Operating System Passwords
Altair SLC Hub workloads run as the operating system (OS) user associated with a Hub user: the 'Unix Username' on Linux workers or the 'UPN' on Windows workers. By default Altair SLC Hub uses its administrator privileges to start these workloads as the OS user without needing that account's password. A workload started this way may fail to authenticate onwards to other services, such as network drives or databases, that rely on the login session's credentials. For situations like this, Altair SLC Hub can be configured to let a user supply Hub with their OS password, which is then used to start any workloads that user runs.
Security Implications
Users may create workloads on downstream worker nodes that need operating system login credentials. When this feature is enabled, the system will store an encrypted copy of the OS login password in Altair SLC Hub so that it can be used for authentication when workloads are run.
OS administrators on the machine Hub is installed on can access credentials that may allow them to retrieve both the encrypted passwords and the decryption keys.
We take several measures to mitigate the risk associated with storing passwords:
- Encryption and isolation: in line with OWASP recommendations, passwords are encrypted at rest and the encryption keys are stored separately.
- Least privilege access: only the system components that launch workloads can access the encrypted password. It is never logged or exposed to other users.
- Lifecycle controls: users may remove their passwords at any time, and Altair SLC Hub administrators may wipe all stored passwords.
This feature is optional and disabled by default; it must be explicitly enabled by an OS administrator. Even when it is enabled, each user must explicitly provide their own password.
Enabling password storage increases the impact of a potential security breach, because an attacker who obtains a stored password gains that user's operating system login. Before enabling it, ensure you understand these security implications and follow all recommended security practices.
Configuration
This functionality must be configured in the Altair SLC Hub server node configuration files, which requires the relevant configuration privileges.
To configure it, create the new file [etc directory]/config.d/ospasswords_custom.yaml and add the configuration there.
Example configuration:
ospasswords:
  enabled: true
  required: false
  passwordWrapExpiry: 72h
Options
enable (bool: false)
- Controls whether users may store an OS password for use when running workloads.
required (bool: false)
- Specifies whether users must provide an OS password to run workloads. If this is set to true and a user runs a workload without having set their OS password, the workload will fail.
passwordWrapExpiry (string: "72h")
- How long the token a workload uses to retrieve the OS password from Hub remains valid. When a password is passed to a worker for authentication, it is not sent directly; it is wrapped in a token that carries an expiry. This expiry should be longer than the time between a workload being submitted and the workload completing, otherwise the worker may be unable to retrieve the password.
Setting Operating System Password
Users can set their OS password under their account settings in the Altair SLC Hub Portal.
This can be accessed by clicking on their name in the top right and then clicking Account Settings.
Users can also clear their OS password from here.
Password Security
A user's OS password is not retrievable by any Altair SLC Hub user. Altair SLC Hub does expose an endpoint to check whether a user has a stored password, but not one to retrieve it. Only the user themselves can set their own OS password.
Altair SLC Hub administrators may wipe all stored passwords using the hubctl ospassword wipe command.
OS passwords are stored in the Altair SLC Hub internal Vault service. Each password is encrypted with AES-256-GCM before it is written to Vault, and the encryption keys are stored in the configured database rather than alongside the ciphertext. Vault itself also stores its data encrypted.
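As an added illustration of the two mechanisms this page describes (the expiring wrap token behind passwordWrapExpiry in the Options section, and the AES-256-GCM encryption with keys held apart from the ciphertext described just above), here is a small Go model. It is not Altair SLC Hub's code and does not show how Hub actually lays out Vault, the database or its tokens; the Store type, its three maps, the wrapToken type, the single-use token behaviour and the choice to bind the username into the ciphertext as GCM associated data are all assumptions made for this example.

```go
// Added example, not Altair SLC Hub's own code: a toy model of the page's scheme, with
// ciphertexts and keys in separate stores and passwords reached only via expiring tokens.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

var ErrExpired, ErrNoPassword = errors.New("wrap token expired"), errors.New("no OS password stored for user")

type wrapToken struct {
	user    string
	expires time.Time
}

// Store is the assumed layout: ciphertext in one map (standing in for Vault),
// key in another (standing in for the database), never side by side.
type Store struct {
	vault  map[string][]byte    // user -> nonce || AES-256-GCM ciphertext
	keys   map[string][]byte    // user -> 32-byte key
	tokens map[string]wrapToken // outstanding single-use wrap tokens
}

func NewStore() *Store {
	return &Store{vault: map[string][]byte{}, keys: map[string][]byte{}, tokens: map[string]wrapToken{}}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to limp past
	}
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SetPassword encrypts the password under a fresh per-user AES-256 key; the username
// is GCM associated data, so a ciphertext cannot be re-pointed at another user.
func (s *Store) SetPassword(user, password string) error {
	key := randomBytes(32)
	gcm, err := gcmFor(key)
	if err != nil {
		return err
	}
	nonce := randomBytes(gcm.NonceSize())
	s.vault[user] = gcm.Seal(nonce, nonce, []byte(password), []byte(user))
	s.keys[user] = key
	return nil
}

// HasPassword mirrors the "check but never retrieve" endpoint; Wipe mirrors hubctl ospassword wipe.
func (s *Store) HasPassword(user string) bool { _, ok := s.vault[user]; return ok }
func (s *Store) Wipe()                        { *s = *NewStore() }

// IssueWrapToken hands a workload a single-use token valid for ttl from now (the
// passwordWrapExpiry role), never the password itself.
func (s *Store) IssueWrapToken(user string, ttl time.Duration, now time.Time) (string, error) {
	if !s.HasPassword(user) {
		return "", ErrNoPassword
	}
	tok := hex.EncodeToString(randomBytes(16))
	s.tokens[tok] = wrapToken{user: user, expires: now.Add(ttl)}
	return tok, nil
}

// Redeem is the worker side: exchange a live token for the plaintext. The token is
// consumed either way, so an expired or replayed token yields nothing.
func (s *Store) Redeem(tok string, now time.Time) (string, error) {
	wt, ok := s.tokens[tok]
	if !ok {
		return "", errors.New("unknown or already used wrap token")
	}
	delete(s.tokens, tok)
	if now.After(wt.expires) {
		return "", ErrExpired
	}
	ct, key := s.vault[wt.user], s.keys[wt.user]
	if ct == nil || key == nil {
		return "", ErrNoPassword // wiped after the token was issued
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	pt, err := gcm.Open(nil, ct[:ns], ct[ns:], []byte(wt.user))
	if err != nil {
		return "", err // wrong key, wrong user or tampered ciphertext fails the GCM tag
	}
	return string(pt), nil
}
```

Walking through it the way a workload would: SetPassword is the Account Settings step, IssueWrapToken runs when the workload is submitted, and Redeem runs on the worker when the process is started. With a 72h ttl, a Redeem one hour after issue succeeds, a second Redeem of the same token fails because it has been consumed, and a Redeem 73 hours after issue returns ErrExpired; that last case is why the page says passwordWrapExpiry must outlast the gap between submission and completion. After Wipe, HasPassword is false and IssueWrapToken returns ErrNoPassword.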