Using ssh keys for authentication in other applications?

Let's say I want to set up a poor man's authentication scheme for a simple network service.

I don't want to bother with username and password authentication; for simplicity I just want to have a list of public keys in my application, and anyone who can prove that they own one of those keys can use my service.

For the purposes of my application this greatly simplifies the authentication process, since all my users are on the local network and they all use Unix. Whenever I onboard a new user, I can just ask them for their ssh public key.

Is there an easy way to reuse the mechanism involved in ssh public key authentication in a non-ssh application? This question is language agnostic.

+8
authentication unix ssh-keys
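The scheme the question describes, prove possession of a key from a fixed list and get in, as an added example that is not part of the original question or any of the answers. It reuses the OpenSSH key files users already have together with ssh-keygen's signing mode (OpenSSH 8.2 or later for `-Y sign`, `-Y verify` and `-Y find-principals`); the names "alice", "mallory", the namespace "myapp-login" and the temp-dir layout are placeholders chosen for this demo, and the keys are generated on the spot.

```shell
#!/bin/sh
# Added example, not from the question or any answer: challenge/response login built on
# the OpenSSH public key format and ssh-keygen's signing mode (OpenSSH 8.2+).
# "alice", "mallory", "myapp-login" and the temp-dir layout are placeholders.
set -eu

NAMESPACE="myapp-login"   # domain separation: a signature made for this app cannot be
                          # replayed as a git commit signature or any other sshsig use

# Client side: sign the server's challenge with the same key the user keeps in ~/.ssh.
client_sign() {           # $1 = private key file, $2 = challenge file; writes $2.sig
  ssh-keygen -Y sign -f "$1" -n "$NAMESPACE" "$2" 2>/dev/null
}

# Server side: the "list of public keys in my application" is an allowed_signers file,
# one line per user: principal, allowed namespaces, key type, key (copied from id_*.pub).
# Prints the principal whose listed key produced a valid signature, or fails.
server_verify() {         # $1 = allowed_signers, $2 = challenge file, $3 = signature file
  principal=$(ssh-keygen -Y find-principals -s "$3" -f "$1" 2>/dev/null) || return 1
  ssh-keygen -Y verify -f "$1" -I "$principal" -n "$NAMESPACE" -s "$3" <"$2" >/dev/null 2>&1 \
    || return 1
  printf '%s\n' "$principal"
}

# End-to-end run on freshly generated keys (constructed for the demo).
demo() {
  dir=$(mktemp -d); trap 'rm -rf "$dir"' EXIT
  ssh-keygen -q -t ed25519 -N '' -f "$dir/alice"      # a listed user
  ssh-keygen -q -t ed25519 -N '' -f "$dir/mallory"    # not on the list
  # key type + key only; the trailing comment in id_ed25519.pub is dropped
  printf 'alice namespaces="%s" %s\n' "$NAMESPACE" \
    "$(cut -d' ' -f1,2 "$dir/alice.pub")" > "$dir/allowed_signers"

  # The server picks a fresh random challenge per login attempt; it must be single-use
  # and short-lived, otherwise a captured signature can be replayed.
  head -c 32 /dev/urandom | base64 > "$dir/challenge"

  client_sign "$dir/alice" "$dir/challenge"
  who=$(server_verify "$dir/allowed_signers" "$dir/challenge" "$dir/challenge.sig") || return 1
  [ "$who" = alice ] || return 1

  # A valid signature from a key that is not on the list is rejected
  cp "$dir/challenge" "$dir/c2"; client_sign "$dir/mallory" "$dir/c2"
  if server_verify "$dir/allowed_signers" "$dir/c2" "$dir/c2.sig"; then return 1; fi

  # alice's signature presented against different challenge bytes is rejected
  printf 'some other challenge\n' > "$dir/c3"
  if server_verify "$dir/allowed_signers" "$dir/c3" "$dir/challenge.sig"; then return 1; fi
  echo ok
}
```

In a real service the challenge and signature travel over whatever transport the application already has; the server only needs to keep the allowed_signers file, remember which challenges it has issued, and reject any challenge it did not issue or has already seen. The namespace is what keeps a signature collected by this service from being useful anywhere else.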
3 answers

If you have a list of users who may use your application and you don't need to see who did what, you can configure your server so that it only listens on localhost (127.1), not 0.0.0.0, and provide a restricted sshd that forwards the port needed to connect to the application.

~/.ssh/authorized_keys provides the list of keys that are allowed to connect.

  ssh -i private_key_file -L 3000:localhost:3000 <hostname>

For basic setup and help setting up your sshd check this answer: https://askubuntu.com/questions/48129/how-to-create-a-restricted-ssh-user-for-port-forwarding

Note: if you don't lock it down, any of those users will have full shell access on the box where the application runs.

+2
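The lockdown the warning in this answer calls for, as an added example that is not part of the answer or of the linked askubuntu post. All application users share one login on the server (called "tunnel" here, a placeholder) and each of their keys may open exactly one forward to the application's port; port 3000 is taken from the ssh command above. The authorized_keys options are real OpenSSH options (`restrict` needs OpenSSH 7.2 or later).

```shell
#!/bin/sh
# Added example, not from the answer above: restrict the tunnel account so that a listed
# key can open a forward to the app and nothing else. "tunnel" is a placeholder login;
# 3000 is the port from the answer's ssh command.
set -eu
APP_PORT=3000

# Turn a user's id_*.pub line into an authorized_keys entry for the tunnel account.
# restrict         (OpenSSH 7.2+) switches off pty, agent/X11 forwarding and ~/.ssh/rc
# port-forwarding  switches TCP forwarding back on
# permitopen       pins the forward to the app on the server's loopback
# command=         replaces the login shell, so "ssh tunnel@server" gets no shell
restricted_authorized_line() {   # $1 = one public key line, trailing comment optional
  set -- ${1:-}                  # split into: type, base64 key, [comment]
  case "${1:-}" in
    ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) echo "unsupported key type: ${1:-<empty>}" >&2; return 1 ;;
  esac
  [ -n "${2:-}" ] || { echo "missing key material" >&2; return 1; }
  printf 'command="/bin/false",restrict,port-forwarding,permitopen="localhost:%s" %s %s\n' \
    "$APP_PORT" "$1" "$2"
}

# The same limits enforced in sshd_config, so a hand-edited authorized_keys line cannot
# accidentally hand out a shell (a Match block overrides the global settings for that user).
sshd_match_block() {
  cat <<EOF
Match User tunnel
    AllowTcpForwarding local
    PermitOpen localhost:$APP_PORT
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false
EOF
}

# Server (as root): append each user's line to ~tunnel/.ssh/authorized_keys and the Match
# block to /etc/ssh/sshd_config, then reload sshd.
# Client: -N is required; without it ssh would run the forced /bin/false and exit at once.
#   ssh -i ~/.ssh/id_ed25519 -N -L 3000:localhost:3000 tunnel@server
```

With both layers in place a user who connects without `-N` gets their session closed immediately, a forward to any destination other than localhost:3000 is refused by sshd, and the application itself never sees anything but connections from 127.0.0.1.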

Dirty hack off the top of my head: could you wrap the application so that it creates a real SSH tunnel from localhost to your server and uses that?

+2

Assuming you are talking about a web application, what you are really looking for is X.509 client certificates (1.3.6.1.5.5.7.3.2). These let your application identify each user individually.

You face the same problems one usually faces with key distribution, which is generally considered a hard problem.

If you want to go down this road, here is what you need to do.

  • Create a root certificate (once)
  • Install a web server with the appropriate modules for certificate parsing (nginx / apache)
  • Generate a certificate for each user (openssl)
  • Download the certificate from a centralized server (maybe their ssh pub key could be used here)
  • Install the X.509 certificate locally (OS dependent)

On the server side you need to process the certificate in the web server (nginx or apache should have modules for this) and then pass the name to your application as a header field, which it can then process internally.

This is a much better security solution than usernames and passwords, but it is hard because of the key distribution problem. Most people don't bother, since for most applications it is easy enough to integrate logins with LDAP or RADIUS.

+1
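The steps in this answer carried through with the openssl command line, as an added example that is not part of the answer: a one-off private CA, a per-user certificate with the clientAuth extended key usage, the check the web server performs at handshake time, and the nginx fragment that passes the subject DN to the application as a header. "Example Internal CA", "alice", the password "changeit" and the /etc/nginx/tls paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the answer above: the CA, per-user certificate and web-server
# steps from the list, done with the openssl CLI. "Example Internal CA", "alice", the
# p12 password and the /etc/nginx/tls paths are placeholders. Requires the openssl command.
set -eu

# Step 1 (once): a private root CA. Keep ca.key offline; only ca.crt goes to the web server.
make_ca() {               # $1 = output dir
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Internal CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Step 3 (per user): key + CSR, signed by the CA with extendedKeyUsage=clientAuth, which is
# OID 1.3.6.1.5.5.7.3.2 from the answer. The CN carries the username the app will see.
issue_client_cert() {     # $1 = dir, $2 = username
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$1/client.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$1/client.ext" -out "$1/$2.crt" 2>/dev/null
  # Steps 4-5: the bundle the user imports into their browser/OS store
  # ("changeit" is a placeholder; use a per-user password and hand it over separately)
  openssl pkcs12 -export -passout pass:changeit -inkey "$1/$2.key" -in "$1/$2.crt" \
    -out "$1/$2.p12"
}

# What the web server checks at handshake time: chains to our CA and is usable as a client cert.
verify_client_cert() {    # $1 = ca.crt, $2 = certificate to check
  openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

# Step 2: nginx does the verification and hands the app only the subject DN. The app must
# listen on 127.0.0.1 only, otherwise a direct client could forge the header.
nginx_snippet() {
  cat <<'EOF'
server {
    listen 443 ssl;
    ssl_certificate        /etc/nginx/tls/server.crt;  # the server's own certificate
    ssl_certificate_key    /etc/nginx/tls/server.key;
    ssl_client_certificate /etc/nginx/tls/ca.crt;      # only certs from our CA are accepted
    ssl_verify_client      on;
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header X-Client-DN $ssl_client_s_dn;   # e.g. "CN=alice" -> the app's user id
    }
}
EOF
}

demo() {
  dir=$(mktemp -d); trap 'rm -rf "$dir"' EXIT
  make_ca "$dir"
  issue_client_cert "$dir" alice
  verify_client_cert "$dir/ca.crt" "$dir/alice.crt" || return 1
  # A self-signed certificate claiming CN=alice but not issued by our CA must be rejected
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=alice" \
    -keyout "$dir/rogue.key" -out "$dir/rogue.crt" 2>/dev/null
  if verify_client_cert "$dir/ca.crt" "$dir/rogue.crt"; then return 1; fi
  echo ok
}
```

The application then trusts the X-Client-DN header only because nothing but nginx can reach port 3000; revoking a user means either an expiry date short enough to live with, or adding `ssl_crl` to the nginx block and publishing a CRL from the same CA, which is the part of key distribution the answer warns about.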
