Introduction

A common requirement for research organizations is to provide access via SSH to command line tools hosted on Unix-based systems. Provisioning and deprovisioning the accounts required for access, and leveraging the researcher's existing credentials to authenticate the access, are common challenges in providing this access.

Goals

Leverage COmanage to enroll a researcher to a collaboration, collect the researcher's SSH public key, and create a Unix account for the researcher.

1. Configure an Enrollment Flow to allow a researcher to join a collaboration.
2. Configure an LDAP provisioner to write Unix account information to LDAP.
3. Enroll the researcher.
4. Upload the researcher's SSH keys.
5. Login to the unix server as the researcher.

Architecture and Components

The major components involved in this pilot are

• COmanage Registry, used to manage participant registration in the collaboration
  • SQL database backend, used by COmanage
• UNIX Server, on which the command line tools run and to which the researcher desires access
• Home IdP, used by the researcher to authenticate to the collaboration
• SP Proxy and OpenConext, used to manage connectivity to federated identity and other authentication services
• LDAP Server, provisioned by COmanage and used by the UNIX Server as a source of account information

Configuration

This section assumes that each component is already installed and configured for basic connectivity.

LDAP Server

The following schemas must be enabled on the LDAP server, if not already enabled:

• posixAccount (RFC 2307)

• ldapPublicKey (ie: https://github.com/AndriiGrytsenko/openssh-ldap-publickey/blob/master/misc/openssh-lpk-openldap.schema)

COmanage

First, set up a suitable enrollment flow for onboarding participants. Various configurations are possible, but a typical configuration might be Self Signup With Approval:

• Petitioner Enrollment Authorization: Authenticated User
• Identity Matching: None
• Require Approval For Enrollment: Yes
• Email Confirmation Mode: Review
• Require Enrollee Authentication: Yes
• Notify On Approved Status: Yes
• Enrollment Attributes
  • Name, Official, Organizational Identity, Copy To CO Person, Required
  • Email, Official, Organizational Identity, Required
  • Affiiliation
  • Other attributes as desired

Next, configure identifier assignment. Because the Unix account provisioning support is currently experimental, it is necessary to use identifier assignment to set up some of the attributes used by the posixAccount schema. (It may be necessary to define some of these types as extended types before the identifier assignments can be configured.) Sample identifier assignments:

• uidNumber, minimum: 2000, format: (#)
• gidNumber: Use the same configuration as uidNumber (which means each user will get their own group; this is a requirement of the PoC implementation)
• homeDirectory: format: /home/(g:7)(#)
• uid: format: (g:7)(#)

Finally, configure a provisioning target using the LDAP provisioner. Enable both posixAccount and ldapPublicKey objectclasses, but be sure to read the notes in the documentation for considerations and restrictions.

Unix VM

Configure the VM to read account information from LDAP, according to the installed distribution and local requirements. Here are some pointers:

• https://wiki.debian.org/LDAP/NSS
• https://wiki.ubuntu.com/Enterprise/Authentication/sssd

Only name service information should be collected via LDAP as passwords will not be written to LDAP. (Make sure to have a way to login as root and/or sudo, and test that before logging out.) Authentication will instead be handled by SSH. Depending on the installed version, a helper script may or may not be required:

• https://github.com/AndriiGrytsenko/openssh-ldap-publickey
• https://linux.die.net/man/8/ssh-ldap-helper

Usage

xxx enroll, upload ssh keys, login to VM

Resources

• SSH Key Proof of Concept Screencast

• COmanage documentation