Conch

Conch is an SSH certificate issuer which authenticates using OIDC access tokens.

It is intended to be used as a part of an interactive workflow where a real human is getting access to a system via SSH.

Flow

The general high-level flow for a client interating with Conch to get a signed certificate is:

        sequenceDiagram
   participant OIDC as OIDC issuer
   actor Client
   participant Conch

   Client->>OIDC: Authenticate
   OIDC->>Client: Access token (JWT)

   Client->>+Conch: /sign<br/>Passing the JWT
   Conch->>OIDC: Validate JWT
   note over Conch: Extract JWT claims and<br/>map to certificate principals

   Conch->>-Client: Signed certificate
    

Glossary

Project

A project is intended to describe a time-limited collection of users with access to a particular set of platform.

Platform

A platform is a collection of resources. In the context of Conch, it is anything which can be accessed via SSH. For example it might be a specific batch cluster or a development environment.

Mapper

A configurable function which takes claims and creates principals in the SSH certificate.