Authentication using federated identity

Chris Rapier rapier at
Tue Feb 13 08:15:50 AEDT 2024

On 2/9/24 2:49 AM, Nico Kadel-Garcia wrote:
> On Thu, Feb 8, 2024 at 1:18 PM Chris Rapier <rapier at> wrote:
>> I know that there are some methods to use federated identities (e.g.
>> OAuth2) with SSH authentication but, from what I've seen, they largely
>> seem clunky and require users to interact with web browsers to get one
>> time tokens. Which is sort of acceptable for occasional logins but
>> doesn't work with automated/scripted actions.
> Is there some reason you wouldn't simply use Kerberos, baked into
> Samba and Active Directory, with the long established token handling
> provided by Kerberos? Convincing Kerbers and the AD admin who may not

Largely because I'm trying to work within an existing system that has 
established methodologies. The really fun part is that I'd be trying to 
do this in a way that supports European R&E communities and US R&E 
communities which use different methodologies and have different 
organizational structures.

Prior experience with kerberos in these communities has not proven to be 
fruitful. It may be worth trying to revisit that, but I don't have any 
pull in transnational EU R&E HPN consortiums. They're pretty taken with 
OAuth which is great if you are doing everything in a browser. The US 
consortium I have more connections with but again, they're pretty taken 
with web based SSOs on their science gateways.


More information about the openssh-unix-dev mailing list