search for: oidc

Hello, I have an issue with debug logging when using a custom plugin for Dovecot. In my plugin, I create a child event of the session's user event: ```c struct event *plugin_event = event_create(list->ns->user->event); event_set_name(plugin_event, "oidc_shared_mailboxes_plugin"); event_set_min_log_level(plugin_event, LOG_TYPE_WARNING); event_set_append_log_prefix(plugin_event, "oidc-shared-mailboxes-plugin: "); ``` I then use passthrough events like the following: ``` e_debug(event_create_passthrough(data->event)->event(), &...

Practically speaking, most popular IAM and SSO solutions offer OIDC SAML tokens but do not offer Kerberos tickets.? OpenID Connect is a standard which itself is based on RFC6749 (OAuth2). This provides a compelling reason to support it in addition to Kerberos.? I'll also note that OIDC tokens are easy to validate without a bidirectional trust relationship...

I know that there are some methods to use federated identities (e.g. OAuth2) with SSH authentication but, from what I've seen, they largely seem clunky and require users to interact with web browsers to get one time tokens. Which is sort of acceptable for occasional logins but doesn't work with automated/scripted actions. I'm just wondering if anyone has done any work on this or

On Thu, Feb 8, 2024 at 1:18?PM Chris Rapier <rapier at psc.edu> wrote: > > I know that there are some methods to use federated identities (e.g. > OAuth2) with SSH authentication but, from what I've seen, they largely > seem clunky and require users to interact with web browsers to get one > time tokens. Which is sort of acceptable for occasional logins but > doesn't

...query this information? The inventory system tracks hosts rather than users, but I don't see a big problem putting the user-group relationship into LDAP, even if it only writes out a flat file periodically. However, the system which issues the certs needs to be able to do the mapping from OIDC claims to SSH cert principals.? I've just been looking at step-ca and I don't see a way to do that.? I haven't looked at cashier yet, and I only just learned of gsh. Regards, Brian.

On 07/03/23, Darren Tucker (dtucker at dtucker.net) wrote: > On Tue, 7 Mar 2023 at 05:26, Andy Lutomirski <luto at kernel.org> wrote: > [...] > > ssh_config contains a Match ... exec [command to refresh the certificate]. > > This sort of works, except that it runs the command far too frequently. > > For example, ssh -O exit [name] refreshes the certificate, and it

Hello, I am trying to work out the best way to issue SSH certificates in such way that they only allow access to specific usernames *and* only to specific groups of host. As a concrete example: I want Alice to be able to login as "alice" and "www" to machines in group "webserver" (only). Also, I want Bob to be able to login as "bob" and

...limit. I started having this problem with Dovecot version 2.3.2.1. After which I updated to the latest version of Dovecot (2.3.9.2) to see if that would fix my problem. However I'm still experiencing the same issue. For a bit of context; We use Dovecot with Open-Xchange where users login via OIDC, get a token and then use that token with Dovecot with the 'oauthbearer' auth method. However users can also login via a username / password combo stored in LDAP for clients that don't support 'oauthbearer' (ie. about all the mail clients ;-). We run Dovecot on SmartOS (ie. Illu...