A video showing the flow in action is at the bottom of this page.

Authentication flow

1
  • The user sets up an SSH session to the server
  • SSH invokes the PAM WebSSO module, which initializes the authentication
  • PAM module opens connection to WebSSO auth daemon
  • PAM module sends random PIN code to auth daemon
  • Auth daemon returns random nonce

2
  • SSH login shows WebSSO URL+nonce
  • User visits the WebSSO SP at URL+nonce, or
  • User falls through to the other SSH authentication methods
    by pressing <enter> at this point

3
  • This screen can be hosted on the CO website, so it can be made to 'look nice'.

4
  • The WebSSO SP will redirect the user to the
    discovery service

5
  • After a successful login, the WebSSO SP displays the
    authentication result plus the PIN and informs the auth daemon
    of the session's authentication result
  • The auth daemon informs PAM of the result,
    then the connection closes
  • PAM returns the authentication result

6
  • User must enter the PIN received in the browser at the SSH prompt
  • Depending on result, SSH allows or denies login

The PIN prevents the following attack: <bad actor> connects to the machine via SSH as <good guy>@<ip-address> and sends <good guy> a message containing the LOGIN link, tricking <good guy> into authenticating at their IdP. Once <good guy> has authenticated successfully, <bad actor> would be let into the machine via SSH. With the PIN this scenario is blocked: the PIN is only shown in <good guy>'s browser, so <bad actor> cannot enter it at the SSH prompt.
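The six steps above and the PIN binding, as an added simulation that is not the pam-websso code: the daemon, SP and PAM side are modelled as plain functions, and the `scenario()` helper (an assumption of this example) lets the person at the browser and the person at the SSH prompt differ, which is exactly the case the PIN is there to block.

```python
import hmac
import secrets
# Constructed simulation of the PAM WebSSO flow described above; it is not the
# pam-websso code. Parties: PAM module (SSH side), auth daemon, WebSSO SP.

class AuthDaemon:
    """Keeps one pending SSH login per nonce: the SSH user, its PIN and the outcome."""
    def __init__(self):
        self.pending = {}

    def start(self, ssh_user, pin):
        # Step 1: PAM sends a random PIN, the daemon answers with a random nonce.
        nonce = secrets.token_urlsafe(16)
        self.pending[nonce] = {"user": ssh_user, "pin": pin, "result": None}
        return nonce

    def report(self, nonce, idp_user):
        # Step 5: the SP reports who logged in at the IdP for this nonce.
        s = self.pending[nonce]
        s["result"] = idp_user == s["user"]
        return s["pin"] if s["result"] else None  # PIN is revealed only in the browser

    def finish(self, nonce):
        # Step 5: PAM fetches the result and the connection is closed.
        return self.pending.pop(nonce)["result"]

def websso_sp(daemon, nonce, idp_user):
    """Steps 3-5, in the browser of whoever follows URL+nonce: after the IdP login
    the SP informs the daemon and displays the result plus the PIN."""
    return daemon.report(nonce, idp_user)

def pam_authenticate(daemon, ssh_user, follow_link, read_pin):
    """PAM side. Succeeds only if the web login matched the SSH user AND the
    PIN typed at the SSH prompt equals the PIN shown in the browser."""
    pin = f"{secrets.randbelow(10000):04d}"
    nonce = daemon.start(ssh_user, pin)
    follow_link(nonce)                      # step 2: URL+nonce shown; someone opens it
    if not daemon.finish(nonce):
        return False
    return hmac.compare_digest(read_pin(), pin)   # step 6

def scenario(ssh_user, idp_user, ssh_user_sees_browser):
    """Whoever sits at the browser learns the PIN; only if the same person sits
    at the SSH prompt can it be typed in. Returns True if SSH login is allowed."""
    daemon, shown = AuthDaemon(), {}
    def follow_link(nonce):
        shown["pin"] = websso_sp(daemon, nonce, idp_user)
    def read_pin():
        return shown["pin"] if ssh_user_sees_browser else "guess"  # bad actor has to guess
    return pam_authenticate(daemon, ssh_user, follow_link, read_pin)
```

Without the step 6 check, the second scenario (someone else completes the web login) would be let in; with it, the SSH session is only accepted when the person at the prompt also saw the browser result.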


A short video demonstrating the login flow:

pam-websso-pin3.mp4

The code of this module can be found at https://github.com/mrvanes/pam-websso. We have more videos at https://wiki.surfnet.nl/display/SCZ#ScienceCollaborationZoneHome-Videoanddemoyoucantryyourself.