(no title)
karmarepellent | 6 months ago
I can see how SSH could be used for authentication on the web. And I have no doubt that it would be sound out-of-the-box. But I am not sure what you mean by your last sentence. Do you mean that authentication targets are gated and only reachable by establishing a tunnel via some kind of forwarding?
Aside from the wonderful possibilities that are offered by using port forwarding of some kind, you could also simply use OpenSSH's ForceCommand to let users authenticate via SSH and then return a short-lived token that can then be used to log into an application (or even a SSO service).
I guess no one uses SSH for authentication in this way because it is non-standard and kind of shuts out non-technical people.
alphazard|6 months ago
No, it's just how you authenticate with signing keys. Given that a secure channel has been set up with ephemeral keys, you can sign a commitment to the channel (like the hash of the shared secret key) to prove who you are to the other party.
> let users authenticate via SSH and then return a short-lived token that can then be used to log into an application (or even a SSO service)
This is exactly what I recommend. If everyone did this, then eventually then the browsers or 1password could support it.
palata|6 months ago
And WebAuthn is using FIDO2, it's not that different, it's just that WebAuthn adds some stuff like a relying party.
unknown|6 months ago
[deleted]
manithree|6 months ago
Being in charge of the strength and security of your private key is something most people don't want to do, so we get multiple identities made "easy" by walled gardens getting popular in passkeys.