On 2/9/24 2:49 AM, Nico Kadel-Garcia wrote:
> On Thu, Feb 8, 2024 at 1:18 PM Chris Rapier <rapier@xxxxxxx> wrote:
>> I know that there are some methods to use federated identities (e.g.
>> OAuth2) with SSH authentication but, from what I've seen, they largely
>> seem clunky and require users to interact with web browsers to get one
>> time tokens. Which is sort of acceptable for occasional logins but
>> doesn't work with automated/scripted actions.
>
> Is there some reason you wouldn't simply use Kerberos, baked into
> Samba and Active Directory, with the long established token handling
> provided by Kerberos? Convincing Kerberos and the AD admin who may not

Largely because I'm trying to work within an existing system that has
established methodologies. The really fun part is that I'd be trying to
do this in a way that supports European R&E communities and US R&E
communities which use different methodologies and have different
organizational structures.
Prior experience with Kerberos in these communities has not proven to be
fruitful. It may be worth trying to revisit that, but I don't have any
pull in transnational EU R&E HPN consortiums. They're pretty taken with
OAuth which is great if you are doing everything in a browser. The US
consortium I have more connections with but again, they're pretty taken
with web-based SSOs on their science gateways.
Chris
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev