A video of the workings is at the bottom of this page.
- The user sets up an SSH session to the server
- SSH invokes the PAM WebSSO module, which initializes authentication
- PAM module opens connection to WebSSO auth daemon
- PAM module sends random PIN code to auth daemon
- Auth daemon returns random nonce
- SSH login shows WebSSO URL+nonce
- User visits the WebSSO URL+nonce at the SP, or
- User can fall through to other SSH authentication methods by pressing <enter> at this point
- This screen can be hosted on the CO website, so it can be made to look nice.
- The WebSSO SP will redirect the user to the
- After successful login, the WebSSO SP displays the authentication result plus the PIN and informs the auth daemon of the authentication result of the session
- The auth daemon informs PAM of the request result and the connection closes
- PAM returns the authentication result
- User must enter received PIN in SSH prompt
- Depending on result, SSH allows or denies login
The PIN prevents the following scenario: <bad actor> connects to the machine with <good guy>@<ip-address>. He sends <good guy> some message with the LOGIN link to make <good guy> authenticate at their IdP. After <good guy> successfully authenticates, <bad actor> would be allowed into the machine via SSH. Introducing the PIN blocks this scenario.
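The flow above and the PIN check it relies on, modelled as an added example (not the pam-websso code itself): the auth daemon, the PAM side, a legitimate login where one person holds both the SSH prompt and the browser, and the phishing scenario where they are split. The 6-digit PIN format, the URL and the class/function names are assumptions.

```python
import hmac
import secrets

class AuthDaemon:
    """Constructed model of the WebSSO auth daemon, keyed by the nonce it returns."""
    def __init__(self):
        self.sessions = {}

    def open_session(self, pin):
        # PAM sends its random PIN; the daemon answers with a random nonce
        nonce = secrets.token_urlsafe(16)
        self.sessions[nonce] = {"pin": pin, "result": None}
        return nonce

    def sp_callback(self, nonce, authenticated):
        # The WebSSO SP reports the IdP result; only on success is the PIN
        # handed back for display in the browser that completed the login
        session = self.sessions[nonce]
        session["result"] = authenticated
        return session["pin"] if authenticated else None

def pam_authenticate(daemon, ssh_user, pin=None):
    """Model of the PAM module. `ssh_user(url)` stands for the SSH prompt: it is
    shown the WebSSO URL+nonce and returns whatever is typed at the prompt."""
    pin = pin or f"{secrets.randbelow(10**6):06d}"  # 6-digit PIN is an assumed format
    nonce = daemon.open_session(pin)
    typed = ssh_user(f"https://sso.example.org/login?nonce={nonce}")  # assumed URL
    if typed == "":                      # <enter>: fall through to other SSH methods
        return "fallthrough"
    if daemon.sessions[nonce]["result"] is not True:  # no successful IdP login seen
        return "denied"
    return "allowed" if hmac.compare_digest(typed, pin) else "denied"

def legitimate_login(daemon, pin=None):
    # One person holds both the SSH prompt and the browser: sees the PIN, types it
    def user(url):
        nonce = url.rsplit("nonce=", 1)[1]
        return daemon.sp_callback(nonce, authenticated=True)  # browser shows PIN
    return pam_authenticate(daemon, user, pin)

def phished_login(daemon, pin=None):
    # <bad actor> holds the SSH prompt and sends the link to <good guy>; the victim
    # authenticates, but the PIN appears only in the victim's browser
    def attacker(url):
        nonce = url.rsplit("nonce=", 1)[1]
        daemon.sp_callback(nonce, authenticated=True)  # victim logs in at the IdP
        return "000000"                                # attacker can only guess
    return pam_authenticate(daemon, attacker, pin)
```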
A short video demonstrating the login flow:
The code of this module can be found at https://github.com/mrvanes/pam-websso . We have more videos at https://wiki.surfnet.nl/display/SCZ#ScienceCollaborationZoneHome-Videoanddemoyoucantryyourself .