To be compatible with most research applications, SURF Research Access Management provides several ways to make it easy to access non-web applications, using SSH or other PAM-compliant systems, e.g., iRODS iCommands.

SSH public key authentication

The straightforward way of connecting is to provision the SSH application directly with usernames and public SSH keys from SRAM. SRAM generates a platform-unique username for each user, and users can upload and manage their public SSH keys in SRAM.

To make it easy for users, SRAM supports the variable {username} in the login URL. The username is passed on to the application if the user's browser and operating system support the ssh:// link format.

The OpenSSH server requires that a user with that username exists on the system before the user logs in. This means the user must first be provisioned in some way before logging in.

If you use the SRAM username, which is unique to the platform, provisioning can be done from SRAM, e.g. via LDAP. It is of course also possible to log in with different, i.e. existing, usernames provisioned by other means. If an existing application and user database are already provisioned from an LDAP server, it is recommended to provision that LDAP server with user information from SRAM and to manage POSIX user IDs and group IDs there: SRAM cannot provide or manage POSIX user IDs and group IDs.

PAM web login

Of course, using public SSH keys has several security issues, and for novice users they can be a hurdle to logging in to your application.

SRAM offers a PAM module that can be used with SSH as well as with iRODS iCommands.

Read more about PAM web login.

Provisioned users

Just as with SSH public key authentication, an OpenSSH server requires the authenticating user to be provisioned on the system before the login starts, so simple just-in-time provisioning is not possible.

SRAM offers both LDAP and SCIM for provisioning. There is another option, though, described in the next section.

Just-in-time provisioning

It is possible to use PAM web login to allow users to log in with a generic username, which will then be changed dynamically to the user's real username on the system. This functionality is, for now, called the PAM web login smart shell.

Instead of dropping the authenticated user into an actual shell, they are dropped into a script. That script can do things like performing look-ups and can drop the user into a shell at the end.

As an example, a script is provided that provisions a user with a username based on the SRAM username and the collaboration the user has to select (if more than one), and performs a sudo to the selected (just-in-time provisioned or existing) user with sudo --set-home --login.
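As an added illustration (not SRAM's published script), a minimal smart shell in POSIX sh that follows the flow just described: pick a collaboration, derive a local username, provision it if needed, and hand over with sudo. Assumed, not from the page: the PAM module exports the SRAM username as SRAM_USERNAME and the user's collaboration short names as a comma-separated SRAM_COLLABORATIONS, the generic account has a sudoers rule permitting the switch, and DRY_RUN=1 prints the privileged steps instead of running them.

```shell
#!/bin/sh
# Added example, not SRAM's own script. Assumed: PAM exports SRAM_USERNAME and a
# comma-separated SRAM_COLLABORATIONS; DRY_RUN=1 prints privileged steps instead.
set -eu

# Derive a local POSIX username from the collaboration and the SRAM username:
# lowercase, only [a-z0-9_-], must start with a letter, at most 32 characters.
local_username() {
  printf '%s_%s' "$2" "$1" |
    tr 'A-Z' 'a-z' |
    sed -e 's/[^a-z0-9_-]/_/g' -e 's/^[^a-z]/u&/' |
    cut -c1-32
}

# Pick a collaboration: automatic with one entry, otherwise a numbered menu on stdin.
# Returns 1 when there is no collaboration or the answer is not a number in range.
pick_collaboration() {
  count=$(printf '%s\n' "$1" | awk -F, '{print NF}')
  [ "$count" -ge 1 ] || return 1
  if [ "$count" -eq 1 ]; then printf '%s\n' "$1"; return 0; fi
  printf '%s\n' "$1" | awk -F, '{for (i = 1; i <= NF; i++) printf "%d) %s\n", i, $i}' >&2
  printf 'Select a collaboration [1-%s]: ' "$count" >&2
  read -r choice || return 1
  case $choice in ''|*[!0-9]*) return 1 ;; esac
  [ "$choice" -ge 1 ] && [ "$choice" -le "$count" ] || return 1
  printf '%s\n' "$1" | awk -F, -v n="$choice" '{print $n}'
}

# Run a privileged step, or only show it under DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Just-in-time provisioning: create the account only if it does not exist yet.
# The mapping must be unique per SRAM user, or an existing account could be reused.
ensure_user() {
  id "$1" >/dev/null 2>&1 || run useradd --create-home --shell /bin/bash "$1"
}

# Entry point used as the generic user's login shell: map, provision, hand over
# (assumes a sudoers rule allowing the generic account to switch to these users).
smart_shell() {
  collab=$(pick_collaboration "$SRAM_COLLABORATIONS") || { echo 'no collaboration selected' >&2; return 1; }
  target=$(local_username "$SRAM_USERNAME" "$collab")
  ensure_user "$target"
  run exec sudo --set-home --login -u "$target"
}

# Only act as a login shell when the PAM module supplied the SRAM identity.
[ -z "${SRAM_USERNAME:-}" ] || smart_shell
```

If the 32-character cut could make two SRAM users derive the same local name, store the mapping in LDAP (where the page suggests managing POSIX IDs) instead of deriving it on the fly.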

iRODS iCommands

It is also possible to use PAM web login in combination with iRODS iCommands.

The iCommands container is provisioned from SRAM with users, home directories and iRODS access for researchers in collaborations. When users connect via iCommands, the pam_interactive authentication scheme triggers an authentication flow via SRAM, either a custom SRAM token flow or standard OIDC authorization code / device code flows.

Please refer to the showcase on Github.
