Shibboleth in backend


Shibboleth in backend

prasanna1981
Dear Team,

I have a query.

Can Shibboleth be used from backend activities like SVN/GIT?

A real-time example is:

1. User tries to check in files in some SCM repos like SVN or GIT
2. This should take the user to Shibboleth (IdP) where the Shibboleth should prompt for username and password in the command prompt (shell itself) and not in UI
3. When the credentials are correct, a positive sign like 'true' should be sent to the SVN call
4. Then the SVN operation will be carried out.

Is this possible?

Thanks & Regards,
J Prasanna Venkatesan

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

RE: Shibboleth in backend

Rod Widdowson
You’d need to explore the GSSAPI extensions, probably with ECP.

I have no idea where that all is, but last I looked the IETF RFC was still kicking around.


Re: Shibboleth in backend

Peter Schober
In reply to this post by prasanna1981
* JPrasanna Venkatesan <[hidden email]> [2018-06-29 09:29]:

> When shibboleth can be used from backend activities like SVN/GIT.
>
> Realtime Example is
>
> 1. User tried to check in files in some SCM repos like SVN or GIT
> 2. This should take the user to Shibboleth (IdP) where the Shibboleth
> should prompt for username and password in the command prompt (shell
> itself) and not in UI
> 3. When the credentials are correct, a positive sign like 'true' should be
> sent to the SVN call
> 4. Then the SVN operation will be carried out.

Passwords suck, and entering passwords for each `svn up` or `git push`
or whatever sucks even more.  So if the end result sucks I wouldn't
bother investing any effort into getting there.

Instead just use some Shib-protected web UI that allows people to
upload their SSH public key, then use SSH with keys only to access the
repositories.

That could be something simple and homegrown using OpenSSHd's
https://man.openbsd.org/sshd_config.5#AuthorizedKeysCommand
support; an example of such a command could be Joost's PoC:
https://github.com/joostd/fedSSH-poc/blob/master/ansible/ssh/files/authorized_keys
(or pull from LDAP or wherever). Or you could use a full-blown
application for that: e.g. https://gogs.io/ or https://gitea.io/ can
be run behind a shib-enabled proxy (or LDAP auth, which is built-in)
and allows self-management of SSH keys, plus lots more, of course
(it's essentially a self-hosted GitHub clone), and comes in a single
golang binary, so it can easily be deployed essentially anywhere.

-peter
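The homegrown AuthorizedKeysCommand route Peter describes, as an added example that is not part of the thread and not Joost's PoC: it assumes a Shib-protected web UI (not shown) has written each user's uploaded public keys to one file per user under a hypothetical KEYDIR, and sshd is configured to call this script with `%u`. The script validates the login name before touching the filesystem and only emits lines that look like OpenSSH public keys, so a bad or missing entry denies rather than leaks.

```shell
#!/bin/sh
# Constructed example of an sshd AuthorizedKeysCommand backed by a key store
# that a (hypothetical) Shib-protected web UI fills, one file per user.
# Assumed sshd_config lines that wire it up:
#   AuthorizedKeysCommand /usr/local/sbin/shib-authorized-keys %u
#   AuthorizedKeysCommandUser nobody
#   PasswordAuthentication no
set -eu

# Hypothetical location of the per-user key files written by the web UI.
KEYDIR="${KEYDIR:-/var/lib/fedssh/keys}"

# Print the public keys for one user; return non-zero (no output, so sshd
# denies) on any problem.
authorized_keys_for() {
    user="$1"
    # The login name comes from the remote client: allow only a conservative
    # alphabet and no leading dot, so it cannot escape KEYDIR or hit ".."
    case "$user" in
        ''|*[!a-zA-Z0-9._-]*|.*) return 1 ;;
    esac
    keyfile="$KEYDIR/$user"
    [ -f "$keyfile" ] || return 1
    # Pass through only lines shaped like OpenSSH public keys; comments,
    # blank lines and any other debris in the store are dropped.
    grep -E '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/=]+' "$keyfile"
}

# When invoked by sshd the single argument is the login name (%u).
if [ "${1:-}" != "" ]; then
    authorized_keys_for "$1" || exit 0
fi
```

Run it by hand as the AuthorizedKeysCommandUser (`shib-authorized-keys alice`) to confirm the same output sshd will see before turning off password authentication.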