It's a set of tools that allows (you guessed it) ssh with OIDC. What you might not have guessed: We go for the difficult-to-implement but simplest-to-use approach.
- No modification of ssh-client (except for Windows where we provide an extension to putty)
- No modification of ssh-server
- No need for OIDC client registration on the server
- No need to enter passwords more than once after reboot
The final usage is as simple as:
mccli ssh <hostname>
For testing the client, we provide a demonstration server at ssh-oidc-demo.data.kit.edu.
On the client you will need two basic tools:
- oidc-agent: To obtain oidc AccessTokens
- motley-cue command-line tool (mccli) for
  - getting AccessTokens
  - communicating with the remote motley-cue
  - calling SSH with an AccessToken
Please follow installation instructions at https://indigo-dc.gitbook.io/oidc-agent/intro
Useful commandlines for generating an oidc-agent configuration are listed here. (You may add --flow device if you run oidc-agent on a remote host.)
- EGI Check-in:
oidc-gen --pub --iss https://aai.egi.eu/auth/realms/egi \
    --scope "openid profile email offline_access \
    eduperson_entitlement eduperson_scoped_affiliation eduperson_unique_id" egi
- WLCG:
oidc-gen --pub --issuer https://wlcg.cloud.cnaf.infn.it/ \
    --scope "openid profile offline_access wlcg.groups wlcg \
    eduperson_entitlement eduperson_scoped_affiliation" wlcg
- Helmholtz-AAI:
oidc-gen --pub --iss https://login.helmholtz.de/oauth2/ \
    --scope "openid profile email offline_access \
    eduperson_entitlement eduperson_scoped_affiliation eduperson_unique_id" helmholtz
- Google:
oidc-gen --pub --iss https://accounts.google.com/ --flow device --scope max google
Install with
pip install mccli
Use either of:
mccli ssh ssh-oidc-demo.data.kit.edu --iss https://aai.egi.eu/oidc
mccli ssh ssh-oidc-demo.data.kit.edu --oidc egi
ACCESS_TOKEN=<access_token> mccli ssh ssh-oidc-demo.data.kit.edu
It is as simple as this!
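As an added example (not code from mccli or this page), here is a small Python pre-flight helper for the client side: it reads the access token's claims without verifying the signature (the server still does that), checks the issuer against the providers configured above and the remaining lifetime, and then hands the token to mccli through the ACCESS_TOKEN environment variable as shown above rather than on the command line. The issuer-to-shortname map and the unsigned demo token builder are assumptions made for this example.

```python
import base64
import json
import os
import time

# Assumed map from the issuers used in the oidc-gen examples above to their
# oidc-agent short names (both EGI issuer URLs appear on this page).
KNOWN_ISSUERS = {
    "https://aai.egi.eu/auth/realms/egi": "egi",
    "https://aai.egi.eu/oidc": "egi",
    "https://wlcg.cloud.cnaf.infn.it/": "wlcg",
    "https://login.helmholtz.de/oauth2/": "helmholtz",
}

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def jwt_claims(token):
    """Payload claims of a JWT access token, read WITHOUT signature verification.
    Local pre-flight only; pam-ssh-oidc/motley-cue on the server verifies the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (opaque tokens, e.g. Google's, cannot be inspected)")
    return json.loads(_b64url_decode(parts[1]))

def preflight(token, now=None, min_remaining=60):
    """Reject tokens from unknown issuers or with < min_remaining seconds left;
    return the oidc-agent short name for a usable token."""
    now = time.time() if now is None else now
    claims = jwt_claims(token)
    iss = claims.get("iss")
    if iss not in KNOWN_ISSUERS:
        raise ValueError("unexpected issuer: %r" % iss)
    exp = claims.get("exp")
    if exp is None or exp - now < min_remaining:
        raise ValueError("token expired or about to expire; fetch a fresh one with oidc-token")
    return KNOWN_ISSUERS[iss]

def mccli_command(host, token):
    """argv and environment for 'mccli ssh <host>': the token travels in ACCESS_TOKEN
    (as on this page), never in argv, so it does not show up in 'ps' or shell history."""
    preflight(token)
    env = dict(os.environ, ACCESS_TOKEN=token)
    return ["mccli", "ssh", host], env

def make_demo_token(iss, exp):
    """Constructed, unsigned sample token so the checks can be exercised offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc({"iss": iss, "exp": exp}) + "."
```

Run `argv, env = mccli_command(host, token)` and pass both to `subprocess.run(argv, env=env)`; a real token comes from `oidc-token <shortname>`.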
Installation is mostly a matter of installing the packages motley-cue and pam-ssh-oidc (or pam-ssh-oidc-autoconfig).
Packages are available at https://repo.data.kit.edu
Follow the instructions there to configure the correct repository for apt or yum.
The currently supported Linux distributions are:
- Debian (testing + stable + oldstable)
- Ubuntu (22.04 + 20.04 + 18.04)
- Centos (7 + 8 + Stream)
- Rockylinux (8.5)
- OpenSuse (15.4, 15.5)
Details are described in the linked chapters pam-ssh-oidc and motley-cue.
Frequently asked questions are collected in our FAQ.
The public demo instance runs at ssh-oidc-demo.data.kit.edu. Further documentation is available there (https://ssh-oidc-demo.data.kit.edu).
We have two presentations:
- The (short) overview: https://docs.google.com/presentation/d/18GVVwuf3Ham0PBdnVf2MJm96PUPGBU_zzglfskG9LtY
- The detailed one: https://docs.google.com/presentation/d/17HM11YjafC5VA4_o2EjNrtbRqJGgQP0q92C_uqFAM6A/edit?usp=sharing
This page documents a set of tools that have been developed in a joint effort of:
- Karlsruhe Institute of Technology (KIT)
- Poznan Supercomputing and Networking Centre (PSNC)
- EOSC-Synergy
- Praceclab PL
- Helmholtz Federated IT Services (HIFIS)
- Helmholtz Data Federation