Azure AD authentication for SSH

To be honest, managing authentication on Linux for many users and admins can be a huge pain. Different companies use different tools, generally a centralized one that distributes developers' SSH keys. That is still a pain, so if the company already has Azure AD (or Office 365), why not use those accounts for authentication?

Teleport's SSH server is one example of such a key distribution tool.

Leveraging Device Code flow

If you have ever used the Azure CLI (or signed in to YouTube, Spotify or Facebook on an Xbox), you have already been through a device code flow. If the client cannot offer an interactive login session, the authorization server generates a short-lived (15 minutes in Azure AD), single-use code. You enter that code on another device, where you can sign in normally, MFA included, and the waiting client then receives a token for the requested resource.

The device code flow is explained in depth here, for example, or refer to the IETF draft (since published as RFC 8628, OAuth 2.0 Device Authorization Grant).
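To make the flow concrete, here is an offline simulation of the device authorization grant with both sides present: the authorization server that issues the codes and answers token polls, and the headless client that shows the user code and polls. This is an example added to this post, not Azure AD's implementation and not the author's proof of concept; the endpoint names and error codes follow RFC 8628, the 15-minute lifetime matches the post, and the verification URL, client id and subjects are placeholders.

```python
"""Offline simulation of the OAuth 2.0 device authorization grant (RFC 8628),
the flow Azure AD runs behind "go to this URL and enter this code".

This is an example added to this post, not Azure AD's implementation and not
the author's PoC. The endpoint names and error codes follow the RFC; the
15-minute lifetime matches the post; the URL is a placeholder."""
import secrets
import time


class DeviceAuthorizationServer:
    """The authorization server side: hands out a device_code/user_code pair,
    lets a user approve the user_code on a second device, answers token polls."""

    CODE_LIFETIME = 15 * 60   # seconds; Azure AD's device codes live 15 minutes
    MIN_INTERVAL = 5          # minimum seconds between polls (RFC 8628 default)

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be tested without waiting
        self._pending = {}    # device_code -> grant state

    def device_authorization(self, client_id, scope):
        """POST /devicecode: start a grant for a headless client."""
        now = self._clock()
        device_code = secrets.token_urlsafe(32)      # high entropy, never shown to the user
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))  # e.g. A1B2-C3D4
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": now + self.CODE_LIFETIME, "last_poll": None,
            "approved_by": None, "denied": False,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device",  # placeholder
                "expires_in": self.CODE_LIFETIME, "interval": self.MIN_INTERVAL}

    def _find(self, user_code):
        for st in self._pending.values():
            if st["user_code"] == user_code and self._clock() < st["expires_at"]:
                return st
        return None

    def approve(self, user_code, subject):
        """The human, already signed in (MFA and all) on a second device, types the code."""
        st = self._find(user_code)
        if st is None:
            return False
        st["approved_by"] = subject
        return True

    def deny(self, user_code):
        st = self._find(user_code)
        if st is not None:
            st["denied"] = True
        return st is not None

    def token(self, client_id, device_code):
        """POST /token with grant_type=device_code: what the client polls."""
        st = self._pending.get(device_code)
        if st is None or st["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self._clock()
        if now >= st["expires_at"]:
            del self._pending[device_code]
            return {"error": "expired_token"}
        if st["last_poll"] is not None and now - st["last_poll"] < self.MIN_INTERVAL:
            st["last_poll"] = now
            return {"error": "slow_down"}
        st["last_poll"] = now
        if st["denied"]:
            del self._pending[device_code]
            return {"error": "access_denied"}
        if st["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]   # single use: a redeemed code is gone
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "sub": st["approved_by"], "scope": st["scope"]}


def client_login(server, client_id, scope, on_prompt, sleep=time.sleep):
    """The headless client (an SSH PAM module, say): request codes, show the
    user code, then poll until approved, denied or expired.  on_prompt(user_code)
    is called each round so a test can play the human on the other device."""
    dc = server.device_authorization(client_id, scope)
    print(f"Go to {dc['verification_uri']} and enter code {dc['user_code']}")
    interval = dc["interval"]
    while True:
        on_prompt(dc["user_code"])
        resp = server.token(client_id, dc["device_code"])
        if "access_token" in resp:
            return resp
        if resp["error"] == "slow_down":
            interval += 5          # RFC 8628 section 3.5: back off by 5 seconds
        elif resp["error"] != "authorization_pending":
            return resp            # expired_token, access_denied, invalid_grant
        sleep(interval)
```

Three properties matter for SSH: the device code is the secret and never leaves the server process, the user code is short because a human types it, and a code can be redeemed exactly once and only until it expires, so a leaked prompt is worth little after fifteen minutes.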

There are some solutions in the wild that offer Azure AD authentication, but they don't support MFA-enabled users: they expect you to type your password directly into the SSH prompt and then authenticate with it using the resource owner password credentials grant. That grant sends the plaintext password from the server to Azure AD, cannot satisfy MFA, and means every SSH server you log in to sees your Azure AD password. Because of the password input and the lack of MFA support, I didn't really like those solutions.

Then I discovered the Cyclone project's implementation of PAM authentication. It is built in Python on top of the pam-python project, and I decided to re-use some parts of their code.

Their federation server doesn't support the device code flow directly, so what they do is start a tiny web server on the host, which you then visit from your device to log in; that mimics the device code flow (Azure AD instead has the client poll the token endpoint rather than run a local web server). Because Azure AD supports the flow natively, I could remove most of their code and leave the heavy lifting to ADAL for Python, which requests the user code and polls for the token.
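What the resulting PAM module looks like, as an added example written for this post in the spirit of the approach described above (it is not the author's proof of concept and not the Cyclone code): pam-python hands the module a `pamh` object, ADAL's `acquire_user_code` and `acquire_token_with_device_code` do the protocol work, and the tenant id, client id and UPN domain are assumed to be passed as arguments on the PAM config line. The mapping "Unix account name equals the local part of the UPN" is a choice made for this example; adjust it to your directory.

```python
"""pam-python module that authenticates an SSH login with the Azure AD device
code flow, driven by ADAL for Python.

Example added to this post; it is written in the spirit of the author's PoC
but is not that code.  Assumptions: `pamh` is the object pam-python hands to
the module, ADAL's acquire_user_code / acquire_token_with_device_code are
available, the tenant id, client id and UPN domain are passed as arguments on
the PAM config line, and the Unix account name equals the local part of the
user's UPN (a mapping chosen for this example)."""
import re

# Local account names we are willing to map to a UPN (hypothetical policy).
_USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def expected_upn(unix_user, domain):
    """Map the requested Unix account to the Azure AD UPN that must approve it."""
    if not _USER_RE.match(unix_user):
        return None
    return f"{unix_user}@{domain}".lower()


def identity_matches(unix_user, token_response, domain, tenant_id):
    """The binding check: the account that passed MFA in the browser must be the
    account the SSH client asked for, and it must come from our tenant.  Without
    this, anyone who can sign in to Azure AD could approve the code and land in
    whichever local account they typed at the ssh prompt (root included)."""
    upn = str(token_response.get("userId", "")).lower()
    want = expected_upn(unix_user, domain)
    return (want is not None and upn == want
            and token_response.get("tenantId") == tenant_id)


def pam_sm_authenticate(pamh, flags, argv):
    import adal   # imported here so the helpers above are testable without it
    # pam config line: auth required pam_python.so aad.py <tenant> <client_id> <domain>
    try:
        tenant_id, client_id, domain = argv[1], argv[2], argv[3]
    except IndexError:
        return pamh.PAM_SERVICE_ERR
    try:
        user = pamh.get_user(None)
    except pamh.exception:
        return pamh.PAM_USER_UNKNOWN
    if expected_upn(user, domain) is None:
        return pamh.PAM_AUTH_ERR

    ctx = adal.AuthenticationContext(f"https://login.microsoftonline.com/{tenant_id}")
    resource = "https://graph.windows.net"   # assumed resource to request a token for
    code = ctx.acquire_user_code(resource, client_id)
    # Deliver the "go to ... and enter ..." text as a prompt rather than PAM_TEXT_INFO:
    # OpenSSH batches TEXT_INFO and only sends it with the next prompt, so a bare
    # info message would not reach the user before we start polling.  The reply
    # (the user pressing Enter after signing in) is ignored.
    pamh.conversation(pamh.Message(pamh.PAM_PROMPT_ECHO_OFF,
                                   code["message"] + "\nPress Enter once you have signed in: "))
    try:
        token = ctx.acquire_token_with_device_code(resource, code, client_id)
    except adal.AdalError:
        return pamh.PAM_AUTH_ERR   # denied, expired, or Azure AD unreachable
    if not identity_matches(user, token, domain, tenant_id):
        return pamh.PAM_AUTH_ERR
    return pamh.PAM_SUCCESS


def pam_sm_setcred(pamh, flags, argv):
    return pamh.PAM_SUCCESS
```

Two things to check on the sshd side before relying on this: the prompt only reaches the client through keyboard-interactive authentication, so sshd needs UsePAM and challenge-response (keyboard-interactive) authentication enabled, with PasswordAuthentication off so the module is the only path; and sshd's LoginGraceTime (two minutes by default) must be longer than the time you give users to complete the browser sign-in, or sshd will drop the connection while ADAL is still polling. The `identity_matches` check is the part not to skip: the device code flow proves that some tenant user approved the code, and only the UPN comparison ties that user to the account the SSH client named.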

Support in other apps

A very nice side effect is that the flow also works in applications like WinSCP: sshd relays the PAM conversation to the client as a keyboard-interactive prompt, so any client that supports keyboard-interactive authentication can display the code. Thanks to that, your users can also access files over SFTP.

Next Steps

Since we would like to deploy this solution to our production servers, the next steps are to add support for creating user accounts for incoming Azure AD users (and eventually temporary accounts) and some more advanced RBAC support.

Try it out!

You can find a working proof of concept on our GitHub. Please note that the code is not production ready, but I would welcome any pull requests and improvements.


Author: Jan Hajek

I am Honza, hi. Don't forget to check out my blog at https://hajekj.net as well!
