State of the commandline

Marcus Hardt

Apr 2026

Authentication Tools

oidc-agent

  • Swiss army knife tool for OIDC on the commandline
  • Runs an “authorization code” or “device code” flow to obtain a Refresh Token (RT)
  • Stores the RT safely (encrypted) on the user's workstation
  • Obtains an Access Token (AT) whenever needed
  • New neat tool: oidc-tokensh --oidc <OP>
    • Makes sure a fresh AT is in ${XDG_RUNTIME_DIR}/bt_u${UID}
  • Only problem: runs on the user's workstation

mytoken

  • “… an oidc-agent in the cloud …” –/– “… a proxy for RTs …”
  • Auth code flow runs on a server (e.g. https://mytok.eu)
  • Returns a mytoken token (MT), which
    • is the cryptographic key for the RT stored on the server
    • is a JWT that contains Capabilities and Restrictions (JSON lists)
  • This allows:
    • Sending the MT along with a job
    • Restricting when and where the MT may be used, e.g.
      • Only at job-start and job-end time
      • Only from a list of countries
    • Capabilities enable mytoken-specific features
      • Manage mytokens
      • Create subtokens
      • Modify token settings
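A worked example of what a restricted mytoken looks like and how its restrictions are evaluated for the "job-start and job-end time" and "list of countries" cases above. This is added illustration code, not mytoken's own implementation: the clause field names (`nbf`, `exp`, `geoip_allow`, `geoip_disallow`), the capability name `AT`, and the rule that a restriction list is satisfied when any one clause matches are assumptions about the mytoken format, and the sample token is constructed and unsigned (the mytoken server is what verifies signatures; this is a client-side pre-check a batch system could run before submission).

```python
import base64
import json
from typing import Dict, List


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwt_payload(token: str) -> Dict:
    """Return the JSON payload of a compact JWT (header.payload.signature).

    No signature verification here: the mytoken server checks the signature
    when the MT is presented; this is only a local pre-check of the claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def unsigned_jwt(payload: Dict) -> str:
    """Build an alg=none token. Used only to construct the sample below."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(payload).encode())}."


def clause_allows(clause: Dict, now: int, country: str) -> bool:
    """One restriction clause: a time window plus a country allow/deny list.
    Field names are assumptions, see lead-in."""
    if "nbf" in clause and now < clause["nbf"]:
        return False
    if "exp" in clause and now >= clause["exp"]:
        return False
    allow: List[str] = clause.get("geoip_allow")
    if allow is not None and country not in allow:
        return False
    deny: List[str] = clause.get("geoip_disallow")
    if deny is not None and country in deny:
        return False
    return True


def mytoken_usable(token: str, now: int, country: str) -> bool:
    """An MT without restrictions is unrestricted; otherwise at least one
    clause of the restrictions list has to match (assumed semantics)."""
    clauses = jwt_payload(token).get("restrictions") or []
    if not clauses:
        return True
    return any(clause_allows(c, now, country) for c in clauses)


# Constructed sample: a 6 h job, MT usable only around job start and job end,
# and only from Germany.
JOB_START = 1_800_000_000
JOB_END = JOB_START + 6 * 3600
SAMPLE_MT = unsigned_jwt({
    "iss": "https://mytok.eu",          # assumption: issuer URL as on the slide
    "sub": "constructed-user",
    "capabilities": ["AT"],             # assumption: "obtain an AT" capability
    "restrictions": [
        {"nbf": JOB_START - 300, "exp": JOB_START + 600, "geoip_allow": ["DE"]},
        {"nbf": JOB_END - 600, "exp": JOB_END + 600, "geoip_allow": ["DE"]},
    ],
})

if __name__ == "__main__":
    print(json.dumps(jwt_payload(SAMPLE_MT), indent=2))
    print("at job start, DE:", mytoken_usable(SAMPLE_MT, JOB_START + 60, "DE"))
    print("mid-job, DE:     ", mytoken_usable(SAMPLE_MT, JOB_START + 3600, "DE"))
    print("at job end, FR:  ", mytoken_usable(SAMPLE_MT, JOB_END, "FR"))
```

Because the restriction travels inside the MT itself, a node that leaks the MT mid-job gains nothing: outside the two windows, or from another country, the server will refuse to hand out an AT.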

Integration Tools

motley-cue

A weird daemon doing all kinds of things behind the scenes

  • Verifies the AT
  • Understands authorisation
    • Multi-OP, entitlements, assurance
  • Maps the federated ID to local Unix
    • Usernames (several options)
    • Group names (even more options)
  • Provisions the user (several backends: ldap, boinsai-ldap, rest, local_unix)
    • Reports the provisioned username
  • Admin interface for security incidents (e.g. central suspension)
  • One-Time Password support (workaround for the OpenSSH 1 kB password limit, which ATs can exceed)
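A worked example of the authorisation step (multi-OP, entitlements, assurance), added here as illustration and not motley-cue's own code: AARC-G002 style entitlements from the token are parsed and matched against a per-issuer policy. The policy keys (`authorised_vos`, `authorised_users`, `required_assurance`) are this example's own names, loosely modelled on a motley-cue configuration; the claims and policy are constructed sample data, and treating membership in a subgroup as membership in the VO is the example's assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# AARC-G002 entitlement: <NAMESPACE>:group:<GROUP>[:<SUBGROUP>...][:role=<ROLE>]#<AUTHORITY>
_ENT_RE = re.compile(
    r"^(?P<ns>.+?):group:(?P<path>[^#]+?)(?::role=(?P<role>[^#:]+))?(?:#(?P<auth>.+))?$"
)


@dataclass(frozen=True)
class Entitlement:
    namespace: str
    groups: Tuple[str, ...]
    role: Optional[str]
    authority: Optional[str]


def parse_entitlement(value: str) -> Optional[Entitlement]:
    m = _ENT_RE.match(value)
    if not m:
        return None
    return Entitlement(m["ns"], tuple(m["path"].split(":")), m["role"], m["auth"])


def entitlement_satisfies(have: Entitlement, want: Entitlement) -> bool:
    """`have` grants `want` if namespace and authority agree, the group path of
    `have` is the wanted group or a subgroup of it (assumption of this example),
    and the role matches when one is demanded."""
    if have.namespace != want.namespace:
        return False
    if want.authority and have.authority != want.authority:
        return False
    if have.groups[:len(want.groups)] != want.groups:
        return False
    if want.role and have.role != want.role:
        return False
    return True


def authorise(claims: Dict, policy: Dict) -> Tuple[bool, str]:
    """Decide whether the OP ('iss') is trusted and the user is in an authorised
    VO (or explicitly listed), with an optional minimum assurance."""
    op = policy.get(claims.get("iss"))
    if op is None:
        return False, "issuer not configured"
    needed = op.get("required_assurance")
    if needed and needed not in claims.get("eduperson_assurance", []):
        return False, "assurance too low"
    raw = claims.get("eduperson_entitlement", [])
    if isinstance(raw, str):           # some OPs send a single string, not a list
        raw = [raw]
    mine: List[Entitlement] = [e for e in map(parse_entitlement, raw) if e]
    for vo in op.get("authorised_vos", []):
        want = parse_entitlement(vo)
        if want and any(entitlement_satisfies(e, want) for e in mine):
            return True, f"member of {vo}"
    if claims.get("sub") in op.get("authorised_users", []):
        return True, "explicitly listed user"
    return False, "no matching VO or user"


# Constructed sample policy and claims (example.org names, not real deployments).
SAMPLE_POLICY = {
    "https://op.example.org": {
        "authorised_vos": ["urn:geant:example.org:group:MyVO#idp.example.org"],
        "authorised_users": ["sub-of-bob"],
        "required_assurance": "https://refeds.org/assurance/IAP/medium",
    }
}
SAMPLE_CLAIMS = {
    "iss": "https://op.example.org",
    "sub": "sub-of-alice",
    "eduperson_entitlement": [
        "urn:geant:example.org:group:MyVO:compute:role=member#idp.example.org"
    ],
    "eduperson_assurance": ["https://refeds.org/assurance/IAP/medium"],
}

if __name__ == "__main__":
    print(authorise(SAMPLE_CLAIMS, SAMPLE_POLICY))
    print(authorise({**SAMPLE_CLAIMS, "iss": "https://evil.example.net"}, SAMPLE_POLICY))
```

The issuer check comes first on purpose: an entitlement string is only meaningful relative to the OP that asserted it, so a token from an unknown issuer is rejected before any of its claims are interpreted.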


oinit

The new kid on the block

  • Originally: “think kinit”
  • Integration with ssh-certificates
  • Four tools:
    • oinit-ca: an online-ca for ssh-certificates
      • Contacts motley-cue for username + provisioning
    • oinit-switch: ssh-serverside for automatic username
    • oinit-shell: ssh-serverside for added security
    • oinit: client side tool for automated ssh-certificate handling
  • How oinit finds tokens:
    • env $BEARER_TOKEN
    • file ${XDG_RUNTIME_DIR}/bt_u${UID}
    • file /tmp/bt_u${UID}
    • socket oidc-agent
    • prompt user
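The token search order above, together with the `${XDG_RUNTIME_DIR}/bt_u${UID}` file that oidc-tokensh keeps fresh (oidc-agent slide), as a worked example. This is added illustration code, not oinit's or oidc-agent's implementation: the `agent_lookup` and `prompt` callables stand in for the oidc-agent socket query and the interactive prompt, the `tmp_dir` parameter exists only so the `/tmp` step can be exercised offline, and the ownership/0600 check on the token file is an added precaution the slide does not mention.

```python
import os
import stat
import tempfile
from typing import Callable, Dict, Optional, Tuple


def _read_token_file(path: str, uid: int) -> Optional[str]:
    """Read a bearer token from `path`.

    Added safety check (not on the slide): the file must be owned by `uid` and
    must not be group/other accessible, otherwise a token planted by another
    local user in a shared /tmp would be picked up silently.
    """
    try:
        st = os.stat(path)
    except OSError:
        return None
    if st.st_uid != uid or st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return None
    with open(path, encoding="utf-8") as fh:
        token = fh.read().strip()
    return token or None


def discover_bearer_token(
    env: Dict[str, str],
    uid: int,
    agent_lookup: Optional[Callable[[], Optional[str]]] = None,
    prompt: Optional[Callable[[], Optional[str]]] = None,
    tmp_dir: str = "/tmp",
) -> Tuple[Optional[str], str]:
    """Walk the search order from the slide and return (token, source)."""
    token = env.get("BEARER_TOKEN", "").strip()          # 1. env $BEARER_TOKEN
    if token:
        return token, "env"
    xdg = env.get("XDG_RUNTIME_DIR")                     # 2. ${XDG_RUNTIME_DIR}/bt_u${UID}
    if xdg:
        token = _read_token_file(os.path.join(xdg, f"bt_u{uid}"), uid)
        if token:
            return token, "xdg_runtime_dir"
    token = _read_token_file(os.path.join(tmp_dir, f"bt_u{uid}"), uid)  # 3. /tmp/bt_u${UID}
    if token:
        return token, "tmp"
    if agent_lookup is not None:                         # 4. oidc-agent socket
        token = agent_lookup()
        if token:
            return token, "oidc-agent"
    if prompt is not None:                               # 5. ask the user
        token = prompt()
        if token:
            return token, "prompt"
    return None, "none"


def demo() -> Dict[str, Tuple[Optional[str], str]]:
    """Exercise the search order with constructed tokens in temp directories."""
    uid = os.getuid()
    results: Dict[str, Tuple[Optional[str], str]] = {}
    with tempfile.TemporaryDirectory() as xdg, tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(xdg, f"bt_u{uid}")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("eyJ.constructed-file-token.sig\n")
        os.chmod(path, 0o600)
        agent = lambda: "eyJ.constructed-agent-token.sig"
        ask = lambda: "eyJ.constructed-typed-token.sig"
        base = {"XDG_RUNTIME_DIR": xdg}
        results["env_wins"] = discover_bearer_token(
            {**base, "BEARER_TOKEN": "eyJ.constructed-env-token.sig"}, uid, agent, ask, tmp)
        results["file_ok"] = discover_bearer_token(base, uid, agent, ask, tmp)
        os.chmod(path, 0o644)       # now group/other readable: must be skipped
        results["file_too_open"] = discover_bearer_token(base, uid, agent, ask, tmp)
        results["agent_missing"] = discover_bearer_token(base, uid, lambda: None, ask, tmp)
        results["nothing"] = discover_bearer_token({}, uid, None, None, tmp)
    return results


if __name__ == "__main__":
    for name, (token, source) in demo().items():
        print(f"{name:15s} -> {source:16s} {token}")
```

The order matters for security as well as convenience: an explicit `$BEARER_TOKEN` or the per-user runtime directory is preferred over world-shared `/tmp`, and only if no token is lying around does the tool fall back to the agent and finally to the user.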

Usage is trivial:
1. Tell ssh that the host is under oinit control:
    oinit add <ssh-server-fqdn> [<ssh-ca url>]
   ~/.ssh/config entry:
    Match exec "oinit match %h %p"
        User oinit
        IdentityFile ~/.ssh/oinit_%h_%p
        CertificateFile ~/.ssh/oinit_%h_%p-cert.pub
2. Run ssh:
    ssh <ssh-server-fqdn>
Example session:
marcus@hank:~$ ssh ssh-oidc-web.data.kit.edu
[1] https://aai-dev.egi.eu/auth/realms/egi (Accounts: egi-dev)
[2] https://aai.egi.eu/auth/realms/egi (Accounts: egi, egi-checkin, egi2)
[3] https://accounts.google.com (Accounts: google, google2, google3)
[4] https://auth.didmos.nfdi-aai.de (Accounts: didmos)
[5] https://fels.scc.kit.edu/oidc/realms/fels (Accounts: delme-kit?)
[6] https://iam.deep-hybrid-datacloud.eu
[7] https://infraproxy.nfdi-aai.dfn.de
[8] https://keycloak.sso.gwdg.de/auth/realms/academiccloud (Accounts: academic-id)
[9] https://login-dev.helmholtz.de/oauth2 (Accounts: helmholtz-dev)
[10] https://login.aai.lifescience-ri.eu/oidc
[11] https://login.helmholtz.de/oauth2
[12] https://oidc.scc.kit.edu/auth/realms/kit (Accounts: kit, kit-delme)
[13] https://proxy.eduteams.org (Accounts: eduteams)
[14] https://proxy.myaccessid.org
[15] https://wlcg.cloud.cnaf.infn.it
? Please select a provider to use [1-15]: 2
X11 forwarding request failed on channel 0
mhardt@ssh-oidc-web:~$

webssh

For those who don't want to install software

  • Simple web page + OIDC login (auth code flow) to get an AT
  • Uses the AT to contact
    • motley-cue (supported OPs)
    • oinit-ca (get ssh-certificate)
    • ssh (for shell)
  • Demonstrator available here:
  • Provides commandline and certificates for download, too

ALISE

Account linking in wonderland

  • Tool to link a local site account with a federated identity
    • Addresses typical HPC site policy problems in a practical way
  • Linkage information available via a REST interface
  • Planned work:
    • Make motley-cue look up ALISE usernames
  • Early adopters:
    • dCache
    • teapot