
A video of the workings is at the bottom of this page.

Authentication flow

  • The user opens an SSH session to the server
  • SSH is configured to require the PAM WebSSO module, which
    initializes the authentication
  • The PAM module opens a connection to the WebSSO auth daemon
  • The PAM module sends a random PIN code to the auth daemon
  • The auth daemon returns a random nonce

  • The SSH login prompt shows the WebSSO URL with the nonce
  • The user visits the WebSSO SP at that URL+nonce, or
  • the user can fall through to the other SSH authentication
    methods by pressing <enter> at this point

  • This screen can be hosted on the CO website, so it can be made to 'look nice'.

  • The WebSSO SP redirects the user to the discovery service

  • After a successful login, the WebSSO SP displays the
    authentication result plus the PIN to the user, and informs
    the auth daemon of the authentication result for the session
  • The auth daemon informs PAM of the result for its request,
    and the connection closes
  • PAM returns the authentication result

  • The user must enter the received PIN at the SSH prompt
  • Depending on the result, SSH allows or denies the login

The PIN is there to prevent the following: <bad actor> opens an SSH session to the machine as <good guy>@<ip-address>. He then sends <good guy> some message containing the LOGIN link, to make <good guy> authenticate at their IdP. After <good guy> successfully authenticates, <bad actor> would be allowed into the machine via SSH. By introducing a PIN, which is shown only to the person who completed the web login and must be typed at the SSH prompt, this scenario is blocked.
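The flow above as an added Python model, not code from the PAM WebSSO module itself: the auth daemon, the PAM side, and the SP callback, showing why the PIN closes the loop that the nonce alone leaves open. The class, function names and the login URL are assumptions.

```python
import hmac
import secrets


class AuthDaemon:
    """Constructed model of the WebSSO auth daemon: pending SSH sessions keyed by nonce."""

    def __init__(self):
        self.sessions = {}  # nonce -> {"pin": str, "result": None | principal}

    def register(self, pin):
        # PAM hands over its random PIN; the daemon answers with a random nonce
        # that ends up in the URL shown at the SSH prompt
        nonce = secrets.token_urlsafe(16)
        self.sessions[nonce] = {"pin": pin, "result": None}
        return nonce

    def sp_login_complete(self, nonce, principal):
        # Called by the WebSSO SP after a successful login. The daemon records
        # who logged in and returns the PIN so the SP can display it to that
        # person (and only to that person, in their browser).
        session = self.sessions[nonce]
        session["result"] = principal
        return session["pin"]

    def poll(self, nonce):
        # PAM collects the result once; unknown nonces yield None
        return self.sessions.pop(nonce, None)


def pam_start(daemon):
    """PAM side: generate a PIN, obtain a nonce, build the URL shown to the SSH client."""
    pin = f"{secrets.randbelow(10**6):06d}"
    nonce = daemon.register(pin)
    url = f"https://websso.example.org/login?nonce={nonce}"  # hypothetical URL
    return pin, nonce, url


def pam_finish(daemon, nonce, requested_user, entered_pin):
    """PAM side: allow only if the web login matches the SSH user AND the typed PIN matches."""
    session = daemon.poll(nonce)
    if session is None or session["result"] != requested_user:
        return False
    # constant-time comparison so a wrong PIN cannot be distinguished by timing
    return hmac.compare_digest(session["pin"], entered_pin)
```

In the <bad actor> scenario the web login succeeds as <good guy>, but the PIN is displayed in <good guy>'s browser, so the SSH session <bad actor> holds cannot supply it.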

A short video demonstrating the login flow:


The code of this module can be found at . We have more videos at .
