PerlMonks
How to have SSH authenticate using SAML?

by cmv (Chaplain)
on Jul 30, 2009 at 18:38 UTC

cmv has asked for the wisdom of the Perl Monks concerning the following question:

Wise Monks:

I have a product, written in Perl, that uses ssh to do its business. I have a potential customer who has written a SAML based authentication system. The would-be customer wants me to have my product use their authentication system instead of ssh.

I'm looking for a solution that would require the least amount of work on both our parts. I am hoping to find a way to configure ssh to "just use" SAML for authentication instead-of-or-in-addition-to its other authentication mechanisms.

My first thought is that SAML is similar to Kerberos, and ssh supports Kerberos authentication via the GSSAPIAuthentication option (among others). Now I don't know much about this stuff, but I was wondering if I could have ssh use GSSAPIAuthentication to authenticate with SAML instead of Kerberos?

My research has come up with some interesting results:
Using SAML for Platform Security
SAML-AAI/Kerberos Integration
2005 Discussion on SAML using GSS-API

I ended up sending an email to Nicolas Williams about this, since he seems to be active in a lot of these discussions.

Can anybody here help me with this? Am I going down a dead-end here? Should I be trying to solve the problem in a different way?

Any thoughts, pointers, or discussion is appreciated.

Thanks

-Craig

Update:
A co-worker suggested looking into a PAM module to do this (ssh & pam work great together). I couldn't find a PAM module for SAML, but did find a java-to-pam bridge which might let me write the SAML authentication in java, and connect it up to ssh via pam.

Then I thought it would be nice to write in Perl instead of Java. Wouldn't you know it, Authen::PAM!

Update 2:
Since perl also has Net::SAML, shouldn't it be easy to write a perl module to do this?
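The following is an added example, not code from the thread above or from any of the modules it names. It shows one concrete shape the "connect it up to ssh via PAM" idea can take: sshd is left in keyboard-interactive mode with UsePAM on, the PAM stack for sshd runs the stock Linux-PAM pam_exec module with expose_authtok, and the Perl script pam_exec launches receives the SAML assertion (base64, one line) as the "password" on STDIN and the login name in PAM_USER. The script uses XML::LibXML and XML::Sig in place of Net::SAML; the XML::Sig constructor/verify calls, the pam_exec log behaviour, and every path, issuer, audience and username are assumptions for the example, as are the sshd_config and pam.d lines in the header comment.

```perl
#!/usr/bin/perl
# saml_auth.pl -- added example for the PerlMonks question above (not from
# the thread, not the API of Net::SAML or Authen::PAM).  A pam_exec helper
# that lets sshd accept a base64-encoded, signed SAML 2.0 assertion as the
# keyboard-interactive "password".  Assumed wiring (hypothetical paths):
#
#   /etc/ssh/sshd_config
#     UsePAM yes
#     ChallengeResponseAuthentication yes   # KbdInteractiveAuthentication on newer OpenSSH
#     PasswordAuthentication no
#   /etc/pam.d/sshd
#     auth    required  pam_exec.so expose_authtok /usr/local/sbin/saml_auth.pl
#     account required  pam_unix.so
#
# pam_exec exports PAM_USER (and PAM_RHOST, PAM_SERVICE, ...) in the
# environment and, with expose_authtok, writes the typed secret to STDIN.
# Exit status 0 means success; anything else fails the auth step.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use MIME::Base64 qw(decode_base64);
use Time::Local qw(timegm);
use XML::LibXML;
use XML::Sig;   # CPAN XML-DSig; assumed API: XML::Sig->new({cert => $pem})->verify($xml)

# Values the IdP and this host agreed on (assumptions for the example).
my $EXPECTED_ISSUER   = 'https://idp.example.com/saml';
my $EXPECTED_AUDIENCE = 'ssh://bastion.example.com';
my $IDP_CERT          = '/etc/ssh/saml-idp.pem';     # PEM cert of the IdP signing key
my $SEEN_DIR          = '/var/lib/saml_auth/seen';   # root-only dir, assumed to exist
my $CLOCK_SKEW        = 60;                          # seconds of tolerated skew

my $user = $ENV{PAM_USER} // fail('no PAM_USER in environment');
$user =~ /^[a-z_][a-z0-9_-]*$/ or fail("refusing odd username '$user'");

# The assertion arrives as the authtok: base64 on a single line.
my $token = <STDIN> // fail('no authtok on stdin');
chomp $token;
my $xml = decode_base64($token) or fail('authtok is not base64');

# 1. Verify the XML signature before trusting any field in the document.
XML::Sig->new({ cert => $IDP_CERT })->verify($xml) or fail('bad XML signature');

# 2. Parse with external entities and network access disabled (XXE hardening).
my $doc = eval { XML::LibXML->load_xml(string => $xml, no_network => 1,
                                       load_ext_dtd => 0, expand_entities => 0) }
    or fail('assertion is not well-formed XML');
my $xpc = XML::LibXML::XPathContext->new($doc);
$xpc->registerNs(saml => 'urn:oasis:names:tc:SAML:2.0:assertion');

my $id       = $xpc->findvalue('/saml:Assertion/@ID');
my $issuer   = $xpc->findvalue('/saml:Assertion/saml:Issuer');
my $nameid   = $xpc->findvalue('/saml:Assertion/saml:Subject/saml:NameID');
my $audience = $xpc->findvalue('/saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience');
my $nb       = $xpc->findvalue('/saml:Assertion/saml:Conditions/@NotBefore');
my $noa      = $xpc->findvalue('/saml:Assertion/saml:Conditions/@NotOnOrAfter');

# 3. Bind the assertion to this host, this user and the current time window.
$id                             or fail('assertion has no ID');
$issuer   eq $EXPECTED_ISSUER   or fail("issuer '$issuer' is not trusted");
$audience eq $EXPECTED_AUDIENCE or fail("assertion was issued for '$audience', not us");
$nameid   eq $user              or fail("subject '$nameid' does not match PAM_USER '$user'");
my $now = time;
$now + $CLOCK_SKEW >= parse_ts($nb)  or fail('assertion not yet valid');
$now - $CLOCK_SKEW <  parse_ts($noa) or fail('assertion expired');

# 4. One-time use: O_EXCL makes the "first to record this ID wins" check atomic,
#    so a captured assertion cannot be replayed while it is still inside its window.
my $marker = "$SEEN_DIR/" . unpack('H*', $id);
sysopen(my $fh, $marker, O_WRONLY | O_CREAT | O_EXCL, 0600)
    or fail('assertion already used (or replay cache unwritable)');
close $fh;

exit 0;

# SAML timestamps are xs:dateTime in UTC, e.g. 2009-07-30T18:38:00Z
sub parse_ts {
    my ($ts) = @_;
    my ($y, $mo, $d, $h, $mi, $s) =
        $ts =~ /^(\d{4})-(\d\d)-(\d\d)T(\d\d):(\d\d):(\d\d)(?:\.\d+)?Z$/
        or fail("unparseable timestamp '$ts'");
    return timegm($s, $mi, $h, $d, $mo - 1, $y);
}

sub fail {
    my ($why) = @_;
    print STDERR "saml_auth: $why\n";   # lands in the pam_exec log when log= is set
    exit 1;
}
```

Two things the script deliberately does in a fixed order: the signature is checked on the raw bytes before any field is read, and the Subject NameID is compared to PAM_USER, because without that comparison a valid assertion for one account would log the holder into whatever username they typed. The replay cache needs a cron job to delete markers older than the longest NotOnOrAfter the IdP issues; that housekeeping is left out here. The client side of the product still has to obtain the assertion from the customer's IdP and send it as the keyboard-interactive response, and the whole assertion must fit on one line of that response.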
