
Terminal access is considered by the hosting side to be an advanced access method and therefore requires two-factor authentication. The user authenticates on their own device with both factors and, after successful authentication, returns to the terminal where they have logged on to the access node. What happens behind the scenes is that, by authenticating on their device, the user authorizes their terminal process to retrieve an access token bound to the user's identity. The SSH login process receives this access token and invokes the OAuth2-protected API of the SSH Certification Authority (CA). The CA API verifies the user's identity with OAuth2 token introspection and, if the user has the appropriate rights, issues a short-lived SSH certificate that is returned in the API response. The SSH login flow then uses this certificate to authenticate to the SSH service running on the remote access node. The SSH service on the access node recognizes that the client presented a certificate signed by a trusted CA, verifies the certificate's validity, and maps the user to the appropriate local POSIX account using the MyAccessID identifier carried in the certificate.

SSH Certificate

In general, it is a public SSH key signed by a trusted Certification Authority. This authority also provides verified metadata, which can be used to identify and authorize the user in the environment. The certificate also carries validity information, so the whole key expires after some time and a new one has to be obtained. The validity can be set very short, which yields short-lived SSH certificates that behave much like a login session. The biggest advantage of this approach is that SSH certificates are supported by standard SSH software in the infrastructure environment. Compared with a standard SSH key (a), an SSH certificate looks similar to (b).


a) [image: a standard SSH public key]

b) [image: an SSH certificate issued for the same key]



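The access-node side of the flow described above (a certificate signed by a trusted CA, checked for its validity window, with a certificate principal mapped to a local account), as an added example that is not part of this page or of the Federated SSH CA service: a standard-library-only Python encoder and parser for the OpenSSH ed25519 user certificate format, followed by the acceptance checks that sshd performs through `TrustedUserCAKeys` and `AuthorizedPrincipalsFile`. All keys, the `user-id@myaccessid.example` principal, the `alice` account and the timestamps are constructed placeholders; the signature is only checked structurally because ed25519 is not in the standard library.

```python
"""Parse and validate an OpenSSH ed25519 user certificate the way an access node's
sshd does. Added example using only the Python standard library; every key, name and
timestamp below is a constructed placeholder, not a value from the page. The wire
format follows OpenSSH's PROTOCOL.certkeys."""
import struct
import time

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1  # type 2 would be a host certificate

# Constructed sample material (placeholders, not real keys or identifiers)
CA_PUB = bytes(range(32))                   # raw 32-byte ed25519 CA public key
USER_PUB = bytes(range(32, 64))             # raw 32-byte ed25519 user public key
FAKE_SIG = b"\x22" * 64                     # 64-byte ed25519 signature placeholder
PRINCIPAL = b"user-id@myaccessid.example"   # hypothetical MyAccessID identifier
# Equivalent of an AuthorizedPrincipalsFile: certificate principal -> local POSIX account
PRINCIPALS_FILE = {"user-id@myaccessid.example": "alice"}


def put_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


class Reader:
    """Sequential decoder for SSH wire-format fields."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
    def string(self) -> bytes:
        (n,) = struct.unpack_from(">I", self.data, self.pos)
        s = self.data[self.pos + 4:self.pos + 4 + n]
        if len(s) != n:
            raise ValueError("truncated certificate")
        self.pos += 4 + n
        return s
    def u32(self) -> int:
        (n,) = struct.unpack_from(">I", self.data, self.pos); self.pos += 4; return n
    def u64(self) -> int:
        (n,) = struct.unpack_from(">Q", self.data, self.pos); self.pos += 8; return n
    def done(self) -> bool:
        return self.pos == len(self.data)


def key_blob(raw_pub: bytes) -> bytes:
    """Public-key blob as listed in authorized_keys or a TrustedUserCAKeys file."""
    return put_string(b"ssh-ed25519") + put_string(raw_pub)


def build_cert(user_pub, serial, key_id, principals, valid_after, valid_before, ca_pub, sig):
    """Encode the fields a CA fills in when it signs a user key (what ssh-keygen -s does)."""
    body = put_string(CERT_TYPE) + put_string(b"\x11" * 32)          # type, nonce
    body += put_string(user_pub) + struct.pack(">QI", serial, SSH_CERT_TYPE_USER)
    body += put_string(key_id)
    body += put_string(b"".join(put_string(p) for p in principals))  # valid principals
    body += struct.pack(">QQ", valid_after, valid_before)            # validity window
    body += put_string(b"")                                          # critical options: none
    body += put_string(put_string(b"permit-pty") + put_string(b""))  # extensions
    body += put_string(b"")                                          # reserved
    body += put_string(key_blob(ca_pub))                             # signature key (the CA)
    body += put_string(put_string(b"ssh-ed25519") + put_string(sig))
    return body


def parse_cert(blob: bytes) -> dict:
    r = Reader(blob)
    if r.string() != CERT_TYPE:
        raise ValueError("not an ssh-ed25519 certificate")
    r.string()  # nonce: only there to make the signed data unique
    cert = {"user_pub": r.string(), "serial": r.u64(), "type": r.u32(), "key_id": r.string()}
    pr, cert["principals"] = Reader(r.string()), []
    while not pr.done():
        cert["principals"].append(pr.string())
    cert["valid_after"], cert["valid_before"] = r.u64(), r.u64()
    cert["critical"], cert["extensions"], cert["reserved"] = r.string(), r.string(), r.string()
    cert["signature_key"], cert["signature"] = r.string(), r.string()
    if not r.done():
        raise ValueError("trailing data after signature")
    return cert


def map_principal(blob, trusted_ca_blobs, principals_file, now=None):
    """Mirror sshd's checks: TrustedUserCAKeys, validity window, AuthorizedPrincipalsFile.
    Returns the local POSIX account. The ed25519 signature is only checked structurally
    here; real sshd verifies it against the CA key, which needs an ed25519 implementation."""
    cert = parse_cert(blob)
    now = int(time.time()) if now is None else now
    if cert["type"] != SSH_CERT_TYPE_USER:
        raise PermissionError("not a user certificate")
    if cert["signature_key"] not in trusted_ca_blobs:
        raise PermissionError("certificate was not signed by a trusted CA")
    sig = Reader(cert["signature"])
    if sig.string() != b"ssh-ed25519" or len(sig.string()) != 64:
        raise PermissionError("malformed signature")
    # OpenSSH rule: not yet valid if valid_after > now, expired if valid_before <= now
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        raise PermissionError("certificate expired or not yet valid")
    for p in cert["principals"]:
        if p.decode() in principals_file:
            return principals_file[p.decode()]
    raise PermissionError("no certificate principal maps to a local account")


def sample_cert(valid_after: int, valid_before: int) -> bytes:
    """A constructed short-lived certificate for the placeholder user."""
    return build_cert(USER_PUB, 7, b"issued-by-federated-ca", [PRINCIPAL],
                      valid_after, valid_before, CA_PUB, FAKE_SIG)


if __name__ == "__main__":
    now = int(time.time())
    cert = sample_cert(now - 60, now + 600)  # ten-minute validity, like a login session
    print("maps to local account:", map_principal(cert, [key_blob(CA_PUB)], PRINCIPALS_FILE))
```

The same fields (serial, key ID, principals, validity window, extensions, signing CA) are what `ssh-keygen -L -f user-cert.pub` prints for a real certificate, and a CA issues one with `ssh-keygen -s ca_key -I key_id -n principal -V +10m user.pub`. On the access node, `TrustedUserCAKeys` and `AuthorizedPrincipalsFile` in `sshd_config` play the roles of `trusted_ca_blobs` and `PRINCIPALS_FILE` here: the certificate's principal is the identity the CA vouches for, and the mapping to a POSIX account stays under the node operator's control.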

Who can use it?

The Federated SSH CA capability is provided for all users and infrastructures connected to MyAccessID.
