Authentication using federated identity
Chris Rapier
rapier at psc.edu
Tue Feb 13 08:15:50 AEDT 2024
On 2/9/24 2:49 AM, Nico Kadel-Garcia wrote:
> On Thu, Feb 8, 2024 at 1:18 PM Chris Rapier <rapier at psc.edu> wrote:
>>
>> I know that there are some methods to use federated identities (e.g.
>> OAuth2) with SSH authentication but, from what I've seen, they largely
>> seem clunky and require users to interact with web browsers to get one
>> time tokens. Which is sort of acceptable for occasional logins but
>> doesn't work with automated/scripted actions.
>
> Is there some reason you wouldn't simply use Kerberos, baked into
> Samba and Active Directory, with the long established token handling
> provided by Kerberos? Convincing Kerberos and the AD admin who may not

Largely because I'm trying to work within an existing system that has
established methodologies. The really fun part is that I'd be trying to
do this in a way that supports European R&E communities and US R&E
communities which use different methodologies and have different
organizational structures.

Prior experience with Kerberos in these communities has not proven to be
fruitful. It may be worth trying to revisit that, but I don't have any
pull in transnational EU R&E HPN consortiums. They're pretty taken with
OAuth which is great if you are doing everything in a browser. The US
consortium I have more connections with but again, they're pretty taken
with web-based SSOs on their science gateways.

Chris