comanage-dev - Re: [comanage-dev] SSH/Domestication
Subject: COmanage Developers List
- From: Benn Oshrin <>
- To:
- Subject: Re: [comanage-dev] SSH/Domestication
- Date: Thu, 19 Aug 2010 20:03:27 -0400
On 8/19/10 4:22 PM, Steven Carmody wrote:
> I'd agree with your note -- perhaps we should change the title/handle we
> use to refer to this problem to something more like "Leveraging
> Federation to Manage the Use of SSH". Which, I think, is closer to what
> we had in mind.
I think that there are two problems here that we are interested in, but that are not specifically COmanage problems: Federated identity in a non-web context, and federated provisioning. We might participate in the community process of addressing these issues, but if they were already solved we could happily move on.
Given that, I think it's reasonable to have OpenSSH and other specific technologies (eg: shell login) listed in the domestication registry, in the same way that we might mention that Webex doesn't support federated provisioning at the moment (because, well, there is no federated provisioning at the moment).
> (eg user has ssh key; user uses federated web site to upload key and
> associate with eppn value; admin assigns user to group(s); there are
> various privileges associated with each group (eg can SSH to service
> at site.domain.edu); assignment to such a group provisions a *nix (or
> whatever) identity at site.domain.edu and with the appropriate group
> memberships and with the user's key stored in the appropriate place).
We should probably also avoid describing the use case as "SSH". I think the above is really “federated provisioning and authentication of text based login”.
On 8/19/10 4:29 PM, Michael R. Gettes wrote:
> This might be heresy to suggest... what about a web-based SSH?
> Does this make the problem more tractable?
Given that you still need an account at the other end to log into, it doesn't address the federated provisioning aspect. However, one could imagine that web-based SSH could do some magic to handle federated identity. (Doesn't somebody already have an implementation of this?)
What about things like file transfer and job submission?
-Benn-