Hi all,
One topic that has come up quite often with us is forwarding of the moonshot authentication over SSH.

An example use case:
A user SSHs into our cluster. On the cluster the user wants to check out data from iRODS. Both SSH and iRODS use moonshot. Currently, to my knowledge, the user could not use moonshot for the iRODS part, since there is no equivalent to the "-A/-X" flag when using SSH, and the GSS negotiation would have to be done from the cluster node.

I assume this could be done in a few ways. First, I don't know if it works in the moonshot case, but apparently SSH can delegate GSS credentials with the ssh option GSSAPIDelegateCredentials. However, even if it worked, I assume that this would be a horrible option, since not only would the remote site get your credentials, it would get your home organization credentials.

Is there any way to tunnel GSS negotiations to the original host (the user's laptop)? Or can this be done somehow within GSS-EAP?

I understand that GSS-EAP talks to moonshot-UI using dbus. If it is possible to use the dbus session over an SSH tunnel, could this help? Or, for example, is the TTLS tunnel between the GSS-EAP module and your home radius, and the moonshot-UI just provides the credentials to the GSS-EAP module? In this case we would be back to giving your credentials to the remote site.

Or are there any other methods by which this could work? Or is my GSS understanding sufficiently lacking that these ideas make no sense?

Cheers,
Kalle