Inbox login system

Central EGA keeps a database of users, with IDs and passwords, ssh public keys and crypt4gh-compatible public keys.

We have developed a solution allowing user authentication via either a password or an SSH key against CentralEGA database itself. The procedure is as follows: the inbox is started without any created user. When a user wants to log into the inbox (actually, only sftp connections are allowed, not even ssh), the system looks up the username in a local cache, and, if not found, queries the CentralEGA REST endpoint. Upon return, we store the user credentials in the local cache and create the user’s home directory. The user now gets logged in if the password or public key authentication succeeds. Upon subsequent login attempts, only the local cache is queried, until the user’s credentials expire. The cache has a default TTL of one hour, and is wiped clean upon reboot (as a cache should).

We installed a hook to detect when a file is (re)uploaded, renamed or deleted. The hook runs a checksum on the uploaded file and notifies CentralEGA via a shovel mechanism on the local message broker.

Note

After proper configuration, there is no user maintenance, it is automagic. The other advantage is to have a central location of the EGA users.

Moreover, it is also possible to add non-EGA users if necessary, by reproducing the same mechanism but outside the temporary cache. Those users will persist upon reboot.

See its full documentation or the source code on its dedicated repository.