Enabling Secure Shell Access with OpenID Connect

Secure Shell (SSH) is the de facto standard protocol for accessing remote servers on the command line across a number of use cases, including remote system administration, high-performance computing access, git operations, or system backups via rsync. However, it only supports a limited number of authentication mechanisms, with SSH keys being the most widely used. As federated infrastructures become more prevalent, there is a growing demand for SSH to operate seamlessly and securely in such environments. The use of SSH keys in federated setups poses a number of challenges, since the keys are trusted permanently and can be shared across devices and teams. Mitigations, such as key approval and distribution, make operation at scale complex and error prone. This motivated us to develop a set of tools, collectively referred to as ssh-oidc, for facilitating federated identities with SSH by making use of OpenID Connect (OIDC), one of the established protocols used in federated identity management. We support two different approaches: one based on PAM authentication, which works by passing an OIDC access token to the SSH server for authentication, and the other one utilising SSH certificates, which are issued by our online certificate authority in exchange for an access token. ... mehrBoth approaches rely on a central component, motley_cue, to handle the mapping of federated identities to Unix accounts on the ssh-server, authorisation, and just-in-time account provisioning. This tool integrates well with user management systems and policies. We also provide client-side tools that automate the process of obtaining and storing the necessary credentials, and ensure a single sign-on experience for the user.