SSH Access
==========

.. warning::

   **The only authentication token supported for accessing user accounts on login.discoverer.bg is a pre-registered OpenSSH public key (no password-based login is available).**

Discoverer's user directory, containing all POSIX users and groups, is based on multiple installations of `389 Directory Server`_, all acting together as a single `LDAP`_ directory, synchronizing and sharing the same content by means of the `N-way multi-master replication protocol`_.

Each user account is stored in that LDAP directory as an LDAP object with a unique distinguished name (DN). The unique username, along with a copy of the pre-registered OpenSSH public key (as well as some additional information about the user), are attributes of that DN.

The `OpenSSH`_ server, running on login.discoverer.bg, interacts with the local `SSSD`_ service and a specially designed wrapper program to verify the presence of the user in the LDAP directory and to prove the authenticity of the OpenSSH private key used for the authentication (the key provided to the SSH client program by the user).

That type of authentication protocol is considered very secure and surpasses traditional password-based SSH authentication. Note that OpenSSH key authentication is two-way: the second component protecting the authentication process is the password that protects the private SSH key on the user's device.

The OpenSSH client program can interact with most of the `OpenSC`_-compatible `PKCS#11`_ hardware tokens, which in turn means that the users of Discoverer HPC can additionally protect their private SSH keys by storing them in the protected memory of hardware tokens, like `HSM smartcards`_.

.. toctree::
   :maxdepth: 1
   :caption: Contents:

   ssh_install_client
   ssh_key_generation
   ssh_key_exchange
   ssh_caching_openssh_key
   ssh_logging_in
   ssh_logging_in_bg_acad
   ssh_convert_putty_key_into_openssh_key
   ssh_convert_openssh_key_into_putty
   ssh_key_fingeprint

.. _`389 Directory Server`: https://directory.fedoraproject.org/
.. _`LDAP`: https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol
.. _`N-way multi-master replication protocol`: https://access.redhat.com/solutions/273533
.. _`OpenSSH`: https://www.openssh.com/
.. _`SSSD`: https://sssd.io/
.. _`HSM smartcards`: https://www.cardcontact.de/
.. _`OpenSC`: https://github.com/OpenSC/OpenSC/wiki
.. _`PKCS#11`: https://en.wikipedia.org/wiki/PKCS_11
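
As an added illustration (not Discoverer's own code and not its wrapper program): one way to check that a local OpenSSH public key is the same key as a copy held as a directory attribute, by comparing SHA256 fingerprints in the format printed by ``ssh-keygen -l``. The helper names are hypothetical and the sample keys are constructed filler bytes, not real keys.

```python
import base64
import hashlib
import struct

def parse_pubkey(line):
    """Split an authorized_keys-style line into (type, blob); reject malformed keys."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)  # raises a ValueError subclass on bad input
    if len(blob) < 4:
        raise ValueError("blob too short")
    # The blob begins with a length-prefixed copy of the algorithm name (RFC 4253).
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("declared key type does not match blob")
    return key_type, blob

def fingerprint(blob):
    """SHA256 fingerprint: unpadded base64 of the digest of the raw key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def directory_has_key(directory_lines, local_line):
    """True if the local public key matches one of the keys held in the directory."""
    wanted = fingerprint(parse_pubkey(local_line)[1])
    for line in directory_lines:
        try:
            if fingerprint(parse_pubkey(line)[1]) == wanted:
                return True
        except ValueError:
            continue  # skip malformed directory values instead of trusting them
    return False

def make_sample_key(seed, comment):
    """Constructed sample: an ssh-ed25519 blob with filler bytes, not a real key."""
    name = b"ssh-ed25519"
    raw = bytes((seed + i) % 256 for i in range(32))
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw)) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment

REGISTERED = [make_sample_key(1, "user@laptop")]   # constructed: keys the directory returns
LOCAL_OK = make_sample_key(1, "renamed-comment")    # same key, different comment
LOCAL_OTHER = make_sample_key(2, "user@laptop")     # different key, same comment

if __name__ == "__main__":
    print(fingerprint(parse_pubkey(LOCAL_OK)[1]))
    print(directory_has_key(REGISTERED, LOCAL_OK), directory_has_key(REGISTERED, LOCAL_OTHER))
```

The comment field plays no part in the match: only the key blob is hashed, so a renamed comment still matches while a different key with the same comment does not.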