Introduction

Some research applications offer a command line interface (CLI), like SSH or iRODS. Protocols such as SAML and OIDC, which handle federated authentication through a web browser, are ill-suited to a CLI. For SURF Research Access Management (SRAM), SURF has developed a solution: a pluggable authentication module (PAM) for CLI applications that gives them two-factor federated authentication and single sign-on. The module prints a login URL and asks for a verification code on the terminal; the user completes the federated login in a browser and types the code back into the CLI session.

Please read the blog introducing PAM web login for more information.

Ready to give it a try?

Refer to the guide on how to connect a PAM web login application.

Installation

Edit /etc/pam.d/sshd and add the pam_weblogin line above @include common-auth, so the web login runs before the standard Unix authentication. The module's single argument is the path to its configuration file (/etc/pam-weblogin.conf). With the required control flag, a failed web login still lets the remaining modules in the stack run before PAM reports the failure to sshd; use requisite instead if the stack should stop at the first failure.


# PAM configuration for the Secure Shell service

auth required /usr/local/lib/security/pam_weblogin.so /etc/pam-weblogin.conf
# Standard Un*x authentication.
@include common-auth


Set the following in /etc/ssh/sshd_config, validate the file with sshd -t, and restart sshd. The AuthenticationMethods line lists two alternative chains separated by a space: a client must complete either publickey followed by keyboard-interactive, or password followed by keyboard-interactive. keyboard-interactive is the method that runs the PAM stack, so pam_weblogin is always the second factor, and PasswordAuthentication has to stay enabled for the second chain to be usable. On OpenSSH 8.7 and later, ChallengeResponseAuthentication is a deprecated alias for KbdInteractiveAuthentication and still works.

PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,keyboard-interactive password,keyboard-interactive
ChallengeResponseAuthentication yes
UsePAM yes
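
The two steps above can be applied and checked mechanically. The following POSIX shell helpers are an added example, not part of pam-weblogin or SURF's documentation: add_weblogin_line inserts the PAM line above @include common-auth only if it is not already there and refuses to write when the anchor line is missing, and check_sshd_config reports which of the five sshd directives are absent. The temporary files in the demonstration are constructed here; run the helpers against copies before touching the live files in /etc.

```shell
#!/bin/sh
# Added example (not pam-weblogin's own code): helpers to apply the two
# configuration steps above to a copy of the files and to check the result.
# Paths and the demonstration input below are constructed for this example.

PAM_LINE='auth required /usr/local/lib/security/pam_weblogin.so /etc/pam-weblogin.conf'

# add_weblogin_line FILE
# Insert PAM_LINE directly above the first "@include common-auth" in FILE.
# Idempotent: a file that already loads pam_weblogin.so is left alone.
# Returns 1 if the include anchor is missing, so nothing is written blindly.
add_weblogin_line() {
    f="$1"
    grep -qF 'pam_weblogin.so' "$f" && return 0
    grep -q '^@include common-auth' "$f" || return 1
    awk -v line="$PAM_LINE" '
        !done && /^@include common-auth/ { print line; done = 1 }
        { print }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# check_sshd_config FILE
# Verify that every directive from the sshd_config fragment above is present
# as an exact line. Lists what is missing on stderr; returns 1 if anything is.
check_sshd_config() {
    f="$1"
    rc=0
    while IFS= read -r kv; do
        grep -qxF "$kv" "$f" || { echo "missing: $kv" >&2; rc=1; }
    done <<EOF
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,keyboard-interactive password,keyboard-interactive
ChallengeResponseAuthentication yes
UsePAM yes
EOF
    return $rc
}

# Demonstration on a constructed temporary copy, never on /etc directly.
pam=$(mktemp)
printf '# PAM configuration for the Secure Shell service\n@include common-auth\n' > "$pam"
add_weblogin_line "$pam"
cat "$pam"
rm -f "$pam"
```

check_sshd_config matches whole lines, so a directive that is present but commented out, or one that sets a different value, counts as missing; it does not parse Match blocks, so keep the directives in the global section as shown above.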

SCP and SFTP

scp and sftp both work without further changes when pam_weblogin is required in the SSH PAM stack; the web login prompt appears on the terminal before the transfer starts:

$ scp roadrunner.png weblogin:/home/martin/roadrunner.png
(martin@weblogin) Hello martin. To continue, visit http://localhost:8080/pam-weblogin/login/UkGEcDMe and enter verification code
Verification code: 
Authenticated on attribute uid
roadrunner.png                                                                                            100%  100KB  36.6MB/s   00:00
$ sftp weblogin
(martin@weblogin) Hello martin. To continue, visit http://localhost:8080/pam-weblogin/login/HWSsbKqQ and enter verification code
Verification code: 
Authenticated on attribute uid
Connected to weblogin.
sftp> put roadrunner.png 
Uploading roadrunner.png to /home/martin/roadrunner.png
roadrunner.png                                                                                            100%  100KB  18.3MB/s   00:00

Using SSH session multiplexing:

With ControlMaster, only the first connection performs the web login; later ssh, scp and sftp invocations within the ControlPersist window reuse the authenticated master connection through the control socket and need no browser round trip. The socket is created with mode 0600 and owned by the user, so local access to it is equivalent to holding the authenticated session: keep ControlPersist short on shared machines and run ssh -O exit weblogin to close the master when you are done. Edit ~/.ssh/config and add the following Host block:

Host weblogin
  ControlPath ~/.ssh/cm-%r@%h:%p
  ControlMaster auto
  ControlPersist 10m

First login:


$ ssh weblogin
(martin@weblogin) Hello martin. To continue, visit http://localhost:8080/pam-weblogin/login/f3oXpndf and enter verification code
Verification code: 
Authenticated on attribute uid
Linux weblogin 5.10.0-19-amd64 #1 SMP Debian 5.10.149-2 (2022-10-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue May 23 09:50:59 2023 from 192.168.56.1
martin@weblogin:~$

Check that the control socket exists (it is a Unix socket, owner-only):

$ ls -sla .ssh/cm-*
0 srw------- 1 martin martin 0 May 23 09:51 .ssh/cm-martin@weblogin:22

Reconnecting now goes through the socket; no web login is required:


$ ssh weblogin
Last login: Tue May 23 09:51:21 2023 from 192.168.56.1
martin@weblogin:~$

The same works for scp and sftp:

$ scp roadrunner.png weblogin:/home/martin/roadrunner.png
roadrunner.png                                                                                            100%  100KB  33.8MB/s   00:00
$ sftp weblogin
Connected to weblogin.
sftp>

SmartShell

With the Smart Shell, every user logs in to a dedicated functional account (for example sram@server) whose login shell is the SRAM script weblogin.py. The web login identifies the actual person; the script then asks which collaborative organisation (CO) the session is for and uses sudo to switch to the authenticated SRAM user, optionally combined with the CO name, so that usage can be accounted to the right group. The adduser message in the transcript below shows the script trying to create the target account (here sram_coddd) on each login; in this case it already existed. The sudoers rule that permits the switch is not shown on this page; it should allow only the functional account's login script to become those derived accounts.

PlantUML diagram

$ ssh sram@weblogin
(sram@weblogin) Hello sram. To continue, visit http://localhost:8080/pam-weblogin/login/BBIThDo6 and enter verification code
Verification code: 
(sram@weblogin) Authenticated on attribute username

What group are you operating for?
  [1] A CO with the beautiful name AAA
  [2] A CO named BBB
  [3] A CO named CCC!
  [4] A CO named DDD?

Select group: 4
Linux weblogin 6.1.0-12-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.52-1 (2023-09-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Oct  6 09:50:23 2023 from 192.168.56.1
adduser: The user `sram_coddd' already exists.
sram_coddd@weblogin:~$
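
The group-selection step of such a Smart Shell, written as an added example in POSIX shell; this is not SRAM's weblogin.py. It assumes, beyond what the page states, that each CO has a short name alongside its display name, that the local account is named <functional account>_co<short name> (which matches sram_coddd in the transcript), and it uses a CO list constructed here. The point to take from it is that the CO name is sanitised before it becomes a username that is handed to sudo, and that an out-of-range or non-numeric menu choice fails instead of selecting something.

```shell
#!/bin/sh
# Added example, not the SRAM weblogin.py script: the group-selection step of a
# Smart Shell. Assumptions made here (not stated on the page): each CO has a short
# name next to its display name, the local account is named
# <functional account>_co<short name> (matching sram_coddd in the transcript),
# and the CO list below is constructed for this example.

# CO list, one "short|display" entry per line, in menu order.
CO_LIST='aaa|A CO with the beautiful name AAA
bbb|A CO named BBB
ccc|A CO named CCC!
ddd|A CO named DDD?'

# account_for_co FUNC CO
# Derive the local account name. Lowercase and drop everything outside
# [a-z0-9] so a CO name like "DDD?" cannot carry shell metacharacters or
# path separators into a username that is later passed to sudo.
account_for_co() {
    clean=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -cd 'a-z0-9')
    [ -n "$clean" ] || return 1
    printf '%s_co%s\n' "$1" "$clean"
}

# print_menu : the numbered prompt shown in the transcript.
print_menu() {
    printf 'What group are you operating for?\n'
    i=0
    printf '%s\n' "$CO_LIST" | while IFS='|' read -r _short display; do
        i=$((i + 1))
        printf '  [%d] %s\n' "$i" "$display"
    done
}

# co_short_by_index N
# Short name of the Nth menu entry. Fails for anything that is not a
# positive integer or that points past the end of the list.
co_short_by_index() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] || return 1
    printf '%s\n' "$CO_LIST" | sed -n "${1}p" | cut -d'|' -f1 | grep .
}

# select_group FUNC
# Show the menu, read one choice from stdin and print the account to become.
# Prompts go to stderr so stdout carries only the result.
select_group() {
    print_menu >&2
    printf 'Select group: ' >&2
    read -r choice
    short=$(co_short_by_index "$choice") || { echo 'Invalid selection' >&2; return 1; }
    account_for_co "$1" "$short"
}

# become_account ACCOUNT : the final hop, an interactive login shell as the
# derived account via sudo. Requires a matching sudoers rule on the host.
become_account() {
    exec sudo -u "$1" -i
}

# Only switch accounts when started with --run as the login shell; loading the
# file for its functions (as a test does) must never reach sudo.
if [ "${1-}" = "--run" ]; then
    acct=$(select_group "$(id -un)") && become_account "$acct"
fi
```

Run with --run as the functional account's login shell. Note that only the menu number is read from the user; the CO short name that ends up in the account name comes from the server-side list, never from the typed input.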

SCP and SFTP using Smart Shell

scp and sftp also work through the PAM weblogin Smart Shell. Every new SSH connection goes through the web login and the group selection again, as the sshfs and scp transcript below shows.

SSHFS via Smart Shell

sshfs mounts the remote home directory over sftp. The connection sshfs opens and the separate scp afterwards are each authenticated and assigned to a group on their own:

$ ls sshfs/

$ sshfs sram@weblogin: sshfs/
(sram@weblogin) Hello sram. To continue, visit http://localhost:8080/pam-weblogin/login/0zrRCrT2 and enter verification code
Verification code: 
(sram@weblogin) Authenticated on attribute username

What group are you operating for?
  [1] A CO with the beautiful name AAA
  [2] A CO named BBB
  [3] A CO named CCC!
  [4] A CO named DDD?

Select group: 4

$ scp roadrunner.png sram@weblogin:
(sram@weblogin) Hello sram. To continue, visit http://localhost:8080/pam-weblogin/login/XAJnMnB7 and enter verification code
Verification code: 
(sram@weblogin) Authenticated on attribute username

What group are you operating for?
  [1] A CO with the beautiful name AAA
  [2] A CO named BBB
  [3] A CO named CCC!
  [4] A CO named DDD?

Select group: 4
roadrunner.png                                                                                                                                                                      100%  100KB  25.2MB/s   00:00    

$ ls sshfs/
roadrunner.png

$