Versions Compared

Old Version 1

changes.mady.by.user Niels van Dijk

Saved on

compared with

New Version Current

changes.mady.by.user Michael Schmidt

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

#Use this template to capture proposal for a new Incubator Activity - delete this line after using the template#

Participants

#Enter the persons who are submitter of the Activity - delete this line after using the template#
Panel
titleProposers


NameOrganisation

Mads Freek, Mikkel Hald

Deic


...

Panel
titleGN4-3 project team


NameOrganisationRole
Mads FreekDeicStakeholder, developerDeveloper
Mikkel HaldDeicStakeholder
Tangui Coulouarn DeicStakeholder
, Developer
Martin van EsGEANT / IncubatordeveloperDeveloper
Niels van DijkSURF / IncubatorStakeholderActivity Owner
Michael SchmidtLCZ LRZ / IncubatorScrum master



#Enter the persons who are internal projects or external stakeholders of this Activity - delete this line after using the template#
Panel
titleStakeholders


Name

Organisation

Role 
Markus HardtKITStakeholder
Tangui Coulouarn DeicStakeholder


Activity overview

Panel
titleDescription

Investigate and further develop SSH support for a federated world

...

Panel
titleActivity goals

To allow easy access to SSH based services DeiC has made a SSH Certificate Authority proof-of-concept that issues short-lived SSH certificates based on a federated login. The system requires no specific client - or service side installed programs and makes it possible for the user to use all standard ssh services - as long at the certificate is valid. Depending on the configuration of the participating services the CA allows the user to use the same username/uid across all services. Optionally it can be combined with systemd-userdb services to allow for fully automated user management. The CA can also optionally issue host certificates so the users do not have to trust the servers on first use (TOFU).

Activity Details

Panel
titleTechnical details

We want to further explore the possibilities for such a system:

- Is it really possible to do it without "xtra" client- or server side programs?
- Is it possible to do it the other way around - use a ssh session for web login?
- Is it possible to use a certificate as an "assertion" - optionally do auto user creation

Upon further interactions with the incubator team alternative solutions were discussed, for example SURF's pam weblogin (https://github.com/surfscz/pam-weblogin) or KIT's OIDC agent (https://indigo-dc.gitbook.io/oidc-agent/).

Initial goal of the activity is to hold a workshop to gather requirements and showcase and discuss existing solutions.

Activity Details

title
Panel

Technical details


Panel
titleBusiness case

Solving the above problems requires a lot of work, especially when dealing with a great number of researchers, or servers. Manually collecting SSH public keys from authorized users, making sure they belong to the user, and also figuring out when the user is no longer allowed to access the service is (quite) difficult.

See https://smallstep.comblog/use-ssh-certificates/ .

Federated SSO, on the other hand, scores well on the above criteria (User experience, scaling up, security) but is usually limited to the web.


#What is the business case for the Activity? Who would be beneficiaries of the results of the Activity and what would potential business case look like if applicable? - delete this line after using the template#

<Enter here>

Panel
titleRisks

#Are there risks that influence either the implementation of the activity or its outcomes? - delete this line after using the template#

<Enter here>

A potential risk is that there is not enough interest in the community for a federated SSH solution.


Panel
titleData protection & Privacy

#How do data protection and privacy impact the Activity? Think about e.g. handling of personal data of users - delete this line after using the template#

<Enter here>

The activity has no impact 


Panel
titleDefinition of Done (DoD)

#Please describe here the set of criteria that the product must meet in order to be considered finished. - delete this line after using the template#

<Enter here>

As part of this activity, the following actions will be done:

  • Host a series of workshops to investigate the use case and available solutions in the community
  • Document the workshop results and create a whitepaper that describes the problem and lists possible solutions
  • Publish the white-taper and present the lessons learned to the community


Panel
titleSustainability

#How are the results of the Activity intended to be used? If this requires further engagement, can you describe how you intent to sustain it? - delete this line after using the template#

<Enter here>

The information gathered was compiled into a white paper, which was shared with the community as an opportunity for further collaboration. A user group is to be established to deal with this subject long-term.

Activity Results

Panel
titleResults
#Please provide pointers to completed and intermediary results of this activity - delete this line after using the template#

In collaboration with interested parties a White paper on federated SSH solutions was created that was later published at GitHub.

Meetings

Minutes

Date

Activity

Owner

30.06.22

January 1, 2017

Kickoff meeting

Documents

...

1. Workshop ‘SSH in a federated world’Niels van Dijk
13.10.222. Workshop ‘SSH in a federated world’Niels van Dijk
15.12.22Incubator final demoNiels van Dijk