SSH access for web-based federated logins: New DeiC software

DeiC and WAYF have developed a simple yet powerful software tool that connects web-based federated login with SSH access to research infrastructure.

The software serves as a bridge between two worlds: the web-based authentication that researchers already use through their university login via the federation, and the command-line access through SSH that is common for, for example, HPC systems. This extends the reach of federations beyond web-based services to also include SSH-based resources. As a result, participating in federations such as WAYF becomes even more valuable, since researchers can use their existing identity to access both web- and command-line-based research resources.

When a researcher signs in through their institution’s federated login, the tool issues an SSH certificate based on that authentication. The certificate can then be used to securely access systems that accept SSH certificates. It can include user information from the institutional login to support authorisation decisions on the target server.

Two of the major advantages of this approach are security and scalability. SSH certificates issued through web-based login come with a built-in expiration date, and access can only be renewed if the user still has a valid institutional login and is authorised to use the resource. This eliminates the problem of “stale” public SSH keys that could otherwise provide access to former users after their rights have been revoked. At the same time, resource owners no longer have to manage large collections of public keys on their servers, which makes administration far more efficient.

The key requirement is that the SSH server being accessed is configured to allow authentication only via SSH certificates — and that it trusts the Certificate Authority (CA) implemented by the DeiC software. A single server can easily trust multiple CAs, providing flexibility in collaborative environments. Setting up the SSH server is straightforward. On the user’s side, only a standard SSH client is needed — no special client software. Certificate functionality has been part of standard SSH implementations for many years, so there is no need for customised SSH servers or clients.

The result is a user-friendly, secure, and scalable solution that allows existing web-based identity management to be used directly for SSH access — without separate keys or manual certificate handling.

The software runs both a web service, which accepts logins from federated organisations (for example via WAYF), and an SSH server that the user connects to from the terminal using a command provided in the browser. When the user runs that command, an SSH certificate matching her local private key is downloaded.
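As an added illustration of the issuance flow just described and of the server requirement stated earlier (this is example code, not the DeiC/WAYF tool's own source), the script below plays the issuing side with a throwaway CA, signs an ordinary user key with a short validity and a federated principal, and prints the sshd_config fragment a target host needs; the CA path, the principals directory and the identity alice@example.org are assumptions.

```shell
# Added example, not the DeiC/WAYF tool's own code: it mimics what the web
# service does after a federated login (sign the user's existing public key
# with a CA, short validity, principal taken from the login) and prints the
# sshd_config lines a target server needs. All names and paths are constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# CA key pair that stays with the web service, never on the target host.
make_ca() { ssh-keygen -q -t ed25519 -N '' -C demo-user-ca -f "$WORK/user_ca"; }

# The researcher's ordinary key pair; a stock ssh client already has one.
make_user_key() { ssh-keygen -q -t ed25519 -N '' -f "$WORK/id_ed25519"; }

# Sign the public key: the Key ID records the federated identity (for logs),
# the principal is what the server authorises on, and the validity window is
# short so access lapses unless the user logs in again and gets a new cert.
#   $1 = key id   $2 = principal (e.g. an eduPersonPrincipalName)   $3 = validity
issue_cert() {
  ssh-keygen -q -s "$WORK/user_ca" -I "$1" -n "$2" -V "$3" "$WORK/id_ed25519.pub"
}

# What the server will check: type, signing CA, Key ID, validity, principals.
cert_info() { ssh-keygen -L -f "$WORK/id_ed25519-cert.pub"; }

# Per-user principals file: local account $1 accepts federated principal $2.
write_principals() { mkdir -p "$WORK/auth_principals"; printf '%s\n' "$2" >"$WORK/auth_principals/$1"; }

# Server side: trust the CA, map accounts to principals, and switch off every
# other way in, so only a current CA-signed certificate is accepted.
sshd_fragment() {
  cat <<'EOF'
TrustedUserCAKeys /etc/ssh/user_ca.pub
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
AuthorizedKeysFile none
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
EOF
}

# Demo run: a ten-minute certificate for a constructed identity.
demo() {
  make_ca && make_user_key && write_principals alice alice@example.org
  issue_cert wayf:alice@example.org alice@example.org +10m
  cert_info && sshd_fragment
}
command -v ssh-keygen >/dev/null 2>&1 && demo
```

It needs only the ssh-keygen that ships with OpenSSH; the "Valid: from ... to ..." line in the output is the built-in expiry the article refers to, and `AuthorizedKeysFile none` is what removes the per-server collections of public keys.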

The source code is freely available on GitHub — where you can also find more details on how the software works and how to install it. Also feel free to contact the WAYF Secretariat for assistance if you need it.