Add API ML SSO capability to Zowe SSH command

[JTonda]

@JirkaAichler commented on Wed Jun 16 2021

Zowe CLI SSO experience is inconsistent since it does not work with SSH commands. The user has to use an SSH key when using the MFA configuration. These steps make the usage of Zowe and MFA complicated.

Solution draft - 2 options:

1. Call APIML /ticket endpoint with JWT token to obtain a passticket. Then call SSH directly with a userId and passticket.
2. Update APIML to be SSH (or rather TCP) proxy.

---

@github-actions[bot] commented on Fri Nov 11 2022

Thank you for raising this issue. The community has 90 days to upvote 👍 the issue. If it receives 5 upvotes, we will move it to our backlog. If not, we will close it.

---

@gejohnston commented on Mon Nov 28 2022

I think that customer sites could be resistent to suggestion 1 for the following reasons:

• A site with only an interest in SSH is unlikely to install and configure APIML for just that purpose. The installation and configuration of APIML will likely be more complicated for such a customer than using an ssh key.
• Each CLI ssh command may have to call the APIML login endpoint to get the JWT token, then call the APIML endpoint to get a passticket from the JWT token, then call the SSH service with the passticket. Making 3 REST requests for one ssh request may slow the response time of each CLI ssh command.

Suggestion 2 (ssh support in APIML) seems to better fit customer use cases:

• A site that has committed to APIML for other services wants to use APIML to also connect to SSH.
• Client-side configuration could be implemented by a customer in the same way as other APIML-supported services.

I am transferring this issue to APIML for evaluation of the request. If and when a plan is determined for supporting SSH within APIML, this issue can be returned to the CLI's issue queue so that client-side logic and configuration changes can be evaluated and prioritized.