SSH Login Plug-in
Overview
Some users would like to be able to connect to Deephaven without having to enter a username and password. One option is to use their existing SSH keys. This may be accomplished using a plug-in that will permit the existence of SSH credentials to take the place of a manually-entered username and password.
There are three components that enable SSH login:
- The server-side authentication server plug-in.
- The client-side non-graphical authentication plug-in.
- The client-side graphical authentication plug-in.
Either of the client-side plug-ins will read a local key file and initiate an SSH connection to the server, then connect to a domain socket on the server, receiving a token in return that can be used in lieu of a password. The ability to connect to a domain socket on the server is itself proof of identity.
Note: the system MUST have a user with the same username as the SSH username.
Authentication Server Plug-in
This is the standard Deephaven authentication server plug-in. The client will SSH into the authentication server(s). If a user is able to make an SSH connection to the server, this confirms that the user is valid. The server will read their user ID and return a one-time-use password.
Related Link
Please refer to the Netcat documentation for installation instructions.
sudo yum install nc
Your server may use a different installation method, such as apt.
Set the iris-console properties in the 'service.name=authentication_server' section of iris-common.prop:
- authentication.server.customauth.enabled must be true.
- authentication.server.customauth.class.<name> must be set to the full name of the plug-in (io.deephaven.unixauth.SocketAuthModule).
- authentication.server.customauth.<name>.priority must be set to some integer value indicating the priority for this authenticator. The priority indicator defines the order in which the available authentication mechanisms will be checked. The lowest priority goes first.
- authentication.unixauth.socket is an optional property, defaulting to /tmp/deephaven-auth.sock, determining where the domain socket will be on the server that the client will connect to. Both the client and the server must have the same value for this property.
- authentication.unixauth.tokenTimeoutMillis is an optional property, defaulting to 60000, determining how many milliseconds may pass between a client authenticating via the socket and the client confirming its identity to the authentication server.
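The server-side behavior described in this section (identify the caller from its domain-socket connection, return a one-time-use password, and reject it once tokenTimeoutMillis has passed) is shown below as an added Python example; it is not Deephaven's plug-in code. It assumes Linux and that the caller's user ID is read with SO_PEERCRED, which the page does not state; peer_uid and TokenIssuer are hypothetical names.

```python
import secrets
import socket
import struct
import time

# Documented default of authentication.unixauth.tokenTimeoutMillis.
TOKEN_TIMEOUT_MS = 60000


def peer_uid(conn):
    """Return the UID the kernel recorded for the other end of a Unix socket."""
    # Assumption: Linux SO_PEERCRED, which yields (pid, uid, gid) as three ints.
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)
    return uid


class TokenIssuer:
    """Hypothetical issuer: one-time tokens bound to the connecting UID."""

    def __init__(self, timeout_ms=TOKEN_TIMEOUT_MS, clock=time.monotonic):
        self._timeout_s = timeout_ms / 1000.0
        self._clock = clock
        self._pending = {}  # token -> (uid, time issued)

    def issue(self, conn):
        """Called when a client connects to the domain socket."""
        uid = peer_uid(conn)  # identity comes from the kernel, not the client
        token = secrets.token_urlsafe(32)
        self._pending[token] = (uid, self._clock())
        return uid, token

    def redeem(self, claimed_uid, token):
        """Called when the client presents the token as its password."""
        entry = self._pending.pop(token, None)  # pop: any attempt consumes it
        if entry is None:
            return False  # unknown or already used
        uid, issued = entry
        if self._clock() - issued > self._timeout_s:
            return False  # older than tokenTimeoutMillis
        return uid == claimed_uid  # valid only for the UID it was issued to


if __name__ == "__main__":
    # Constructed demo: a socketpair stands in for a client on the socket.
    server_end, client_end = socket.socketpair(socket.AF_UNIX)
    issuer = TokenIssuer()
    uid, token = issuer.issue(server_end)
    print(issuer.redeem(uid, token), issuer.redeem(uid, token))
```

Because the identity comes from the kernel's record of the connecting process, the client never supplies a username the server has to trust, which is why this login method cannot be used to impersonate another user.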
Non-Graphical Client Plug-in
The client plug-in is a standard Deephaven client plug-in. When active, the authentication manager will automatically attempt to authenticate with the authentication server.
Upon login, the panel will open an SSH connection to the server. If the connection succeeds, the client can call a method on the authentication server to get a one-time password. The client will then close the SSH connection and submit the username and password. It is not possible to impersonate another user while using this login method.
The ssh and id command-line utilities must be available on the local system.
Set the following properties in the 'service.name=iris_console|interactive_console' section of iris-common.prop:
- authentication.client.customlogin.class.<name> must be set to the full name of the client-side plug-in (io.deephaven.unixauth.clientauth.SSHClientAuthMethod). The standard username/password combination will always be included as a final login option, even when custom login classes are being used.
- authentication.client.customlogin.priority.<name> must be set to a unique priority number for each class being used for custom login. A class with no priority listed will be treated as 'last'. Only one such class may exist. The lowest numbers will be listed first in the login method dropdown.
- authentication.server.list must be set, with at least one of the specified addresses being a server that accepts SSH connections and is prepared to accept connections on the specified domain socket.
- authentication.unixauth.socket is an optional property, defaulting to /tmp/deephaven-auth.sock, determining where the domain socket will be on the server that the client will connect to. Both the client and the server must have the same value for this property.
- authentication.unixauth.port is an optional property, defaulting to the SSH standard of 22, determining what port number the client will use to connect to the server.
Graphical Client Plug-in
The graphical client plug-in will call the non-graphical client plug-in when a user clicks Login or the auto-login timer expires. The only graphical element will be a text string with the login option and any progress indicators.
The ssh and id command-line utilities must be available on the local system.
Set the following properties in the 'service.name=iris_console|interactive_console' section of iris-common.prop:
- authentication.client.customlogin.class.<name> must be set to the full name of the client-side plug-in (com.illumon.iris.console.utils.WAuthenticationSSHLoginMethodPanel). The standard username/password combination will always be included as a final login option, even when custom login classes are being used.
- authentication.client.customlogin.priority.<name> must be set to a unique priority number for each class being used for custom login. A class with no priority listed will be treated as 'last'. Only one such class may exist. The lowest numbers will be listed first in the login method dropdown.
- authentication.server.list must be set, with at least one of the specified addresses being a server that accepts SSH connections and is prepared to accept connections on the specified domain socket.
- authentication.unixauth.socket is an optional property, defaulting to /tmp/deephaven-auth.sock, determining where the domain socket will be on the server that the client will connect to. Both the client and the server must have the same value for this property.
- authentication.unixauth.port is an optional property, defaulting to the SSH standard of 22, determining what port number the client will use to connect to the server.
Last Updated: 19 March 2020 10:41 -04:00 UTC Deephaven v.1.20190816
Deephaven Documentation Copyright 2016-2020 Deephaven Data Labs, LLC All Rights Reserved