On 2/8/2024 10:10 AM, Chris Rapier wrote:
I know that there are some methods to use federated identities (e.g.
OAuth2) with SSH authentication but, from what I've seen, they largely
seem clunky and require users to interact with web browsers to get one
time tokens. Which is sort of acceptable for occasional logins but
doesn't work with automated/scripted actions.
I'm just wondering if anyone has done any work on this or has thoughts
on it. I know it would be useful in some contexts (in my case, cross
realm access of independent yet federated services that are pretty
common in R&E HPC communities (e.g. ACCESS)).
SSH Certificates are a useful token exchange currency for AuthN (and
basic AuthZ). We can use OIDC to Hashicorp Vault in either
non-interactive mode or MFA mode (via some custom scripting) to turn
Kerberos/MFA into OIDC into Vault into an SSH certificate. Said SSH
certificate can be used directly with SSH, or via a forked pam-ussh
module (with the AuthorizedPrincipalsCommand PR) for other services.
It's kind of a winding path, but leverages our existing tooling to solve
some problems.
Fundamentally, both parties in the federation need to decide on which
AuthN transitions they're comfortable trusting. SSH certificates allow
annotation via naming conventions to denote source AuthN method, which
can then be used in AuthorizedPrincipals to determine access. e.g. Allow
someuser@TOTP but deny someuser@password.
--
Carson
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
