A few questions on Scitokens SSH.


Francesco Prelz

Oct 16, 2020, 5:33:21 AM
to dis...@scitokens.org, Frances...@mi.infn.it

Hello Scitokens experts and lovers.
I blindly sent this message to 'dis...@scitokens.org' one week ago, not
realising that I had to subscribe to the group. Now that I did, I'm
happy to see that there's not much activity, and that the last thread
before the 'EU' Condor week was actually on scitokens and SSH...

So: looking for a token-based (traceable to a physical user, with
capabilities and ideally single-use) ssh access solution for
administrative access to our site machines (that would vastly simplify the
compliance with current EU regulations), I was inspired by your work and
I've been trying to machete my way through reproducing a workable,
standalone setup.

I used the Hydra-based solution described here (heartfelt thanks
for this document): https://scitokens.org/technical_docs/OryHydra.
I now have a working flow that grants SSH authorisation. I have a few
residual questions though:

1) I tried to use the master of https://github.com/scitokens/scitokens-cpp.git
and found it links (as a submodule) a December 2018 snapshot
of jwt-cpp (commit c9b7a6c, apparently not connected to any version tag of
jwt-cpp). Was this state of jwt-cpp carefully researched ?
Is there any plan to rebase it, or reason not to ?
Anyhow, I did tweak scitokens-cpp to build against the current
master of https://github.com/Thalhammer/jwt-cpp.git and could
send the changes for review if needed.

2) Not being an OAuth2 priest (just a catholic deacon...), I am a bit
confused with the relation and meaning of the 'scope' vs. 'scp' claims.
Did 'scp' replace 'scope'? Can anyone please help me understand ?
Is Scitoken using and planning to keep using 'scope' ?
For now I changed the verify recipe to check 'scp' instead of 'scope'
(and ignore the "ext" and "client_id" claims).

3) Turning to https://github.com/XSEDE/oauth-ssh.git, I found that (at
least on my reasonably up-to-date Debian 10 installation) the PAM
conversation function used to read the auth token returns
1023 bytes maximum (shouldn't that be PAM_MAX_RESP_SIZE == 512, btw?).
The token I get from hydra is instead typically around
1100 bytes, so it gets chopped. I worked around this by reading the token
in chunks via multiple pam_get_item()s, but I'm wondering whether I'm
missing anything that would give me shorter tokens, or whether you bumped
into this issue already...

Thanks for your efforts in bringing order to the chaos.

Greetings from Milan, now rapidly climbing back to the viral leadership it
used to deserve...

Francesco Prelz
INFN - Sezione di Milano

Basney, Jim

Oct 16, 2020, 12:07:22 PM
to Francesco Prelz, dis...@scitokens.org
Hi Francesco,

I'm glad your message made it to the list this time. That's really great news that you've got SciTokens SSH working with a Hydra-based token issuer! I'll respond to your questions inline below.

> 1) I tried to use the master of https://github.com/scitokens/scitokens-cpp.git
> and found it links (as a submodule) a December 2018 snapshot
> of jwt-cpp (commit c9b7a6c, apparently not connected to any version tag of
> jwt-cpp). Was this state of jwt-cpp carefully researched ?
> Is there any plan to rebase it, or reason not to ?
> Anyhow, I did tweak scitokens-cpp to build against the current
> master of https://github.com/Thalhammer/jwt-cpp.git and could
> send the changes for review if needed.

Good question! I don't know the answer, so I'll ask Derek to fill in the details. If it's convenient for you to send your changes in a pull request, we could discuss it over on GitHub.

> 2) Not being an OAuth2 priest (just a catholic deacon...), I am a bit
> confused with the relation and meaning of the 'scope' vs. 'scp' claims.
> Did 'scp' replace 'scope'? Can anyone please help me understand ?
> Is Scitoken using and planning to keep using 'scope' ?
> For now I changed the verify recipe to check 'scp' instead of 'scope'
> (and ignore the "ext" and "client_id" claims).

The "scp" claim came from an early draft of the OAuth 2.0 Token Exchange spec, and it changed to "scope" prior to becoming RFC 8693. Replacing "scp" with "scope" throughout the SciTokens code and docs is a work-in-progress, but it's our intention to be using "scope" everywhere rather than "scp".

> 3) Turning to https://github.com/XSEDE/oauth-ssh.git, I found that (at
> least on my reasonably up-to-date Debian 10 installation) the PAM
> conversation function used to read the auth token returns
> 1023 bytes maximum (shouldn't that be PAM_MAX_RESP_SIZE == 512, btw?).
> The token I get from hydra is instead typically around
> 1100 bytes, so it gets chopped. I worked around this by reading the token
> in chunks via multiple pam_get_item()s, but I'm wondering whether I'm
> missing anything that would give me shorter tokens, or whether you bumped
> into this issue already...

Oh, I think we've just been lucky so far that our tokens have been under 1023 bytes during our testing. For example, the token I get from https://demo.scitokens.org/ is only 691 bytes. I think your fix to read the token in chunks is a good one. If you could put that in a pull request also, that'd be very welcome.

Thanks for being an early adopter and providing detailed feedback!

Regards from Champaign-Urbana,
Jim
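
The chunked read Francesco describes for the oauth-ssh PAM module, written out as an added example (this is not code from oauth-ssh, SciTokens or either poster). It assumes only what the thread states: a single conversation response comes back capped at 1023 bytes, so the module keeps prompting and concatenates the responses until one comes back shorter than the cap (or empty, for a token whose length is an exact multiple). Where that cap is imposed is not established by the thread and the loop does not depend on it. The conv_fn type, the fake_conv stand-in, the TOKEN_MAX limit and the synthetic token are this example's own assumptions, chosen so it builds and runs without libpam; a real module would obtain conv and appdata_ptr from pam_get_item(pamh, PAM_CONV, ...) and pass them in the same way.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TOKEN_CHUNK_MAX 1023  /* largest single response observed in the thread */
#define TOKEN_MAX       8192  /* hard cap on the reassembled token (this example's choice) */

/* Calling convention of the conv() member of struct pam_conv, under local
 * names so the file builds without <security/pam_appl.h>. */
typedef int (*conv_fn)(const char *prompt, char **response, void *appdata);

enum { TOKEN_OK = 0, TOKEN_ERR_CONV, TOKEN_ERR_TOOLONG, TOKEN_ERR_CHARSET, TOKEN_ERR_EMPTY };

/* A JWT is base64url segments joined by '.'; anything else never reaches a parser. */
static int token_charset_ok(const char *s)
{
    for (; *s; s++) {
        int c = *s;
        if (!((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
              (c >= '0' && c <= '9') || c == '-' || c == '_' || c == '.'))
            return 0;
    }
    return 1;
}

/* Prompt repeatedly and concatenate the responses. A response shorter than
 * the cap ends the token; a token whose length is an exact multiple of the
 * cap is ended by an empty response. Bounds are checked before every copy. */
int collect_token(conv_fn conv, void *appdata, char *out, size_t outlen)
{
    size_t used = 0, n;
    int part = 1;
    out[0] = '\0';
    for (;;) {
        char prompt[64], *resp = NULL;
        snprintf(prompt, sizeof prompt, "Access token, part %d (empty to finish): ", part);
        if (conv(prompt, &resp, appdata) != 0 || resp == NULL)
            return TOKEN_ERR_CONV;
        n = strlen(resp);
        if (used + n > TOKEN_MAX || used + n + 1 > outlen) {
            free(resp);
            return TOKEN_ERR_TOOLONG;
        }
        memcpy(out + used, resp, n);
        used += n;
        out[used] = '\0';
        free(resp);
        if (n < TOKEN_CHUNK_MAX)
            break;
        part++;
    }
    if (used == 0)
        return TOKEN_ERR_EMPTY;
    return token_charset_ok(out) ? TOKEN_OK : TOKEN_ERR_CHARSET;
}

/* Constructed stand-in for the real conversation: hands the stored token back
 * TOKEN_CHUNK_MAX bytes per call, i.e. what the truncating path looks like
 * from the module's side. */
struct fake_src { const char *token; size_t pos; };

static int fake_conv(const char *prompt, char **response, void *appdata)
{
    struct fake_src *src = appdata;
    size_t left = strlen(src->token) - src->pos;
    size_t n = left < TOKEN_CHUNK_MAX ? left : TOKEN_CHUNK_MAX;
    (void)prompt;
    if ((*response = malloc(n + 1)) == NULL)
        return 1;
    memcpy(*response, src->token + src->pos, n);
    (*response)[n] = '\0';
    src->pos += n;
    return 0;
}

/* Build a synthetic base64url token of `len` characters (constructed data),
 * push it through collect_token() via fake_conv(), report whether it survived. */
int roundtrip(size_t len)
{
    static const char alphabet[] = "abcXYZ09-_";
    char *tok = malloc(len + 1), out[TOKEN_MAX + 1];
    struct fake_src src = { tok, 0 };
    size_t i;
    int ok;
    if (tok == NULL)
        return 0;
    for (i = 0; i < len; i++)
        tok[i] = (len > 100 && (i == 36 || i == len - 43)) ? '.' : alphabet[i % 10];
    tok[len] = '\0';
    ok = collect_token(fake_conv, &src, out, sizeof out) == TOKEN_OK && strcmp(out, tok) == 0;
    free(tok);
    return ok;
}

int main(void)
{
    printf("1100-byte token reassembled: %s\n", roundtrip(1100) ? "yes" : "no");
    printf("2046-byte token (exact multiple of the cap): %s\n", roundtrip(2046) ? "yes" : "no");
    printf("9000-byte token rejected: %s\n", roundtrip(9000) ? "no" : "yes");
    return 0;
}
```

Two checks are included that a PAM module wants once it accepts multi-part input: a hard upper bound applied before every copy, so a client that never sends a short chunk cannot grow the buffer indefinitely, and a character-set check, since anything outside base64url plus dots cannot be a JWT and should not be handed to the verifier at all.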

Francesco Prelz

Oct 16, 2020, 12:35:33 PM
to Francesco Prelz, dis...@scitokens.org

Hi Jim and Derek, and thank you both for your replies.

> The "scp" claim came from an early draft of the OAuth 2.0 Token Exchange
> spec, and it changed to "scope" prior to becoming RFC 8693. Replacing
> "scp" with "scope" throughout the SciTokens code and docs is a
> work-in-progress, but it's our intention to be using "scope" everywhere
> rather than "scp".

Hmmm: I wonder then whether I'm missing some config knob and/or update of
hydra. I'm using, as in the published examples, the hydra:v1.4.2 Docker
image, which is "just" 6 months old. Could a more recent version
be spitting out 'scope' instead of 'scp' ? Assuming I understand correctly
that that JSON text is composed inside hydra.

> Oh, I think we've just been lucky so far that our tokens have been under
> 1023 bytes during our testing. For example, the token I get from
> https://demo.scitokens.org/ is only 691 bytes. I think your fix to read
> the token in chunks is a good one. If you could put that in a pull
> request also, that'd be very welcome.

I tend to get anxious with pull requests but I'll see what I can do.
Heck, I just replaced my Android 'gingerbread' phone during the lockdown
because it couldn't handle TLS v1.2... Are you saying that something
replaced RCS lately ?

Thank you again!
Francesco P.

Basney, Jim

Oct 19, 2020, 11:12:01 AM
to Francesco Prelz, dis...@scitokens.org
Hi,

>> The "scp" claim came from an early draft of the OAuth 2.0 Token Exchange
>> spec, and it changed to "scope" prior to becoming RFC 8693. Replacing
>> "scp" with "scope" throughout the SciTokens code and docs is a
>> work-in-progress, but it's our intention to be using "scope" everywhere
>> rather than "scp".

> Hmmm: I wonder then whether I'm missing some config knob and/or update of
> hydra. I'm using, as in the published examples, the hydra:v1.4.2 Docker
> image, which is "just" 6 months old. Could a more recent version
> be spitting out 'scope' instead of 'scp' ? Assuming I understand correctly
> that that JSON text is composed inside hydra.

I wasn't aware of it until now, but it appears that ORY is also struggling with this "scp" versus "scope" naming issue. Here's a discussion about it from May:

https://github.com/ory/fosite/issues/362#issuecomment-636250680

As far as I can tell, the config knob for hydra isn't implemented yet, so they're still issuing the old "scp" claim, but hopefully they'll come into compliance with the current specifications and support "scope" soon.

Regards,
Jim
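
Since the Hydra version used here still emits "scp" while SciTokens is moving to "scope" (RFC 8693), a verifier in the middle of the transition has to read both. The following is an added example, not SciTokens, scitokens-cpp or Hydra code: it takes the raw text of whichever claim the JWT library hands back, treats "scope" as the RFC 8693 space-delimited string and "scp" as a JSON array of strings (that array form is assumed here, not taken from the thread), and produces one scope list. The array parser is deliberately minimal (no escape sequences, which valid scope values never contain), and the policy of rejecting a token whose two claims disagree is this example's choice.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_SCOPES 32
#define SCOPE_LEN  128

struct scope_set { int n; char v[MAX_SCOPES][SCOPE_LEN]; };

static int add_scope(struct scope_set *s, const char *p, size_t len)
{
    if (len == 0 || len >= SCOPE_LEN || s->n >= MAX_SCOPES)
        return -1;
    memcpy(s->v[s->n], p, len);
    s->v[s->n][len] = '\0';
    s->n++;
    return 0;
}

/* RFC 8693 form:  "scope": "read:/data write:/data/user"  (space-delimited) */
static int parse_scope_string(const char *val, struct scope_set *s)
{
    const char *p = val, *start;
    while (*p) {
        while (*p == ' ') p++;
        if (!*p) break;
        start = p;
        while (*p && *p != ' ') p++;
        if (add_scope(s, start, (size_t)(p - start)) < 0) return -1;
    }
    return 0;
}

/* Draft form, assumed here:  "scp": ["read:/data", "write:/data/user"].
 * Minimal JSON array-of-strings parser: no escape sequences, no trailing
 * comma, nothing allowed after the closing bracket. */
static int parse_scp_array(const char *val, struct scope_set *s)
{
    const char *p = val, *start;
    int after_comma = 0;
    while (isspace((unsigned char)*p)) p++;
    if (*p++ != '[') return -1;
    for (;;) {
        while (isspace((unsigned char)*p)) p++;
        if (*p == ']' && !after_comma) { p++; break; }
        if (*p++ != '"') return -1;
        start = p;
        while (*p && *p != '"') {
            if (*p == '\\') return -1;   /* scope values never need escapes */
            p++;
        }
        if (*p != '"') return -1;
        if (add_scope(s, start, (size_t)(p - start)) < 0) return -1;
        p++;
        while (isspace((unsigned char)*p)) p++;
        if (*p == ',') { p++; after_comma = 1; continue; }
        if (*p == ']') { p++; break; }
        return -1;
    }
    while (isspace((unsigned char)*p)) p++;
    return *p == '\0' ? 0 : -1;
}

int has_scope(const struct scope_set *s, const char *want)
{
    int i;
    for (i = 0; i < s->n; i++)
        if (strcmp(s->v[i], want) == 0) return 1;
    return 0;
}

/* Either claim may be NULL when absent. Policy chosen for this example: use
 * "scope" when present, fall back to "scp", reject a token with neither, and
 * reject one that carries both with different contents. */
int token_scopes(const char *scope_claim, const char *scp_claim, struct scope_set *s)
{
    struct scope_set alt;
    int i;
    s->n = 0;
    alt.n = 0;
    if (scope_claim == NULL && scp_claim == NULL) return -1;
    if (scope_claim == NULL) return parse_scp_array(scp_claim, s);
    if (parse_scope_string(scope_claim, s) < 0) return -1;
    if (scp_claim == NULL) return 0;
    if (parse_scp_array(scp_claim, &alt) < 0 || alt.n != s->n) return -1;
    for (i = 0; i < alt.n; i++)
        if (!has_scope(s, alt.v[i])) return -1;
    return 0;
}

int main(void)
{
    struct scope_set s;
    int rc = token_scopes(NULL, "[\"read:/data\", \"write:/data/user\"]", &s);
    printf("scp array: rc=%d, %d scopes, write:/data/user %s\n",
           rc, s.n, has_scope(&s, "write:/data/user") ? "present" : "absent");
    rc = token_scopes("read:/data", "[\"write:/data\"]", &s);
    printf("conflicting scope/scp rejected: %s\n", rc < 0 ? "yes" : "no");
    return 0;
}
```

The authorisation decision then runs over the normalised list (has_scope) regardless of which spelling the issuer used, so switching the issuer from "scp" to "scope" later needs no change on the verifying side. Refusing a token that carries both claims with different contents costs nothing for well-behaved issuers and removes the question of which one an attacker-influenced issuer meant.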
