
Agent Forwarding

When using ssh to connect to a remote server, you may also need to receive access tokens from the local agent. This is possible by forwarding the UNIX domain socket used for communicating with the agent.

This needs both a client-side and a server-side configuration; both can be done by a local user.

Client

This can be done using the -R option of ssh (e.g. with ssh -R /tmp/oidc-forward:$OIDC_SOCK user@host). Defining an alias makes this easier to use. Example:

alias ssh-oidc='ssh -R /tmp/oidc-forward-$RANDOM:$OIDC_SOCK'
ssh-oidc user@host

For convenience, put the alias line into your .profile, .zshrc, or .bash_aliases file.

Note that you could also override the actual ssh command with an alias. While this works, it will always create a socket file on the remote host, which the remote system administrator could use to access your tokens. Use it wisely.

Server

On the server, you have to set the OIDC_SOCK environment variable to the remote socket path you passed to -R (e.g. export OIDC_SOCK=/tmp/oidc-forward).

We recommend the following configuration. Put the following in your .profile, .zshrc, or .bash_profile on the server:

# Only set OIDC_SOCK if it is not already set; pick the most recently
# created forwarded socket (the -$RANDOM suffix makes each forward unique).
test -z "$OIDC_SOCK" && {
    export OIDC_SOCK=$(/bin/ls -rt /tmp/oidc-forward-* 2>/dev/null | tail -n 1)
}
# Allows forwarding the socket one hop further from this server.
alias ssh-oidc='ssh -R /tmp/oidc-forward-$RANDOM:$OIDC_SOCK'

Add this to your .zlogout or .bash_logout on the server, so the forwarded socket file is removed when you log out:

# Quoting matters: with an empty OIDC_SOCK, an unquoted test would succeed
# and run rm -f with no path.
if [ -n "$OIDC_SOCK" ] && [ -e "$OIDC_SOCK" ]; then
    rm -f "$OIDC_SOCK"
fi
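The server-side steps above (find the forwarded socket, export OIDC_SOCK, clean up on logout) as hardened shell helpers. This is an added example, not code shipped with oidc-agent; the directory variable OIDC_FORWARD_DIR, the function names and the use of the `-nt` test (supported by dash, bash and zsh) are assumptions, and the cleanup refuses to delete anything that is not a forwarded socket, so a locally running agent's socket on the server is never removed.

```shell
#!/bin/sh
# Added example (not part of oidc-agent). OIDC_FORWARD_DIR is an assumption;
# the oidc-forward-* pattern matches the /tmp/oidc-forward-$RANDOM naming above.
OIDC_FORWARD_DIR="${OIDC_FORWARD_DIR:-/tmp}"

# Print the most recently modified oidc-forward-* entry in OIDC_FORWARD_DIR.
# Returns 1 and prints nothing when no forwarded socket exists, so callers
# can leave OIDC_SOCK untouched instead of exporting an empty value.
oidc_forward_newest() {
    newest=""
    for f in "$OIDC_FORWARD_DIR"/oidc-forward-*; do
        [ -e "$f" ] || continue            # glob matched nothing
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest="$f"
        fi
    done
    [ -n "$newest" ] || return 1
    printf '%s\n' "$newest"
}

# Export OIDC_SOCK only when it is unset and a forwarded socket is present.
oidc_forward_activate() {
    [ -n "$OIDC_SOCK" ] && return 0
    sock=$(oidc_forward_newest) || return 1
    export OIDC_SOCK="$sock"
}

# Logout hook: remove the socket only if the path is a forwarded one.
# A plain `rm -f $OIDC_SOCK` would also delete the socket of an oidc-agent
# running locally on the server if OIDC_SOCK happened to point at it.
oidc_forward_cleanup() {
    case "$1" in
        "$OIDC_FORWARD_DIR"/oidc-forward-*) ;;
        *) return 1 ;;
    esac
    [ -e "$1" ] && rm -f "$1"
    return 0
}
```

Source the file from .profile and call oidc_forward_activate there; call oidc_forward_cleanup "$OIDC_SOCK" from .bash_logout or .zlogout.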

Last updated 3 years ago