Allow pam to contact external motley cue endpoint #10
Comments
This is possible, in principle. You can run motley-cue on another machine and update the configurations to use this motley cue endpoint:
What is left is to configure how the local accounts are being managed, since motley-cue creates local accounts that need to be available on the host running the ssh server.
It definitely needs to be streamlined and tested.
Hi @dianagudu. So let's see how I can fit this on my agenda to test ssh-oidc in CI/CD.
Currently, to use the ssh-oidc connection flow, it is required to install the pam module and the motley cue service on the server side. The current flow requires the client to contact the server on two open ports, one for ssh and another for the motley cue token endpoint, also used to retrieve the user claims and translate them to posix user attributes.
This kind of setup brings more attack surface on the server side, since we have 2 ports open and more software to keep on each node. I suggest for future work to improve the pam module configuration, so that both attributes and token could be retrieved from an external endpoint, like when using an LDAP endpoint.
A central endpoint for motley cue would also make the management of multiple nodes easier, since in that case only the pam module would need to be installed.
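The step the issue refers to as "retrieve the user claims and translate them to posix user attributes" is sketched below as an added illustration. This is not motley-cue's or pam-ssh-oidc's code; the claim names beyond the standard `iss`/`sub`/`preferred_username`, the reserved uid range, the required entitlement value and the sample claims are all constructed for the example. The point it makes is the defensive one: the identity that is actually unique is issuer plus subject, `preferred_username` is untrusted input and must not reach `useradd` unchecked, and authorisation (here an entitlement check) belongs in the same place as the mapping.

```python
"""Illustrative OIDC-claims-to-POSIX mapping (example code, not motley-cue's own)."""
import hashlib
import re

# Conservative subset of what useradd accepts as a local username.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
# Uid range reserved for federated accounts on this host (assumption for the example).
UID_MIN, UID_MAX = 100000, 199999
# Entitlement a user must carry to be authorised on this host (constructed value).
REQUIRED_ENTITLEMENT = "urn:example:group:hpc"

# Constructed sample claims, shaped like an OIDC userinfo response. Not real users.
SAMPLE_CLAIMS = [
    {"iss": "https://op.example", "sub": "a1b2c3", "preferred_username": "alice",
     "eduperson_entitlement": ["urn:example:group:hpc"]},
    # preferred_username that is unsafe as a local account name
    {"iss": "https://op.example", "sub": "z9y8x7", "preferred_username": "Bob Smith;rm -rf /",
     "eduperson_entitlement": ["urn:example:group:hpc"]},
    # authenticated, but lacking the entitlement this host requires
    {"iss": "https://op.example", "sub": "q1w2e3", "preferred_username": "carol",
     "eduperson_entitlement": []},
]


def stable_digest(claims):
    """Hex digest of issuer+subject, the only pair OIDC guarantees to be unique."""
    key = f"{claims['iss']}|{claims['sub']}".encode()
    return hashlib.sha256(key).hexdigest()


def derive_username(claims):
    """Accept preferred_username only if it already is a safe POSIX name; otherwise
    fall back to a name derived from iss+sub so untrusted text never reaches useradd."""
    preferred = claims.get("preferred_username", "")
    if USERNAME_RE.match(preferred):
        return preferred
    return "oidc_" + stable_digest(claims)[:10]


def derive_uid(claims):
    """Deterministic uid inside the reserved range. A real deployment keeps a
    persistent sub->uid table to resolve collisions; this is the stateless sketch."""
    n = int(stable_digest(claims)[:16], 16)
    return UID_MIN + n % (UID_MAX - UID_MIN + 1)


def map_claims_to_posix(claims):
    """Return POSIX attributes for an authorised user, or None when access is denied."""
    if "iss" not in claims or "sub" not in claims:
        return None
    if REQUIRED_ENTITLEMENT not in claims.get("eduperson_entitlement", []):
        return None
    username = derive_username(claims)
    uid = derive_uid(claims)
    return {"username": username, "uid": uid, "gid": uid,
            "home": f"/home/{username}", "shell": "/bin/bash"}


if __name__ == "__main__":
    for c in SAMPLE_CLAIMS:
        print(c["sub"], "->", map_claims_to_posix(c))
```

Whether this mapping runs inside the pam module, in a local motley-cue, or on a central endpoint as the issue proposes, the checks stay the same; what changes is only which host has to be reachable and which host ends up holding the account database.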