SSH login plugin

Some users would like to connect to Deephaven without entering a username and password. One option is to use their existing SSH keys. This is accomplished with a plugin that lets valid SSH credentials take the place of a manually entered username and password.

There are three components that enable SSH login:

  1. The server-side authentication server plugin.
  2. The client-side non-graphical authentication plugin.
  3. The client-side graphical authentication plugin.

Either of the client-side plugins will read a local key file and initiate an SSH connection to the server, then connect to a domain socket on the server, receiving a token in return that can be used in lieu of a password. The ability to connect to a domain socket on the server is itself proof of identity.

Caution

The system MUST have a user with the same username as the SSH username.


Authentication server plugin

This is the standard Deephaven authentication server plugin. The client will SSH into the authentication server(s). If a user is able to make an SSH connection to the server, this confirms that the user is valid. The server will read their user ID and return a one-time-use password.

Note

Please refer to the Netcat documentation for installation instructions.

It is required that Netcat (nc) be installed on the authentication server. If you are using dnf, the following command is a simple way to install Netcat:

sudo dnf install nc

Your server may use a different installation method, such as apt.

Set the following properties in the service.name=authentication_server section of iris-common.prop:

  • authentication.server.customauth.enabled must be true.
  • authentication.server.customauth.class.<name> must be set to the full name of the plugin (io.deephaven.unixauth.SocketAuthModule).
  • authentication.server.customauth.<name>.priority must be set to some integer value indicating the priority for this authenticator. The priority indicator defines the order in which the available authentication mechanisms will be checked. The lowest priority goes first.
  • authentication.unixauth.socket is an optional property, defaulting to /tmp/deephaven-auth.sock, determining where the domain socket will be on the server that the client will connect to. Both the client and the server must have the same value for this property.
  • authentication.unixauth.tokenTimeoutMillis is an optional property, defaulting to 60000, determining how many milliseconds may pass between a client authenticating via the socket and the client confirming its identity to the authentication server.

Non-graphical client plugin

The client plugin is a standard Deephaven client plugin. When active, the authentication manager will automatically attempt to authenticate with the authentication server.

Upon login, the panel will open an SSH connection to the server. If the connection succeeds, the client can call a method on the authentication server to get a one-time password. The client will then close the SSH connection and submit the username and password. It is not possible to impersonate another user while using this login method.
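The two flows described above (the server reading the connecting user's ID and returning a one-time password, and the client being unable to impersonate another user) come down to two server-side decisions: identify the caller from the kernel's peer credentials on the domain socket rather than from anything the client sends, and hand out a token that is valid once and only within authentication.unixauth.tokenTimeoutMillis. The following is an added illustrative model of that logic, not the code of io.deephaven.unixauth.SocketAuthModule, whose wire format this page does not document; the Linux SO_PEERCRED layout and the newline-terminated reply are assumptions.

```python
import pwd
import secrets
import socket
import struct
import threading
import time

TOKEN_TIMEOUT_MILLIS = 60000  # page default for authentication.unixauth.tokenTimeoutMillis


class TokenStore:
    """One-time tokens bound to the user the socket identified, valid for a bounded time."""

    def __init__(self, timeout_millis=TOKEN_TIMEOUT_MILLIS, clock=time.monotonic):
        self._timeout = timeout_millis / 1000.0
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._tokens = {}            # token -> (username, issued_at)
        self._lock = threading.Lock()

    def issue(self, username):
        token = secrets.token_urlsafe(32)   # unguessable; never derived from the username
        with self._lock:
            self._tokens[token] = (username, self._clock())
        return token

    def redeem(self, username, token):
        """Accept the token exactly once, only for its issuing user, only before it expires.
        The token is consumed on any attempt, so a wrong-user guess cannot be retried."""
        with self._lock:
            entry = self._tokens.pop(token, None)
        if entry is None:
            return False
        issued_user, issued_at = entry
        if self._clock() - issued_at > self._timeout:
            return False
        return issued_user == username


def peer_username(conn):
    """Identity comes from the kernel's peer credentials on the Unix domain socket
    (assumed Linux SO_PEERCRED layout: pid, uid, gid), not from anything the client writes."""
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", creds)
    return pwd.getpwuid(uid).pw_name     # requires a local account with that username


def handle_connection(conn, store):
    """Server side of the socket step (hypothetical): look up who connected, reply with a token."""
    username = peer_username(conn)
    conn.sendall((store.issue(username) + "\n").encode())
```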

The ssh and id command-line utilities must be available on the local system.

Set the following properties in the service.name=iris_console|interactive_console section of iris-common.prop:

  • authentication.client.customlogin.class.<name> must be set to the full name of the client-side plugin (io.deephaven.unixauth.clientauth.SSHClientAuthMethod). The standard username/password combination will always be included as a final login option, even when custom login classes are being used.
  • authentication.client.customlogin.priority.<name> must be set to a unique priority number for each class being used for custom login. A class with no priority listed will be treated as last. Only one such class may exist. The lowest numbers will be listed first in the login method dropdown.
  • authentication.server.list must be set, with at least one of the specified addresses being a server that accepts SSH connections and is prepared to accept connections on the specified domain socket.
  • authentication.unixauth.socket is an optional property, defaulting to /tmp/deephaven-auth.sock, determining where the domain socket will be on the server that the client will connect to. Both the client and the server must have the same value for this property.
  • authentication.unixauth.port is an optional property, defaulting to the SSH standard of 22, determining what port number the client will use to connect to the server.

Graphical client plugin

The graphical client plugin will call the non-graphical client plugin when a user clicks Login or the auto-login timer expires. The only graphical element will be a text string with the login option and any progress indicators.

The ssh and id command-line utilities must be available on the local system.

Set the following properties in the service.name=iris_console|interactive_console section of iris-common.prop:

  • authentication.client.customlogin.class.<name> must be set to the full name of the client-side plugin (com.illumon.iris.console.utils.WAuthenticationSSHLoginMethodPanel). The standard username/password combination will always be included as a final login option, even when custom login classes are being used.
  • authentication.client.customlogin.priority.<name> must be set to a unique priority number for each class being used for custom login. A class with no priority listed will be treated as last. Only one such class may exist. The lowest numbers will be listed first in the login method dropdown.
  • authentication.server.list must be set, with at least one of the specified addresses being a server that accepts SSH connections and is prepared to accept connections on the specified domain socket.
  • authentication.unixauth.socket is an optional property, defaulting to /tmp/deephaven-auth.sock, determining where the domain socket will be on the server that the client will connect to. Both the client and the server must have the same value for this property.
  • authentication.unixauth.port is an optional property, defaulting to the SSH standard of 22, determining what port number the client will use to connect to the server.