Re: Authentication using federated identity

On 2/9/24 2:49 AM, Nico Kadel-Garcia wrote:
> On Thu, Feb 8, 2024 at 1:18 PM Chris Rapier <rapier@xxxxxxx> wrote:
>>
>> I know that there are some methods to use federated identities (e.g.
>> OAuth2) with SSH authentication but, from what I've seen, they largely
>> seem clunky and require users to interact with web browsers to get one
>> time tokens. Which is sort of acceptable for occasional logins but
>> doesn't work with automated/scripted actions.
>
> Is there some reason you wouldn't simply use Kerberos, baked into
> Samba and Active Directory, with the long established token handling
> provided by Kerberos? Convincing Kerberos and the AD admin who may not

Largely because I'm trying to work within an existing system that has established methodologies. The really fun part is that I'd be trying to do this in a way that supports European R&E communities and US R&E communities which use different methodologies and have different organizational structures.

Prior experience with Kerberos in these communities has not proven to be fruitful. It may be worth trying to revisit that, but I don't have any pull in transnational EU R&E HPN consortiums. They're pretty taken with OAuth, which is great if you are doing everything in a browser. The US consortium I have more connections with, but again, they're pretty taken with web-based SSOs on their science gateways.

Chris
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



