SSH Integration

Detailed documentation of all the components required to enable SSH access via OIDC with on-the-fly account provisioning can be found at: https://github.com/EOSC-synergy/ssh-oidc. A quick summary follows.

PAM

You’ll need the pam-ssh-oidc PAM module, which supports OIDC authentication by prompting the user for a token instead of a password.

You can also install it from the http://repo.data.kit.edu/ repo:

apt-get install pam-ssh-oidc
or
yum install pam-ssh-oidc

Check out the documentation for how to configure it, and make sure you set SSH to use the PAM module.

If you install the package pam-ssh-oidc-autoconfig, it will automatically configure SSH to use the PAM module.

In /etc/pam.d/sshd, add the following as the first line:

auth     sufficient pam_oidc_token.so config=/etc/pam.d/config.ini

and configure the verification endpoint to your motley_cue instance in /etc/pam.d/config.ini:

[user_verification]
local = false
verify_endpoint = $MOTLEY_CUE_ENDPOINT/verify_user

where MOTLEY_CUE_ENDPOINT=http://localhost:8080 with a default installation.

Finally, make sure you have in your /etc/ssh/sshd_config:

UsePAM yes
# one of the following, depending on your version of OpenSSH:
ChallengeResponseAuthentication yes
KbdInteractiveAuthentication yes

Note that enabling PAM and keyboard-interactive authentication may also enable password-based logins, which you need to disable separately.
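The following is an added example, not part of motley_cue or pam-ssh-oidc: a read-only audit script that checks the three files configured above (the PAM stack, config.ini and sshd_config) for the settings this section requires and for the password-login caveat just mentioned. It assumes the file layout shown above; the sample files it builds are constructed copies of the snippets, and the helper names check_ssh_oidc_config and make_sample_config are hypothetical.

```shell
#!/bin/sh
# Added example (not the project's own code). Audit the files configured above.
# Pass the real paths (/etc/pam.d/sshd /etc/pam.d/config.ini /etc/ssh/sshd_config)
# or the constructed copies from make_sample_config. Returns 0 if all checks pass.
check_ssh_oidc_config() {
    pam_sshd="$1"; pam_ini="$2"; sshd_cfg="$3"
    rc=0
    # 1. The OIDC module must be the first 'auth' rule and marked 'sufficient'.
    first_auth=$(grep -E '^[[:space:]]*auth' "$pam_sshd" | head -n 1)
    case "$first_auth" in
        *sufficient*pam_oidc_token.so*) ;;
        *) echo "FAIL: pam_oidc_token.so is not the first sufficient auth rule in $pam_sshd"; rc=1 ;;
    esac
    # 2. config.ini must delegate verification to motley_cue rather than a local check.
    grep -Eq '^[[:space:]]*local[[:space:]]*=[[:space:]]*false' "$pam_ini" \
        || { echo "FAIL: 'local = false' missing in $pam_ini"; rc=1; }
    grep -Eq '^[[:space:]]*verify_endpoint[[:space:]]*=.*/verify_user' "$pam_ini" \
        || { echo "FAIL: verify_endpoint does not point at /verify_user in $pam_ini"; rc=1; }
    # 3. sshd must hand the token prompt to PAM (sshd keywords are case-insensitive).
    grep -Eiq '^[[:space:]]*UsePAM[[:space:]]+yes' "$sshd_cfg" \
        || { echo "FAIL: 'UsePAM yes' missing in $sshd_cfg"; rc=1; }
    grep -Eiq '^[[:space:]]*(KbdInteractiveAuthentication|ChallengeResponseAuthentication)[[:space:]]+yes' "$sshd_cfg" \
        || { echo "FAIL: no KbdInteractive/ChallengeResponse 'yes' in $sshd_cfg"; rc=1; }
    # 4. The caveat above: PAM + keyboard-interactive must not leave password logins on.
    grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+no' "$sshd_cfg" \
        || { echo "FAIL: PasswordAuthentication is not explicitly 'no' in $sshd_cfg"; rc=1; }
    return $rc
}

# Constructed sample files mirroring the snippets above, written to a temp dir.
make_sample_config() {
    dir=$(mktemp -d)
    printf 'auth     sufficient pam_oidc_token.so config=/etc/pam.d/config.ini\n@include common-auth\n' > "$dir/sshd"
    printf '[user_verification]\nlocal = false\nverify_endpoint = http://localhost:8080/verify_user\n' > "$dir/config.ini"
    printf 'UsePAM yes\nKbdInteractiveAuthentication yes\nPasswordAuthentication no\n' > "$dir/sshd_config"
    echo "$dir"
}

# Self-test against the constructed files: ./audit.sh --self-test
if [ "${1:-}" = "--self-test" ]; then
    d=$(make_sample_config)
    check_ssh_oidc_config "$d/sshd" "$d/config.ini" "$d/sshd_config" && echo "OK: sample config passes"
fi
```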

Client

To SSH into a server that supports OIDC authentication, you’ll need to trigger the deployment of a local account by calling the /user/deploy endpoint, then retrieve the local username via /user/get_status.

Alternatively, have a look at mccli, an SSH client wrapper that does all of this for you and can integrate with oidc-agent.