Keys make it possible to use your identity to securely access your Spaces
Keys are similar to the public and private keypairs you use with Secure Shell (SSH) technology. Keys work with SSH and are configured in the same way. They are unique to each user.
What is different is that Keys include your PairSpaces identity. Machines interpret a conventional keypair as meaning, "Allow access to this keypair". Spaces interpret Keys as meaning, "Allow access to this identity". Spaces use Keys to verify your identity, not only your ownership of the Keys.
Keys use the identity provided by Single Sign-On (SSO) providers to securely access virtual machines using SSH. This SSO-to-SSH combination creates two requirements to access Spaces: ownership of a keypair and an identity that a Space recognizes.
SSO-to-SSH (S2S) is the process PairSpaces uses to associate your PairSpaces identity with your Spaces.
When you create Keys, PairSpaces creates a conventional public and private keypair and sends it with a nonce (number used once) to an OpenID Connect (OIDC) provider. The combination of nonce and public key permits the OIDC provider to sign both using its private key, binding the user's identity to their keypair.
When authenticating, the public key and nonce are used by the OIDC provider to create tokens. The identity token includes the OIDC provider's signature of the user's public key and nonce. This signature confirms the user has the private key that was certified by the OIDC provider.
PairSpaces effectively creates a public key certificate using the identity token and the user's public key and then signs the certificate using the user's private key.
When a user requests access to a Space they do so using conventional SSH, but a Space does not use the AuthorizedKeysFile to create an SSH session. Instead, each Space uses the AuthorizedKeysCommand to create an SSH session.
The command associated with AuthorizedKeysCommand verifies that the user's public key certificate was signed by the OIDC provider and that the identity contained within it is associated with the Keys created by the PairSpaces user.
The command also verifies that the identity verified by the OIDC provider is associated with the Space.
If the user is both the owner of the Keys and has been granted access to the Space, a conventional SSH session is created and access is allowed.
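The S2S flow described above, as an added example that is not PairSpaces' own code: an OIDC provider signs the user's identity, public key and nonce, and a stand-in for the Space's AuthorizedKeysCommand checks that signature and the Space's membership before returning an authorized_keys line. The token layout, the use of Ed25519, the member list and all names are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/binary"
	"errors"
)

// Token models the page's flow: the OIDC provider's signature over the user's
// public key and nonce, carried with the identity it asserts (layout assumed).
type Token struct {
	Identity  string            // identity asserted by the OIDC provider, e.g. an e-mail
	UserPub   ed25519.PublicKey // user's public key, certified by the provider
	Nonce     []byte            // number used once, supplied when the Keys were created
	Signature []byte            // provider signature over packed(Identity, UserPub, Nonce)
}

// packed length-prefixes each field (the SSH string encoding), so no field
// can be shifted into its neighbour when the bytes are signed or parsed.
func packed(fields ...[]byte) []byte {
	var out []byte
	for _, f := range fields {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		out = append(append(out, n[:]...), f...)
	}
	return out
}

// Issue is the provider side: bind identity, public key and nonce under the provider's key.
func Issue(providerPriv ed25519.PrivateKey, identity string, pub ed25519.PublicKey, nonce []byte) Token {
	return Token{identity, pub, nonce, ed25519.Sign(providerPriv, packed([]byte(identity), pub, nonce))}
}

// AuthorizedKeysCheck plays the role of the Space's AuthorizedKeysCommand. It
// returns an authorized_keys line only when the token is signed by the provider
// and the certified identity is a member of the Space; sshd then still requires
// the client to prove possession of the matching private key.
func AuthorizedKeysCheck(providerPub ed25519.PublicKey, members map[string]bool, tok Token) (string, error) {
	if !ed25519.Verify(providerPub, packed([]byte(tok.Identity), tok.UserPub, tok.Nonce), tok.Signature) {
		return "", errors.New("token not signed by the OIDC provider")
	}
	if !members[tok.Identity] {
		return "", errors.New("identity is not granted access to this Space")
	}
	// OpenSSH public key blob for ssh-ed25519: string "ssh-ed25519" followed by the 32 key bytes.
	blob := packed([]byte("ssh-ed25519"), tok.UserPub)
	return "ssh-ed25519 " + base64.StdEncoding.EncodeToString(blob), nil
}
```

A tampered identity, a token from a different provider, or an identity not granted to the Space all yield an error and therefore no key for sshd to match.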
You can create Keys using the PairSpaces CLI by running pair keys create. PairSpaces does not keep a copy of your Keys.
> pair keys create
Your Keys were created successfully.
> pair.exe keys create
Your Keys were created successfully.
Each pair of Keys will expire after 5 minutes. You can renew your Keys using pair keys renew.
> pair keys renew
> pair.exe keys renew