Notice

The examples and use cases described here are intended to show the different ways SURF Research Access Management can be used and connected to applications. These examples and use cases are not always validated by SURF.

Introduction

Some research applications offer a command line interface (CLI), like SSH or iRODS. Techniques such as SAML and OIDC, which are used for federated authentication through a web browser, are ill-suited to a CLI. For SURF Research Access Management, SURF has developed a solution: a pluggable authentication module (PAM) for CLI applications which allows them to use two-factor federated authentication and single sign-on.

Please read the blog introducing PAM web login for more information.

Ready to give it a try?

Refer to the guide on how to connect a PAM web login application.

Installation

Edit /etc/pam.d/sshd as follows (add the auth line above @include common-auth):



# PAM configuration for the Secure Shell service

auth required /usr/local/lib/security/pam_weblogin.so /etc/pam-weblogin.conf
# Standard Un*x authentication.
@include common-auth


Set the following options in /etc/ssh/sshd_config and restart sshd:

PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,keyboard-interactive password,keyboard-interactive
ChallengeResponseAuthentication yes
UsePAM yes
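The two snippets above only enforce the web-login step if they are combined correctly: pam_weblogin must be `required` (not `sufficient`), UsePAM must be on, keyboard-interactive must be enabled so PAM can deliver its prompt, and AuthenticationMethods must list keyboard-interactive in every alternative, otherwise it is just one of several ways in rather than a required second factor. The checker below is an added example, not part of SURF's pam-weblogin project; it parses copies of the two snippets embedded as strings (so it runs offline) and reports any of those problems. The checks follow sshd's own rules of first-occurrence-wins and case-insensitive keys, and accept the newer KbdInteractiveAuthentication spelling as well as ChallengeResponseAuthentication.

```python
"""Sanity-check the PAM and sshd settings prescribed for pam_weblogin.

Added example, not SURF's code. PAM_SSHD and SSHD_CONFIG below are
constructed copies of the documented snippets; pass real file contents
to check_pam()/check_sshd() to audit a live host.
"""
import re

PAM_SSHD = """\
# PAM configuration for the Secure Shell service
auth required /usr/local/lib/security/pam_weblogin.so /etc/pam-weblogin.conf
# Standard Un*x authentication.
@include common-auth
"""

SSHD_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,keyboard-interactive password,keyboard-interactive
ChallengeResponseAuthentication yes
UsePAM yes
"""


def check_pam(text: str) -> list[str]:
    """Return problems found in /etc/pam.d/sshd content (empty list == OK)."""
    problems = []
    weblogin_line = include_line = None
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "auth" and any("pam_weblogin.so" in f for f in fields):
            weblogin_line = n
            # 'required' makes a failed web login fatal; 'sufficient' or
            # 'optional' would let a later module decide instead.
            if fields[1] != "required":
                problems.append(
                    f"line {n}: pam_weblogin control is {fields[1]!r}, expected 'required'")
        elif fields[0] == "@include" and len(fields) > 1 and fields[1] == "common-auth":
            include_line = n
    if weblogin_line is None:
        problems.append("no 'auth ... pam_weblogin.so' line found")
    if include_line is None:
        problems.append("no '@include common-auth' line found")
    if weblogin_line and include_line and weblogin_line > include_line:
        problems.append("pam_weblogin line must come before '@include common-auth'")
    return problems


def check_sshd(text: str) -> list[str]:
    """Return problems found in sshd_config content (empty list == OK)."""
    seen: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        seen.setdefault(key, value)  # sshd uses the first occurrence of a key
    problems = []
    if seen.get("usepam", "no").lower() != "yes":
        problems.append("UsePAM must be yes, otherwise pam_weblogin never runs")
    # OpenSSH 8.7+ renamed ChallengeResponseAuthentication to
    # KbdInteractiveAuthentication; both default to yes when unset.
    kbd = seen.get("kbdinteractiveauthentication",
                   seen.get("challengeresponseauthentication", "yes"))
    if kbd.lower() != "yes":
        problems.append("keyboard-interactive is disabled; PAM prompts cannot be delivered")
    methods = seen.get("authenticationmethods", "")
    if not methods:
        problems.append("AuthenticationMethods unset: any single method would suffice")
    else:
        for alt in methods.split():
            if "keyboard-interactive" not in alt.split(","):
                problems.append(
                    f"AuthenticationMethods alternative {alt!r} lacks keyboard-interactive")
    return problems


def report(pam_text: str = PAM_SSHD, sshd_text: str = SSHD_CONFIG) -> dict[str, list[str]]:
    """Run both checks and return the findings per file."""
    return {"pam.d/sshd": check_pam(pam_text), "sshd_config": check_sshd(sshd_text)}


if __name__ == "__main__":
    for name, found in report().items():
        print(name, "OK" if not found else "\n  ".join([""] + found))
```

To audit a host, read /etc/pam.d/sshd and the output of `sshd -T` (which prints the effective, already-merged configuration) into the two functions.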

SCP and SFTP

scp and sftp both work flawlessly when PAM weblogin is a PAM requirement in the SSH config:

$ scp roadrunner.png weblogin:/home/martin/roadrunner.png
(martin@weblogin) Hello martin. To continue, visit http://localhost:8080/pam-weblogin/login/UkGEcDMe and enter verification code
Verification code: 
Authenticated on attribute uid
roadrunner.png                                                                                            100%  100KB  36.6MB/s   00:00
$ sftp weblogin
(martin@weblogin) Hello martin. To continue, visit http://localhost:8080/pam-weblogin/login/HWSsbKqQ and enter verification code
Verification code: 
Authenticated on attribute uid
Connected to weblogin.
sftp> put roadrunner.png 
Uploading roadrunner.png to /home/martin/roadrunner.png
roadrunner.png                                                                                            100%  100KB  18.3MB/s   00:00

Using SSH session multiplexing:

Edit your SSH client config and add the following Host block:

Host weblogin
  ControlPath ~/.ssh/cm-%r@%h:%p
  ControlMaster auto
  ControlPersist 10m

First login:


$ ssh weblogin
(martin@weblogin) Hello martin. To continue, visit http://localhost:8080/pam-weblogin/login/f3oXpndf and enter verification code
Verification code: 
Authenticated on attribute uid
Linux weblogin 5.10.0-19-amd64 #1 SMP Debian 5.10.149-2 (2022-10-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 23 09:50:59 2023 from 192.168.56.1
martin@weblogin:~$

Check session socket:

$ ls -sla .ssh/cm-*
0 srw------- 1 martin martin 0 May 23 09:51 .ssh/cm-martin@weblogin:22

Then reconnect using the socket:


$ ssh weblogin
Last login: Tue May 23 09:51:21 2023 from 192.168.56.1
martin@weblogin:~$

The same works for scp and sftp:

$ scp roadrunner.png weblogin:/home/martin/roadrunner.png
roadrunner.png                                                                                            100%  100KB  33.8MB/s   00:00
$ sftp weblogin
Connected to weblogin.
sftp>

SmartShell

The user logs in using a dedicated functional account (e.g. sram@server) that has a specific SRAM script (weblogin.py) configured as its login shell. This script eventually runs sudo to switch to the authenticated SRAM user, optionally combined with a group (CO) name so that usage is accounted to the correct budget.

PlantUML diagram

$ ssh sram@weblogin
(sram@weblogin) Hello sram. To continue, visit http://localhost:8080/pam-weblogin/login/BBIThDo6 and enter verification code
Verification code: 
(sram@weblogin) Authenticated on attribute username

What group are you operating for?
  [1] A CO with the beautiful name AAA
  [2] A CO named BBB
  [3] A CO named CCC!
  [4] A CO named DDD?

Select group: 4
Linux weblogin 6.1.0-12-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.52-1 (2023-09-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Oct  6 09:50:23 2023 from 192.168.56.1
adduser: The user `sram_coddd' already exists.
sram_coddd@weblogin:~$

SCP and SFTP using Smart Shell

scp and sftp also work with the PAM weblogin Smart Shell solution.

SSHFS via Smart Shell

$ ls sshfs/

$ sshfs sram@weblogin: sshfs/
(sram@weblogin) Hello sram. To continue, visit http://localhost:8080/pam-weblogin/login/0zrRCrT2 and enter verification code
Verification code: 
(sram@weblogin) Authenticated on attribute username

What group are you operating for?
  [1] A CO with the beautiful name AAA
  [2] A CO named BBB
  [3] A CO named CCC!
  [4] A CO named DDD?

Select group: 4

$ scp roadrunner.png sram@weblogin:
(sram@weblogin) Hello sram. To continue, visit http://localhost:8080/pam-weblogin/login/XAJnMnB7 and enter verification code
Verification code: 
(sram@weblogin) Authenticated on attribute username

What group are you operating for?
  [1] A CO with the beautiful name AAA
  [2] A CO named BBB
  [3] A CO named CCC!
  [4] A CO named DDD?

Select group: 4
roadrunner.png                                                                                                                                                                      100%  100KB  25.2MB/s   00:00    

$ ls sshfs/
roadrunner.png

$