SSH Key Management with COmanage
COmanage is an identity management system designed for virtual organizations (VOs). COmanage Registry can be used to let users upload their public SSH keys so that they can be provisioned to Unix-based systems. No custom clients or servers are required, though the VO operating the Registry is expected to integrate it tightly with its own infrastructure.
There are various possible configurations, but a typical one leverages federated identity to authenticate to the COmanage Registry. A user is enrolled via a self-service or administrator-driven process and ties their federated identity to their enrollment record. Once the process is complete, an account identifier is selected or generated, and the user may authenticate and upload an SSH public key.
SSH keys and account identifiers may then be written to LDAP (or another suitable directory), and the Unix servers configured using standard PAM, NSS, SSSD, and/or sshd settings to read their account and authentication data from LDAP. In this manner, accounts are provisioned and configured on the fly, with no per-host administration when a user joins.
Removal of access can happen in various ways in accordance with local requirements. For example, it may be desirable to leave the Unix account information in LDAP to maintain referential integrity of file ownerships. It therefore typically makes sense to require a specific group membership (also managed by COmanage) for login access: when a user is no longer a member of the VO they are removed from the appropriate group in LDAP, but their Unix UID and other attributes remain in place for audit purposes. For this to be effective, hosts must look keys and group membership up in LDAP at login time rather than copying them into local authorized_keys files, since a cached key would keep working after the group membership is gone.
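The host-side configuration described in the two paragraphs above (SSSD reading accounts and keys from LDAP, sshd asking SSSD for keys, and login gated on a COmanage-managed group) as an added example. This is not code from the COmanage page or project: the LDAP URI, base DN, login group DN, and the `sshPublicKey` attribute name are assumptions for illustration, and the script only writes the two configuration files under a directory you give it so that they can be reviewed before deployment.

```shell
#!/bin/sh
# Added example, not part of COmanage: write the sssd.conf and sshd drop-in
# that let a Unix host read accounts, SSH public keys and login authorization
# from the LDAP tree that COmanage provisions. All LDAP names below are
# assumptions; override them via the environment.
set -eu

LDAP_URI="${LDAP_URI:-ldaps://ldap.example.org}"                                   # assumed
LDAP_BASE="${LDAP_BASE:-dc=example,dc=org}"                                         # assumed
LOGIN_GROUP_DN="${LOGIN_GROUP_DN:-cn=CO:members:active,ou=Groups,dc=example,dc=org}" # assumed
KEY_ATTR="${KEY_ATTR:-sshPublicKey}"                                                # assumed; sssd default

# write_configs ROOT: writes ROOT/etc/sssd/sssd.conf and
# ROOT/etc/ssh/sshd_config.d/50-ldap-keys.conf. Pass "/" for a live host,
# or a staging directory to inspect the result first.
write_configs() {
  root="$1"
  mkdir -p "$root/etc/sssd" "$root/etc/ssh/sshd_config.d"

  cat > "$root/etc/sssd/sssd.conf" <<EOF
[sssd]
services = nss, pam, ssh
domains = co

[domain/co]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = $LDAP_URI
ldap_search_base = $LDAP_BASE
ldap_tls_reqcert = demand
# Attribute on the user entry that carries the uploaded public key(s).
ldap_user_ssh_public_key = $KEY_ATTR
# Login requires current membership of the COmanage-managed group. Removing
# the user from that group denies access, while the posixAccount entry
# (UID, home, shell) stays in LDAP for audit and file ownership. Assumes the
# directory exposes a memberOf attribute on user entries.
ldap_access_order = filter
ldap_access_filter = (memberOf=$LOGIN_GROUP_DN)
EOF
  chmod 0600 "$root/etc/sssd/sssd.conf"

  cat > "$root/etc/ssh/sshd_config.d/50-ldap-keys.conf" <<EOF
# Ask SSSD for the user's keys at each login instead of ~/.ssh/authorized_keys,
# so a key revoked in COmanage stops working as soon as LDAP is updated.
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
# Leave the LDAP-provisioned key as the only credential on these hosts.
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
}

# Usage: sh provision-ldap-login.sh /    (or a staging directory)
if [ "$#" -gt 0 ]; then
  write_configs "${1%/}"
fi
```

The sshd drop-in relies on an `Include /etc/ssh/sshd_config.d/*.conf` line in the main sshd_config (present by default on recent OpenSSH); on older versions append the same lines to sshd_config directly. If you still want local authorized_keys files to be honoured for break-glass accounts, keep `AuthorizedKeysFile` set; otherwise set it to `none` so the directory is the single source of truth.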
1 Comment
Dick Visser
We'd like to have project VMs authenticate off the GÉANT COmanage instance... that is already federated behind our SP proxy. This would yield a very scalable infrastructure.