SSH Access

Warning

The only authentication token supported for accessing user accounts on login.discoverer.bg is a pre-registered OpenSSH public key (no password-based login is available).

Discoverer’s user directory, which holds all POSIX users and groups, is built on several installations of 389 Directory Server that act together as a single LDAP directory, keeping their content synchronized by means of N-way multi-master replication. Each user account is stored in that LDAP directory as an LDAP object with a unique distinguished name (DN). The unique username, a copy of the pre-registered OpenSSH public key, and some additional information about the user are attributes of that DN.

The OpenSSH server running on login.discoverer.bg interacts with the local SSSD service and a specially designed wrapper program to verify that the user is present in the LDAP directory and to prove that the OpenSSH private key used for the authentication (the key the user supplies to the SSH client program) matches the registered public key. This authentication method is considered very secure and surpasses traditional password-based SSH authentication. Note that OpenSSH key authentication also provides a second layer of protection: the password (passphrase) that protects the private SSH key on the user’s device.
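Because the public key stored in the LDAP entry is what sshd ultimately trusts, it is worth checking a submitted key line before it is written into the directory. The script below is an added example, not part of the Discoverer documentation or its registration tooling: it parses the OpenSSH public key line, decodes the blob, confirms that the type embedded in the blob matches the declared type, and enforces an assumed policy (Ed25519, ECDSA or RSA of at least 3072 bits). The sample keys at the bottom are constructed for the demonstration and are not real user keys.

```shell
#!/bin/sh
# Added example, not part of the Discoverer documentation or its tooling:
# sanity-check an OpenSSH public key line before it is stored as an
# attribute of the user's LDAP entry, so that only well-formed keys of
# accepted types reach the directory that sshd and SSSD consult at login.

# Decode the base64 key blob into one line of lowercase hex.
blob_to_hex() {
    printf '%s' "$1" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Substring of $1 starting at 0-based hex offset $2, $3 characters long.
hex_sub() {
    printf '%s' "$1" | cut -c "$(($2 + 1))-$(($2 + $3))"
}

# Big-endian uint32 at hex offset $2 of $1 (the SSH "string" length prefix).
read_u32() {
    echo $((0x$(hex_sub "$1" "$2" 8)))
}

# Turn a hex string into the ASCII it encodes (octal escapes, POSIX printf).
hex_to_ascii() {
    rest=$1
    while [ -n "$rest" ]; do
        pair=$(printf '%s' "$rest" | cut -c 1-2)
        printf "\\$(printf '%03o' "$((0x$pair))")"
        rest=$(printf '%s' "$rest" | cut -c 3-)
    done
}

# validate_pubkey "<type> <base64-blob> [comment]"
# Prints "<type> <bits>" and returns 0 when the key is acceptable; otherwise
# prints the reason on stderr and returns 1.
validate_pubkey() {
    ktype=${1%% *}
    rest=${1#* }
    blob=${rest%% *}
    case "$ktype" in
        ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|ssh-rsa) ;;
        *) echo "rejected: key type '$ktype' is not accepted" >&2; return 1 ;;
    esac
    hex=$(blob_to_hex "$blob")
    if [ ${#hex} -lt 8 ]; then
        echo "rejected: key blob is not valid base64" >&2; return 1
    fi
    # Wire format (RFC 4253 section 6.6): string <type>, then type-specific fields.
    len=$(read_u32 "$hex" 0)
    inner=$(hex_to_ascii "$(hex_sub "$hex" 8 $((len * 2)))")
    if [ "$inner" != "$ktype" ]; then
        echo "rejected: blob encodes '$inner' but the line claims '$ktype'" >&2; return 1
    fi
    off=$((8 + len * 2))
    case "$ktype" in
        ssh-rsa)
            # mpint e, then mpint n; the modulus length gives the key size.
            len=$(read_u32 "$hex" "$off"); off=$((off + 8 + len * 2))
            len=$(read_u32 "$hex" "$off"); off=$((off + 8))
            bits=$((len * 8))
            # A leading 0x00 byte only keeps the mpint positive; it is not key material.
            [ "$(hex_sub "$hex" "$off" 2)" = "00" ] && bits=$((bits - 8))
            if [ "$bits" -lt 3072 ]; then
                echo "rejected: RSA modulus of $bits bits is below the 3072-bit minimum" >&2; return 1
            fi ;;
        ssh-ed25519) bits=256 ;;
        *) bits=${ktype#ecdsa-sha2-nistp} ;;
    esac
    echo "$ktype $bits"
}

# Constructed sample keys (not real user keys): an all-zero Ed25519 key,
# a line whose declared type does not match its blob, and a 64-bit RSA key.
GOOD_ED25519='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA user@example'
MISMATCH='ssh-rsa AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
TINY_RSA='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAACQD//////////w== tiny'

for key in "$GOOD_ED25519" "$MISMATCH" "$TINY_RSA"; do
    if result=$(validate_pubkey "$key"); then
        echo "accepted: $result"
    fi
done
```

The check is deliberately independent of `ssh-keygen`, so it can run on the host that feeds the directory even where OpenSSH client tools are not installed; the type-mismatch test matters because sshd parses the blob, not the leading word, so a mislabelled line would silently register a key of a type the policy did not intend to allow.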

The OpenSSH client program can interact with most OpenSC-compatible PKCS#11 hardware tokens, which means that Discoverer HPC users can additionally protect their private SSH keys by storing them in the protected memory of hardware tokens such as HSM smartcards.
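As an added example of how a user would wire such a token into the login above (this is not configuration from the Discoverer documentation, and the library path is an assumption based on a Debian/Ubuntu OpenSC package; check where your distribution installs `opensc-pkcs11.so`), the client-side `~/.ssh/config` entry could look like this:

```sshconfig
# Added example, not from the Discoverer documentation.
# Library path is an assumption (Debian/Ubuntu layout of the OpenSC package).
Host discoverer
    HostName login.discoverer.bg
    User your-username
    PKCS11Provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
```

With this entry, `ssh discoverer` asks for the token's PIN and signs the authentication challenge on the token, so the private key never leaves its protected memory. The public key that has to be pre-registered can be read from the token with `ssh-keygen -D /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so`, and `ssh -I <library>` is the one-off command-line equivalent of the `PKCS11Provider` option.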