Relying on OpenID Connect (OIDC) for identity and access management can significantly simplify the process of providing access to users, especially for non-web applications such as Secure Shell (SSH), where managing the SSH keys typically used is often laborious and error-prone.
As a counterpart to the server-side components that enable SSH via OIDC, the client-side tools allow users to directly log into a server with their federated credentials via valid OIDC Access Tokens, without any prior application for an account:
oidc-agent is a set of command-line tools that enable users to obtain and manage OIDC Access Tokens. It follows the design of the ssh-agent and, as such, it can be easily integrated into the user's flow.
mccli is a command-line wrapper for the SSH client that is able to retrieve OIDC tokens and use them to log into the SSH server without further user interaction.
These tools are developed for Linux and macOS. This contribution aims to present the efforts to fill in the gap of missing OIDC client functionality for Windows, with potentially major impact due to the widespread use of Windows in the target user communities (e.g. HPC).
The project consists of two parts. First, the oidc-agent was ported to Windows. This subtask is significant since the oidc-agent is a tool with broad applicability, for any use case that involves programmatic use of OIDC tokens. In the second part of the project, we integrated the oidc-agent with PuTTY, one of the most widely used SSH clients for Windows. Users are able to choose between using SSH with Pageant (PuTTY's SSH key manager), or using SSH with OIDC tokens against an OIDC-capable SSH server.
Topic: Security, Trust & Identity