PoS - Proceedings of Science
Volume 458 - International Symposium on Grids & Clouds (ISGC) 2024 (ISGC2024) - Network, Security, Infrastructure and Operations
Evolution of SSH with OpenId Connect
M. Hardt*, D. Gudu, G. Zachmann and L. Brocke
Full text: pdf
Published on: October 29, 2024
Abstract
The Secure Shell Protocol (SSH) is the de-facto standard for accessing remote servers on the
commandline. Use cases include remote system administration for unix administrators, git via ssh
for developers, rsync via ssh for system backups, and HPC access for scientists. Unfortunately,
there is no globally accepted usage pattern for federated usage yet.
The large variety of users with different backgrounds and usage profiles motivated us to develop
a set of different tools for facilitating the integration with federated user identities. The main
novelty of our contribution is the integration of an ssh Certificate Authority (CA) into the existing
motley-cue + oidc-agent mechanism via a toolchain that we call "oinit". It simplifies the usage
of ssh certificates by leveraging authorisation information via established federation mechanisms.
The benefit is that – after an initial setup step – ssh may be used securely without interrupting
existing flows. This allows for example the use of rsync or git via ssh.
To enable this, oinit consists of a collection of programs to enable OpenSSH login for federated
identities based on certificates:

• The oinit-ca provides a REST interface to an ssh-ca at which authorised users obtain an
ssh certificate for a specified host or host group. Authorisation decisions are enforced by
motley-cue, the component that maps federated identities to local ones on the ssh server
side. User provisioning may also be triggered at this point, e.g. via motley-cue and feudal.
• Users employ the oinit tool to add hosts to the oinit mechanism. Once established, ssh
certificates will automatically be retrieved, whenever this may be necessary and stored in
the ssh-agent.
• Serverside tools and configuration for enabling ssh without knowledge of local usernames
("non-username operation"), which is particularly useful in federated scenarios.
In this paper we outline the basic solution and focus on on user interface optimisation with
the integration of ssh certificates.

Source code modifications of ssh are prohibitive and are not necessary with the solution described in this paper.

DOI: https://doi.org/10.22323/1.458.0023
How to cite

Metadata are provided both in "article" format (very similar to INSPIRE) as this helps creating very compact bibliographies which can be beneficial to authors and readers, and in "proceeding" format which is more detailed and complete.

Open Access
Creative Commons LicenseCopyright owned by the author(s) under the term of the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.