A detailed documentation of all the required components to enable SSH access via OIDC with on-the-fly account provisioning can be found at: https://github.com/EOSC-synergy/ssh-oidc. A quick summary is given below.
You’ll need the pam-ssh-oidc PAM module, which supports OIDC authentication by prompting the user for a token instead of a password.
You can also install it from the http://repo.data.kit.edu/ repo:
apt-get install pam-ssh-oidc or yum install pam-ssh-oidc
Check out the documentation for how to configure it, and make sure you set SSH to use the PAM module.
If you install the package pam-ssh-oidc-autoconfig, it will automatically configure SSH to use the PAM module.
In /etc/pam.d/sshd, add on the first line:
auth sufficient pam_oidc_token.so config=/etc/pam.d/config.ini
and configure the verification endpoint to your motley_cue instance in
[user_verification]
local = false
verify_endpoint = $MOTLEY_CUE_ENDPOINT/verify_user
where MOTLEY_CUE_ENDPOINT is http://localhost:8080 with a default installation.
Finally, make sure you have in your
UsePam yes
# one of the following, depending on your version of OpenSSH:
ChallengeResponseAuthentication yes
KbdInteractiveAuthentication yes
Note that this may also enable password-based logins, which you need to disable separately.
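A small audit script for the settings above, added here as an example (it is not part of motley_cue or pam-ssh-oidc). It reads the output of `sshd -T` saved to a file together with a copy of /etc/pam.d/sshd, and flags the password fallback mentioned in the note; the file paths are assumptions passed in as arguments.

```shell
#!/bin/sh
# Added example, not part of motley_cue or pam-ssh-oidc. Audits the settings this
# page asks for, reading `sshd -T` output saved to a file (lowercase "keyword value"
# lines) plus a copy of /etc/pam.d/sshd; both paths are passed in as arguments.

# Print the value of one keyword from sshd -T output (empty if absent).
sshd_t_value() {   # $1 = sshd -T output file, $2 = lowercase keyword
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Compare one keyword against its expected value; 0 on match, 1 otherwise.
check_setting() {  # $1 = sshd -T output file, $2 = keyword, $3 = expected
    v=$(sshd_t_value "$1" "$2")
    if [ "$v" = "$3" ]; then
        echo "ok    $2 = $v"; return 0
    fi
    echo "FAIL  $2 = '${v:-<unset>}' (expected $3)"; return 1
}

# 0 if the first "auth" entry in pam.d/sshd is the OIDC token module,
# i.e. the line from the text sits above the distribution's own auth entries.
pam_oidc_first() {  # $1 = pam.d/sshd file
    case "$(awk '$1 == "auth" { print; exit }' "$1")" in
        *pam_oidc_token.so*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run all checks; exit status is the number of failed checks (0 = all good).
audit_sshd() {     # $1 = sshd -T output file, $2 = pam.d/sshd file
    fails=0
    check_setting "$1" usepam yes || fails=$((fails + 1))
    # OpenSSH >= 8.7 reports kbdinteractiveauthentication; older releases
    # report challengeresponseauthentication. Either one set to yes is enough.
    if [ "$(sshd_t_value "$1" kbdinteractiveauthentication)" = yes ] ||
       [ "$(sshd_t_value "$1" challengeresponseauthentication)" = yes ]; then
        echo "ok    keyboard-interactive authentication enabled"
    else
        echo "FAIL  keyboard-interactive authentication not enabled"; fails=$((fails + 1))
    fi
    # The caveat from the text: with "sufficient", a rejected token falls through to
    # the remaining auth modules (typically pam_unix), so passwords must be off.
    check_setting "$1" passwordauthentication no || fails=$((fails + 1))
    if pam_oidc_first "$2"; then
        echo "ok    pam_oidc_token.so is the first auth entry"
    else
        echo "FAIL  pam_oidc_token.so is not the first auth entry"; fails=$((fails + 1))
    fi
    return "$fails"
}
```

Run it as `sshd -T > /tmp/sshd-T.txt; audit_sshd /tmp/sshd-T.txt /etc/pam.d/sshd` on the host being checked.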
To SSH into a server that supports OIDC authentication, you’ll need to trigger the deployment of a local account by calling the
/user/deploy endpoint and then get the local username via
Or you can have a look at mccli, an SSH client wrapper that does all this for you and can integrate with the