Support SSH Public Key Authentication #475
Comments
@jejacks0n It's a placeholder as there aren't currently any BBS clients that support public key authentication. I'd love a PR, however! Off the top of my head, I think you'd really only need to implement Then, create a simple One challenge is for it to be secure, they'd need to do this over a secure connection such as SSH (un/pass), or secure WebSocket, so you'd want to gate the menu with an I can provide more details if you're going to take a shot at it!
could test with ssh from a regular ptty terminal..
Update on this: I will be adding PublicKey authentication to the board and to https://github.com/mkrueger/icy_term as well in the near-ish future.
By the way - as a side note, I'm not sure whether it needs an upload function - the .pub is pretty short (90 characters including prefix is all that's needed, + whatever they use for their email/attribute if there is one). Could probably just support pasting that into a text field? That's what sites like GitHub do anyway.
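The paste-into-a-text-field idea from the comment above, as an added example (not part of the thread and not the project's code): a JavaScript validator for a pasted OpenSSH public key line that checks the blob's structure and returns the SHA256 fingerprint to show back to the user before the key is stored. It assumes only `ssh-ed25519` keys are accepted; `parsePastedPublicKey`, `readString` and `sampleLine` are hypothetical names.

```javascript
const crypto = require('node:crypto');

const KEY_TYPE = 'ssh-ed25519'; // assumption: the only type this field accepts
const MAX_LINE = 512;           // an ed25519 .pub line is far shorter than this

// Read one SSH wire-format string: uint32 big-endian length, then that many bytes.
function readString(buf, off) {
  if (off + 4 > buf.length) throw new Error('truncated key blob');
  const end = off + 4 + buf.readUInt32BE(off);
  if (end > buf.length) throw new Error('truncated key blob');
  return { value: buf.subarray(off + 4, end), next: end };
}

// Validate a pasted "<type> <base64> [comment]" line (hypothetical helper).
function parsePastedPublicKey(line) {
  if (typeof line !== 'string' || line.length > MAX_LINE) throw new Error('bad input length');
  const text = line.trim();
  if (/[\r\n\0]/.test(text)) throw new Error('expected a single line');
  const [type, b64, ...rest] = text.split(/[ \t]+/);
  if (type !== KEY_TYPE) throw new Error('unsupported key type');
  const blob = Buffer.from(b64 || '', 'base64');
  // Re-encode and compare: rejects stray characters and non-canonical base64.
  if (blob.length === 0 || blob.toString('base64') !== b64) throw new Error('bad base64');
  // The blob carries its own algorithm name; it must agree with the text prefix.
  const name = readString(blob, 0);
  if (name.value.toString('latin1') !== type) throw new Error('type mismatch');
  const key = readString(blob, name.next);
  if (key.value.length !== 32 || key.next !== blob.length) throw new Error('bad ed25519 key');
  // Same form `ssh-keygen -lf` prints, so the user can compare it with their local key.
  const digest = crypto.createHash('sha256').update(blob).digest('base64');
  return { type, blob, fingerprint: 'SHA256:' + digest.replace(/=+$/, ''), comment: rest.join(' ') };
}

// Constructed sample line: a well-formed blob around 32 filler bytes, not a real key.
function sampleLine(innerType = KEY_TYPE, keyLen = 32) {
  const str = (b) => {
    const len = Buffer.alloc(4);
    len.writeUInt32BE(b.length);
    return Buffer.concat([len, b]);
  };
  const blob = Buffer.concat([str(Buffer.from(innerType)), str(Buffer.alloc(keyLen, 7))]);
  return `${KEY_TYPE} ${blob.toString('base64')} user@example`;
}

console.log(parsePastedPublicKey(sampleLine()).fingerprint);
```

Showing the fingerprint back to the user only helps if the paste happened over an already authenticated, encrypted session, which is the requirement the thread settles on.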
@cognitivegears I agree. I think the only requirement needs to be over an existing secure connection.
That's a bit of a catch-22, but not much of one, since they can either upload the .pub when logging in as new via ssh, or just have to at least one time do password auth before switching to public key. So not a big deal.
By the way, this is a little off-topic but I was thinking, I don't believe there is anything in the spec / ssh library that wouldn't let us just accept any user - that is, allow the connection regardless of any user/pw etc... which could be interesting, if we then showed the unauthenticated login screen. Sorta like an inner authentication mechanism like can be done with WiFi etc. protocols. I.e., encrypt the channel but no Authn initially. I know it sounds crazy, but the reason to do that would be to be able to offer non-logged-in services via ssh... Showing the login menu, forgot password, etc. The only downside I can think of is that I believe most or all existing clients just assume that some authn needs to happen so present pw prompt before even being challenged (when not using a public key flow anyway). Still, it works, users would just have to type anything on those clients. And that could be suggested in clients like Icyterm as well. Probably out of scope for this issue, but just wanted to mention in case it's useful someday.
@cognitivegears this should already be possible with some tweaks. Users can already SSH in with +op defined username passwords (new/new is there by default). We could have "forgot/forgot" or whatever allowing them to interact with specific screens.
Yep, but without it, one can technically MITM and put in their own SSH Pub Key instead.
Minor thought... Ubuntu-Server offers the option to import your public key at install, including from GitHub. Could offer something similar at login/creation to import GitHub key(s).
Is your feature request related to a problem? Please describe.
When logging in with SSH, there's logic that looks like it's intended to validate the public key as provided by the SSH client.
Describe the solution you'd like
It looks like this is only partially implemented however. It kind of looks like the intent is to store the public key on registration in UserProps.AuthPubKey, but this constant isn't defined and that's the other portion that seems incomplete.
Describe alternatives you've considered
What's needed to finalize some of this logic, and are there things that make this impossible/very difficult?