topic Re: use public keys for authentication in SAS Enterprise Guide

use public keys for authentication

emsmpa — Wed, 18 Jul 2012 12:42:15 GMT

Hi,

is it possible to use a public/private key approach (like ssh) for EG?

Thanks in advance!

Re: use public keys for authentication

ChrisHemedinger — Fri, 20 Jul 2012 18:44:04 GMT

I'm not a security expert and don't know exactly what you're after, but I'll throw some facts at the question:

SAS Enterprise Guide supports use of encryption through SAS/SECURE. EG doesn't use HTTP like a web client, but uses TCP directly to talk to a remote endpoint via the SAS IOM protocol. SAS/SECURE gives you the chance to encrypt those communications using a variety of standard algorithms.
SAS Enterprise Guide can be used via VPN -- no SAS/SECURE needed. If your client machine is connected to your corporate network over the Internet but via VPN, SAS Enterprise Guide can work the same as if it was "on network". That's really not special to EG, but if you're wondering whether that works...it does.

If you need to go deeper on this, I suggest you contact SAS Technical Support.

Chris

Re: use public keys for authentication

emsmpa — Sat, 21 Jul 2012 12:20:01 GMT

Hi Chris,

thanks for your response.

I'm sorry, I should have been more specific.

SAS uses afaik a username and a password to verify/identify users in a hostbased approach (e.g. UNIX users).

UNIX users can have a openssl public key in e.g. .ssh/authorized_keys to login passwordless. They store a private key in a client like ssh client.

Is it possible to use these openssl keys of UNIX user accounts for a passwordless single-sign-on with SAS EG?

Thanks in advance!

Re: use public keys for authentication

ChrisHemedinger — Sat, 21 Jul 2012 15:03:03 GMT

You can use EG in a "single-signon" environment with UNIX systems by configuring "integrated Windows authentication" (IWA) and Kerberos. See this doc:

http://support.sas.com/documentation/cdl/en/bisecag/63082/HTML/default/viewer.htm#n1d1zo1jsf2o0en1ehu4c4simfky.htm

Also see the series of excellent posts by Paul Homes at:

Tag Archives: IWA | platformadmin.com

Chris

Re: use public keys for authentication

emsmpa — Tue, 07 Aug 2012 09:30:59 GMT

Thanks for your effort, Chris.

The solution provided doesn't fit to the problem.

Once I've found a solution I'll provide it here.

Re: use public keys for authentication

sagarthalwar — Tue, 08 Apr 2014 12:21:22 GMT

Hi Chris,

I have created a .NET webservice using SAS IOM 9.2. Currently I am able to connect to SAS by specfying the USERNAME and PASSWORD , but I wanted to know if webservices can have passwordless authentication to establish connection like, public key and private key auth.

Thanks in advance.

Re: use public keys for authentication

ChrisHemedinger — Tue, 08 Apr 2014 12:35:52 GMT

If you've built a .NET webservice using ASP.NET technology, you can probably use the native facilities in the framework for that (I'm not that familiar with the options). If you want the SAS Metadata Server to help authenticate you, then you need to stick to the "single signon" options that are documented in the SAS Intelligence Platform doc. Here's a reference for SAS 9.2:

SAS(R) 9.2 Intelligence Platform: Web Application Administration Guide, Fourth Edition

Chris

Re: use public keys for authentication

jakarman — Wed, 09 Apr 2014 06:18:31 GMT

@emsmpa. Your logical requirements are not clear, please describe them.

For the major approach Eguide Metadataserver Objectspawner etc. is not making any use of SSH actually SAS is replacing that by their own approach.

Passwordless SSH is known at SAS, They are using it with a clustered SAS-VA environment to fulfill synchronization of the OS-layer for several accounts that can be high priviledged or having a dedicated role as data-administrator. The high-level security awareness of SAS is not aligned to common used approaches. SSH is one of those, SSH does everal things.

- If you need encryption over the wire the SAS replacement is coming with SAS/Secure.

- If you need to eliminate passwords as common requirement with high priviledged accoutns there is challenge. SAS is putting every users/passwords in files/databases.

As you are using Unix you could try to replace the involved scripts using sudo.

- Eguide is not really positioned for automated usage as it main usage is interactive.

It has the option to have let stored the password (hashed) in the user-profile environment. That is close to the ssh public key approach.

It has the option to have stored external connection user/passwords in a local file (credentials.xml) 30917 - Scheduling projects in SAS® Enterprise Guide® this option only is applicable when doing scheduling. For normal users you will close down this option as scheduling is focussed to be done central. Never now if you want to use this in your situation.

@sagarthalwar. Building a .Net application is not building a WEB application, they are different. When you build something that way you are building a Eguide verion on your own, Eguide is a .Net application. There are functions within Windows to get the credentials. Chris give that hint and it could become tricky Five strategies to eliminate passwords from your SAS programs - The SAS Dummy. When you are needing encryption over the wire or a automatic login you could solve that in the same way Eguide does.