Ssh based login to web app

#1

Current email-based login to asciinema.org is mostly liked (afaik :wink:) and working mostly fine. Its security is ok (as far as password reset emails are in general), however it is causing login problems for some people due to spam filters, gray listing or other email delivery problems.

I really want to avoid storing passwords, and depend on 3rd party (OAuth with Github). More on this here: http://blog.asciinema.org/post/persona/ (this is old post and Persona is not a thing anymore, but the arguments there are the important part).

But here’s the idea: what if we allowed login to the website with ssh public key? :nerd_face:

It could look like this:

  1. add (1 or more) ssh public keys to your asciinema.org account
  2. click on “Login” button on the website
  3. enter your username or email in the login form, submit
  4. you see "Verify your identity by invoking this command: ssh user@asciinema.org login <token>"
  5. execute the above ssh command in your terminal, which prints “Thanks, you’re logged in now.”
  6. switch back to browser window where you are already logged in :tada:

Other than initial setup of this method (public key upload) it involves the same amount of steps than current email based login - instead of going to email client and clicking on the link you go to your terminal and copy-paste a command.

It has the following advantages over login-link-over-email method:

  • it eliminates expiring link problem - the ssh command to execute is displayed immediately in the browser
  • it’s more secure - ssh is encrypted, while email messages on email provider’s server are usually unencrypted
  • it’s more reliable - there’s no 3rd party (email provider which can be down at the moment) involved in authentication process
  • you can add multiple public keys from all your machines to ensure you can always use this method (this is less of an argument because email-based login could be updated to support multiple emails on the account)

Few notes:

It’s not supposed to replace email-based login - this would be a opt-in alternative.

There’s other, existing solution for public-key based authentication in the browser, which is called “Client Certificate Authentication”. It uses RSA pub/prv keypair like ssh does, and doesn’t require user to use execute ssh commands in the terminal. However it’s very rarely seen in the wild, due to complicated setup, and backup of cert/key (people just forget about the cert when switching to a new browser). With ssh keys: you already have ssh keypair, you probably know where it is and how to back it up, you already have ssh client installed (every modern OS comes with one). So I think the proposed solution is simpler for people who use terminal (and asciinema users do :slight_smile: )

I’ve opened pull-request to play with this idea: https://github.com/asciinema/asciinema-server/pull/301

Does this make sense? What do you think?

3 Likes

#2

I like the idea, more authentification methods and more secure ones cant hurt.

0 Likes