technology for deployment, focusing on e-Research use cases
2. To identify what further work is needed to support the wider community’s use of the technology
3. To plan, implement or support this additional work

Current status
- Pilot sites connected to Janet’s eduroam infrastructure
- Software ready for pre-production testing only
- Production-quality environment due Q
- IETF standardisation approaching completion
- On-going discussions with OS and application vendors

Future plans

The next six months
The primary activities will be
- Continuation of existing Technology Pilot
- Improvement and refinement of core software
- Out-reach to other stakeholders
- Development of the final element needed for a production-ready service
- Completion of standardisation

Conclusions
- Moonshot provides a standardised next-generation identity & trust technology
- Moonshot builds on widely deployed technologies and infrastructure
- Moonshot provides a cross-platform implementation ready for pre-production testing
- Moonshot will provide the trust & identity platform for Janet’s services