Master Portal sshkey endpoint
The MasterPortal server has an extra OIDC-protected endpoint, /sshkey, which provides an API for storing SSH public keys on the MasterPortal. These SSH public keys can be used to obtain proxy certificates from the MasterPortal, provided a long-lived proxy certificate is present. This wiki page describes the Master Portal API for managing the SSH keys. See also Instructions for VO Portal developers for information on how to register a client.
Additionally, the MasterPortal has a (non-OIDC-protected) endpoint, /sshkeylisting, for retrieving a flat list of username / publickey pairs. This latter endpoint is typically only accessible from certain hosts and is intended for use by the ‘SSH host’ to build up its AuthorizedKeysCommand.
For a demo client, see the AARC Pilot - SSH Key Portal. This client can be used by end-users as a self-service portal.
A valid request consists of the following parameters:

| Parameter | Description |
|---|---|
| access_token | OIDC access_token, used for obtaining the username; mandatory for any request. |
| client_id | Mandatory for actions add and update. When specified it needs to match the client the access_token belongs to. |
| client_secret | Mandatory for actions add and update, together with client_id. |
| action | Specifies what to do; valid values are given below. Mandatory for any request. |
| label | Indicates the label for the specific public key, used for identifying it. |
| description | A user can optionally add a description for the public key. |
| pubkey | The actual SSH public key. |
Valid actions are the following:

| Action | Description | Parameters other than access_token |
|---|---|---|
| add | Add a new key | Mandatory: client_id, client_secret, pubkey. Optional: label, description |
| update | Update existing key | Mandatory: client_id, client_secret, label. Optional: description, pubkey |
| remove | Remove existing key | Mandatory: label |
| get | Retrieve specific key | Mandatory: label |
| list | Retrieve list of all keys for user | - |
The actions get and list return a JSON formatted list of key(s) to the user. The other actions do not return user output.
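The parameter matrix above is easy to get wrong on the client side (for example sending an add without client_secret, or a remove with a pubkey). The following added example, which is not MasterPortal code, encodes the mandatory/optional parameters per action from the tables and builds the request parameters, rejecting malformed requests before anything is sent. The page does not state whether /sshkey expects GET or POST, so the block stops at the parameter dictionary; the OpenSSH public-key sanity check and the SAMPLE_PUBKEY value (all-zero key material) are constructed for illustration.

```python
"""Client-side request builder for the MasterPortal /sshkey API.

Added example, not part of the MasterPortal code. Every request carries
access_token and action; the remaining parameters depend on the action as
given in the action table. The HTTP method is not specified on the wiki page,
so this only produces the parameter dictionary.
"""
import base64
import binascii
from typing import Dict, Set, Tuple

# action -> (mandatory parameters, optional parameters), besides access_token and action
ACTIONS: Dict[str, Tuple[Set[str], Set[str]]] = {
    "add":    ({"client_id", "client_secret", "pubkey"}, {"label", "description"}),
    "update": ({"client_id", "client_secret", "label"}, {"description", "pubkey"}),
    "remove": ({"label"}, set()),
    "get":    ({"label"}, set()),
    "list":   (set(), set()),
}

# Key types accepted by the sanity check below (an assumption of this example,
# the page does not list which types the server accepts).
SSH_KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
)

# Constructed sample: a syntactically valid ed25519 line whose key material is all zeros.
SAMPLE_PUBKEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI" + "A" * 43 + " constructed@example"


def looks_like_pubkey(pubkey: str) -> bool:
    """Cheap structural check for an OpenSSH public key line: '<type> <base64> [comment]'."""
    parts = pubkey.strip().split()
    if len(parts) < 2 or parts[0] not in SSH_KEY_TYPES:
        return False
    try:
        base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def missing_parameters(action: str, params: Dict[str, str]) -> Set[str]:
    """Mandatory parameters of `action` that are absent from `params`."""
    mandatory, _ = ACTIONS[action]
    return mandatory - set(params)


def unexpected_parameters(action: str, params: Dict[str, str]) -> Set[str]:
    """Parameters in `params` that `action` neither requires nor accepts."""
    mandatory, optional = ACTIONS[action]
    return set(params) - mandatory - optional


def build_sshkey_request(action: str, access_token: str, **params: str) -> Dict[str, str]:
    """Validate `params` against the action table and return the full request parameters."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}; valid: {sorted(ACTIONS)}")
    missing = missing_parameters(action, params)
    if missing:
        raise ValueError(f"{action}: missing mandatory parameter(s) {sorted(missing)}")
    unexpected = unexpected_parameters(action, params)
    if unexpected:
        raise ValueError(f"{action}: unexpected parameter(s) {sorted(unexpected)}")
    if "pubkey" in params and not looks_like_pubkey(params["pubkey"]):
        raise ValueError("pubkey does not look like an OpenSSH public key line")
    request = {"access_token": access_token, "action": action}
    request.update(params)
    return request


if __name__ == "__main__":
    # Constructed token and client credentials, for demonstration only.
    req = build_sshkey_request("add", "ACCESS_TOKEN_PLACEHOLDER",
                               client_id="CLIENT_ID_PLACEHOLDER",
                               client_secret="CLIENT_SECRET_PLACEHOLDER",
                               pubkey=SAMPLE_PUBKEY, label="laptop")
    print(sorted(req))
```

Because the access_token identifies the user, the builder never takes a username: the server derives it from the token, as the parameter table states.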
- A key is identified by the pair username / label, where the username is obtained from the provided access_token. When a key is added without specifying a label, a unique one is created using the prefix ssh-key- followed by a unique sequence number.
- A given public key must be unique across all users, i.e. it may occur only once in the ssh_keys table of the oa2server database.
- Each user may have at most 5 public keys registered; the maximum is configurable in the server config file (/var/www/server/conf/cfg.xml) via `<sshkeys max="5"/>`.