Authentication using federated identity

Carson Gaspar carson at taltos.org
Fri Feb 9 05:33:54 AEDT 2024


On 2/8/2024 10:10 AM, Chris Rapier wrote:
> I know that there are some methods to use federated identities (e.g. 
> OAuth2) with SSH authentication but, from what I've seen, they largely 
> seem clunky and require users to interact with web browsers to get one 
> time tokens. Which is sort of acceptable for occasional logins but 
> doesn't work with automated/scripted actions.
>
> I'm just wondering if anyone has done any work on this or has thoughts 
> on it. I know it would be useful in some contexts (in my case, cross 
> realm access of independent yet federated services that are pretty 
> common in R&E HPC communities (e.g. ACCESS)).

SSH Certificates are a useful token exchange currency for AuthN (and 
basic AuthZ). We can use OIDC to Hashicorp Vault in either 
non-interactive mode or MFA mode (via some custom scripting) to turn 
Kerberos/MFA into OIDC into Vault into an SSH certificate. Said SSH 
certificate can be used directly with SSH, or via a forked pam-ussh 
module (with the AuthorizedPrincipalsCommand PR) for other services.

It's kind of a winding path, but leverages our existing tooling to solve 
some problems.

Fundamentally, both parties in the federation need to decide on which 
AuthN transitions they're comfortable trusting. SSH certificates allow 
annotation via naming conventions to denote source AuthN method, which 
can then be used in AuthorizedPrincipals to determine access. e.g. Allow 
someuser at TOTP but deny someuser at password.

-- 

Carson




More information about the openssh-unix-dev mailing list