GOOD 2025

Reinventing OOD Proxying: Mutual TLS Auth, Access Control, and VNC/RDP to the Desktop
03-19, 11:30–11:55 (US/Eastern), Belfer Case Study Room (CGIS S020)

Discover how to securely connect desktop applications directly to Open OnDemand jobs using mutual TLS authentication all the way from desktop client to compute node. This technical presentation demonstrates a new proxy architecture enabling RDP, VNC, and other protocols to connect securely from desktop client programs to applications on compute nodes, with enhanced security controls missing from the current proxy implementation. It’s perfect for sites wanting to offer desktop client access while maintaining browser viewer capabilities, all with improved security.


This presentation introduces a new proxy architecture that enables secure delivery of RDP, VNC, and other protocols from OOD-launched applications (including Windows VMs in isolated network namespaces) directly to end-user desktop clients using standard open-source tools and only a little glue. The client-facing side supports both time-limited, one-time-use TLS certificates for desktop clients (mutual TLS authentication) and standard session authentication, such as that used for noVNC in a browser. The internal-facing side provides flexible security options, including per-job mutual TLS authentication, HTTP Basic Auth, and configurable host/port restrictions to prevent unauthorized access.

Ryan Cox is the Director of Research Computing at BYU. He has worked in the HPC field for 18 years and has contributed features to Slurm, such as the Fair Tree fairshare algorithm and pam_slurm_adopt.