Authentication using federated identity
Carson Gaspar
carson at taltos.org
Fri Feb 9 05:33:54 AEDT 2024
On 2/8/2024 10:10 AM, Chris Rapier wrote:
> I know that there are some methods to use federated identities (e.g.
> OAuth2) with SSH authentication but, from what I've seen, they largely
> seem clunky and require users to interact with web browsers to get one
> time tokens. Which is sort of acceptable for occasional logins but
> doesn't work with automated/scripted actions.
>
> I'm just wondering if anyone has done any work on this or has thoughts
> on it. I know it would be useful in some contexts (in my case, cross
> realm access of independent yet federated services that are pretty
> common in R&E HPC communities (e.g. ACCESS)).
SSH Certificates are a useful token exchange currency for AuthN (and
basic AuthZ). We can use OIDC to Hashicorp Vault in either
non-interactive mode or MFA mode (via some custom scripting) to turn
Kerberos/MFA into OIDC into Vault into an SSH certificate. Said SSH
certificate can be used directly with SSH, or via a forked pam-ussh
module (with the AuthorizedPrincipalsCommand PR) for other services.
It's kind of a winding path, but leverages our existing tooling to solve
some problems.
Fundamentally, both parties in the federation need to decide on which
AuthN transitions they're comfortable trusting. SSH certificates allow
annotation via naming conventions to denote source AuthN method, which
can then be used in AuthorizedPrincipals to determine access. e.g. Allow
someuser at TOTP but deny someuser at password.
--
Carson
More information about the openssh-unix-dev
mailing list