EOSC-synergy/ssh-oidc
What is ssh-oidc

It's a set of tools that allows (you guessed it) SSH with OIDC. What you might not have guessed: we go for the approach that is difficult to implement but simplest to use.

Usability

  • No modification of the ssh client (except on Windows, where we provide an extension to PuTTY)
  • No modification of ssh-server
  • No need for OIDC client registration on the server
  • No need to enter passwords more than once after reboot

The final usage is as simple as:

mccli ssh <hostname>

Client Installation

For testing the client, we provide a demonstration server at ssh-oidc-demo.data.kit.edu.

On the client you will need two basic tools:

  • oidc-agent: to obtain OIDC access tokens
  • motley-cue command-line tool (mccli) for
    • getting access tokens
    • communicating with the remote motley-cue
    • calling ssh with an access token

oidc-agent

Please follow installation instructions at https://indigo-dc.gitbook.io/oidc-agent/installation

Useful command lines for generating an oidc-agent configuration are listed below. (Add --flow device if you run oidc-agent on a remote host without a browser.)

  • EGI Check-in:
    oidc-gen --pub --iss https://aai.egi.eu/auth/realms/egi \
        --scope "openid profile email offline_access \
            eduperson_entitlement eduperson_scoped_affiliation eduperson_unique_id" egi
    
  • WLCG:
    oidc-gen --pub --iss https://wlcg.cloud.cnaf.infn.it/ \
        --scope "openid profile offline_access wlcg.groups wlcg \
            eduperson_entitlement eduperson_scoped_affiliation" wlcg
    
  • Helmholtz-AAI:
    oidc-gen --pub --iss https://login.helmholtz.de/oauth2/ \
        --scope "openid profile email offline_access \
            eduperson_entitlement eduperson_scoped_affiliation eduperson_unique_id" helmholtz
    
  • Google:
    oidc-gen --pub --iss https://accounts.google.com/ --flow device  --scope max google
    

mccli

Install with

  • pip install mccli

Use any of:

  • mccli ssh ssh-oidc-demo.data.kit.edu --iss https://aai.egi.eu/oidc
  • mccli ssh ssh-oidc-demo.data.kit.edu --oidc egi
  • ACCESS_TOKEN=<access_token> mccli ssh ssh-oidc-demo.data.kit.edu

It is as simple as this!
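The third form above hands mccli a token through the ACCESS_TOKEN environment variable. Before doing that, a client-side sanity check on the token avoids a failed login with a stale or wrong-issuer token. The following is an added example, not code from the ssh-oidc or motley-cue projects: it decodes the payload of a JWT-shaped token (without verifying the signature, which is the server's job), checks the issuer against the --iss value you intend to pass, checks expiry with a small clock-skew allowance, and only then builds the mccli invocation. Tokens that are not JWTs (some issuers hand out opaque tokens) are passed through untouched. The sample token is constructed inline with alg "none" so the example runs offline; the helper names are this example's own.

```python
import base64
import json
import os
import subprocess
import time
from typing import Dict, List, Optional, Tuple


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(iss: str, exp: int) -> str:
    """Constructed, UNSIGNED JWT-shaped token for offline demonstration only.
    Real tokens come from `oidc-token <account>` or are fetched by mccli itself."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": iss, "exp": exp, "sub": "demo-user"}).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> Optional[dict]:
    """Return the JWT payload as a dict, or None when the token is not
    JWT-shaped (opaque tokens cannot be inspected on the client)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        padded = parts[1] + "=" * (-len(parts[1]) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None
    return claims if isinstance(claims, dict) else None


def check_token(token: str, expected_iss: str,
                now: Optional[int] = None, skew: int = 30) -> Tuple[bool, str]:
    """Client-side sanity check. Does NOT verify the signature: motley-cue on
    the server validates the token against the issuer."""
    now = int(time.time()) if now is None else now
    claims = decode_claims(token)
    if claims is None:
        return True, "opaque token: not inspectable, leaving validation to the server"
    if claims.get("iss") != expected_iss:
        return False, f"issuer mismatch: {claims.get('iss')!r} != {expected_iss!r}"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now + skew:
        return False, "token expired or about to expire"
    return True, "ok"


def plan_mccli_ssh(hostname: str, token: str, expected_iss: str,
                   now: Optional[int] = None) -> Optional[Tuple[List[str], Dict[str, str]]]:
    """Return (argv, extra_env) for the mccli call, or None if the check fails.
    The token travels in the environment, as the README shows, so it never
    appears in the process list or shell history."""
    ok, reason = check_token(token, expected_iss, now)
    if not ok:
        print(f"refusing to call mccli: {reason}")
        return None
    return ["mccli", "ssh", hostname, "--iss", expected_iss], {"ACCESS_TOKEN": token}


if __name__ == "__main__":
    issuer = "https://aai.egi.eu/oidc"
    # Use a real token from the environment if one is set, else the constructed sample.
    token = os.environ.get("ACCESS_TOKEN") or make_sample_token(issuer, int(time.time()) + 3600)
    plan = plan_mccli_ssh("ssh-oidc-demo.data.kit.edu", token, issuer)
    if plan and os.environ.get("ACCESS_TOKEN"):
        argv, extra_env = plan
        subprocess.run(argv, env={**os.environ, **extra_env})
    elif plan:
        print("would run:", " ".join(plan[0]), "(with ACCESS_TOKEN in the environment)")
```

Run it with a real token in ACCESS_TOKEN to actually open the session; without one it only prints the command it would run against the demo host.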

Server Installation

Installation is mostly a matter of installing the packages:

  • motley-cue and pam-ssh-oidc (or pam-ssh-oidc-autoconfig)

Packages are available at https://repo.data.kit.edu

Follow the instructions there to configure the correct repository for apt or yum.

The currently supported Linux distributions are:

  • Debian (testing + stable + oldstable)
  • Ubuntu (22.04 + 20.04 + 18.04)
  • CentOS (7 + 8 + Stream)
  • Rocky Linux (8.5)
  • openSUSE (15.4, 15.5)

Details are described in the linked chapters pam-ssh-oidc and motley-cue.

Frequently Asked Questions

These are collected in our FAQ.

More Material

The public demo instance runs at ssh-oidc-demo.data.kit.edu. Further documentation is available there (https://ssh-oidc-demo.data.kit.edu).

We have two presentations:

Acknowledgements

This page documents a set of tools that have been developed in a joint effort of:

  • Karlsruhe Institute of Technology (KIT)
  • Poznan Supercomputing and Networking Centre (PSNC)
  • EOSC-Synergy
  • Praceclab PL
  • Helmholtz Federated IT Services (HIFIS)
  • Helmholtz Data Federation

About

Documentation for SSH with OIDC
