Description
Traditional SSH key-based authentication presents significant scalability
and security challenges in modern federated research environments,
particularly regarding key distribution, lifecycle management, and access
revocation. This paper presents ssh-oidc, a novel approach that integrates
OpenID Connect (OIDC) authentication with SSH certificate-based access
control for scientific computing infrastructures. The system replaces
permanent SSH keys with time-limited certificates issued by an online
Certificate Authority (CA) that validates OIDC tokens from federated
identity providers.
Our implementation leverages three key components: motley-cue for identity
mapping and user provisioning, oinit as an online CA for automated
certificate issuance, and oidc-agent (or similar) for token management. The
system enables fine-grained authorisation through OIDC claims including
institutional affiliation, project entitlements, and identity assurance
levels, allowing differentiated access policies for various user
categories and security requirements.
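To illustrate the claim-based authorisation step described above, here is an added example (not code from ssh-oidc, motley-cue or oinit) of a policy check that decides whether an OIDC token's claims justify a short-lived SSH certificate and what the CA would sign. The policy values, the sample token and the `authorise` function are constructed for this illustration; the claim names follow the eduPerson OIDC mapping and are assumed here.

```python
import time

# Constructed policy for one login principal; placeholder values, not
# motley-cue or oinit configuration syntax.
POLICY = {
    "principal": "hpc-project",                        # local account the CA maps to
    "required_entitlement": "urn:example:group:hpc-project",
    "allowed_affiliations": {"faculty", "staff"},
    "min_assurance": "medium",
    "max_lifetime": 8 * 3600,                          # cap on certificate validity (s)
}
ASSURANCE_RANK = {"low": 1, "medium": 2, "high": 3}    # constructed ordering of levels

# Constructed token claims, as an identity provider might issue them after
# the user authenticated; the key is never part of the token.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.org", "sub": "alice", "exp": 1_700_030_000,
    "eduperson_entitlement": ["urn:example:group:hpc-project"],
    "eduperson_scoped_affiliation": ["staff@example.org"],
    "eduperson_assurance": ["medium"],
}


def authorise(claims, now=None):
    """Return (True, certificate parameters) or (False, denial reason)."""
    now = int(time.time()) if now is None else now
    exp = claims.get("exp", 0)
    if exp <= now:
        return False, "token expired"
    if POLICY["required_entitlement"] not in claims.get("eduperson_entitlement", []):
        return False, "missing project entitlement"
    affiliations = {a.split("@")[0] for a in claims.get("eduperson_scoped_affiliation", [])}
    if not affiliations & POLICY["allowed_affiliations"]:
        return False, "affiliation not permitted"
    level = max((ASSURANCE_RANK.get(a, 0) for a in claims.get("eduperson_assurance", [])),
                default=0)
    if level < ASSURANCE_RANK[POLICY["min_assurance"]]:
        return False, "identity assurance too low"
    # The certificate never outlives the token that justified it and never
    # exceeds the policy cap, so revocation reduces to letting it expire.
    return True, {
        "key_id": f"{claims['iss']}|{claims['sub']}",  # ties the cert to the federated identity
        "principals": [POLICY["principal"]],
        "valid_after": now,
        "valid_before": min(now + POLICY["max_lifetime"], exp),
    }


if __name__ == "__main__":
    print(authorise(SAMPLE_CLAIMS, now=1_700_000_000))
```

The returned parameters correspond to the key id, principals and validity interval a CA would place in the SSH certificate; signing the user's public key with them is the CA's job and is not shown here.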
Evaluation in research environments demonstrates significant
administrative overhead reduction while maintaining security through
centralised access control and automatic credential lifecycle management.
The approach integrates seamlessly with existing federated identity
infrastructures including eduGAIN and institutional identity providers,
enabling cross-institutional collaboration without compromising security
or requiring extensive infrastructure modifications. This solution
addresses critical authentication challenges in contemporary distributed
research computing environments.