BookmarkSubscribeRSS Feed
emsmpa
Calcite | Level 5

Hi,

is it possible to use a public/private key approach (like ssh) for EG?

Thanks in advance!

7 REPLIES 7
ChrisHemedinger
Community Manager

I'm not a security expert and don't know exactly what you're after, but I'll throw some facts at the question:

  • SAS Enterprise Guide supports use of encryption through SAS/SECURE.  EG doesn't use HTTP like a web client, but uses TCP directly to talk to a remote endpoint via the SAS IOM protocol.   SAS/SECURE gives you the chance to encrypt those communications using a variety of standard algorithms.
  • SAS Enterprise Guide can be used via VPN -- no SAS/SECURE needed.  If your client machine is connected to your corporate network over the Internet but via VPN, SAS Enterprise Guide can work the same as if it was "on network".  That's really not special to EG, but if you're wondering whether that works...it does.

If you need to go deeper on this, I suggest you contact SAS Technical Support.

Chris

Learn from the Experts! Check out the huge catalog of free sessions in the Ask the Expert webinar series.
emsmpa
Calcite | Level 5

Hi Chris,

thanks for your response.

I'm sorry, I should have been more specific.

SAS uses afaik a username and a password to verify/identify users in a hostbased approach (e.g. UNIX users).

UNIX users can have a openssl public key in e.g. .ssh/authorized_keys to login passwordless. They store a private key in a client like ssh client.

Is it possible to use these openssl keys of UNIX user accounts for a passwordless single-sign-on with SAS EG?

Thanks in advance!

ChrisHemedinger
Community Manager

You can use EG in a "single-signon" environment with UNIX systems by configuring "integrated Windows authentication" (IWA) and Kerberos.  See this doc:

http://support.sas.com/documentation/cdl/en/bisecag/63082/HTML/default/viewer.htm#n1d1zo1jsf2o0en1eh...

Also see the series of excellent posts by Paul Homes at:

Tag Archives: IWA | platformadmin.com

Chris

Learn from the Experts! Check out the huge catalog of free sessions in the Ask the Expert webinar series.
emsmpa
Calcite | Level 5

Thanks for your effort, Chris.

The solution provided doesn't fit to the problem.

Once I've found a solution I'll provide it here.

sagarthalwar
Calcite | Level 5

Hi Chris,

I have created a .NET webservice using SAS IOM 9.2. Currently I am able to connect to SAS by specfying the USERNAME and PASSWORD , but I wanted to know if webservices can have passwordless authentication to establish connection like, public key and private key auth.

Thanks in advance.

ChrisHemedinger
Community Manager

If you've built a .NET webservice using ASP.NET technology, you can probably use the native facilities in the framework for that (I'm not that familiar with the options).  If you want the SAS Metadata Server to help authenticate you, then you need to stick to the "single signon" options that are documented in the SAS Intelligence Platform doc.  Here's a reference for SAS 9.2:

SAS(R) 9.2 Intelligence Platform: Web Application Administration Guide, Fourth Edition

Chris

Learn from the Experts! Check out the huge catalog of free sessions in the Ask the Expert webinar series.
jakarman
Barite | Level 11

@emsmpa. Your logical requirements are not clear, please describe them.

For the major approach Eguide Metadataserver Objectspawner etc. is not making any use of SSH actually SAS is replacing that by their own approach.

Passwordless SSH is known at SAS, They are using it with a clustered SAS-VA environment to fulfill synchronization of the OS-layer for several accounts that can be high priviledged or having a dedicated role as data-administrator.  The high-level security awareness of SAS is not aligned to common used approaches. SSH is one of those, SSH does everal things.

- If you need encryption over the wire the SAS replacement is coming with SAS/Secure.

- If you need to eliminate passwords as common requirement with high priviledged accoutns there is challenge. SAS is putting every users/passwords in files/databases.

  As you are using Unix you could try to replace the involved scripts using sudo.

- Eguide is not really positioned for automated usage as it main usage is interactive.

  It has the option to have let stored the password (hashed) in the user-profile environment. That is close to the ssh public key approach.

  It has the option to have stored external connection user/passwords in a local file (credentials.xml)  30917 - Scheduling projects in SAS® Enterprise Guide® this option only is applicable when doing scheduling.  For normal users you will close down this option as scheduling is focussed to be done central. Never now if you want to use this in your situation.  

     

@sagarthalwar. Building a .Net application is not building a WEB application, they are different. When you build something that way you are building a Eguide verion on your own,  Eguide is a .Net application. There are functions within Windows to get the credentials. Chris give that hint and it could become tricky Five strategies to eliminate passwords from your SAS programs - The SAS Dummy. When you are needing encryption over the wire or a automatic login you could solve that in the same way Eguide does. 

---->-- ja karman --<-----

SAS Innovate 2025: Save the Date

 SAS Innovate 2025 is scheduled for May 6-9 in Orlando, FL. Sign up to be first to learn about the agenda and registration!

Save the date!

SAS Enterprise Guide vs. SAS Studio

What’s the difference between SAS Enterprise Guide and SAS Studio? How are they similar? Just ask SAS’ Danny Modlin.

Find more tutorials on the SAS Users YouTube channel.

SAS Training: Just a Click Away

 Ready to level-up your skills? Choose your own adventure.

Browse our catalog!

Discussion stats
  • 7 replies
  • 3068 views
  • 0 likes
  • 4 in conversation