Comments (1)
Hi, thanks for the short message. I think what's being proposed here is unclear because of the incorrect use of words like "leak" and "password" vs "public key" (these are different things!) — I'll try to address all interpretations.
-
Generate a one-time password along with the link to a new session and require users to present it upon joining.
This is already effectively done through the private encryption key attached to the URL in the hash field
#
. This affix is never sent to any server while making an HTTP request, and adding a second password to the mix would not improve security beyond allowing users to send parts of the link over two different communication media. -
Allow users to authenticate via a public/private key pair to verify their identity before connecting to a server.
This is a reasonable approach to some systems, and ssh does this to allow for persistent access. But it takes a lot of time to set up, and creates friction — people don't just have keypairs lying around to copy/paste. If you'd like to share access to your computer this way, you should add the public key to your
authorized_keys
file and use ordinary SSH. For a real-time computer access system, you would need to communicate the public key over some other channel regardless, and if that channel were breached an attacker could edit the sent public key file anyway.
In either case, sshx is completely secure as-is assuming confidential communication of the link, and if you do not assume this, then both sshx and all of the alternatives are equally insecure. The suggested alternatives simply add friction to both attackers and regular users. But while this affects ordinary users greatly, attackers have unlimited resources — security through obscurity is not security.
If you have a compelling argument for why either approach would improve security, I'm happy to hear it. You would need to define a security model and provide examples of attacks that would be prevented.
from sshx.
Related Issues (20)
- Support proper zooming HOT 1
- [Feature] Freehand Drawing Extension
- [Bug] sshx doesn't work on certain CLI apps HOT 2
- [Feature] Different user permissions HOT 2
- Create github releases including releasing binaries HOT 2
- Allow users to bypass certificate validation HOT 4
- selft hosted - nixOS HOT 3
- [BUG] Cannot copy content into clipboard inside web browser HOT 15
- [Feature request] Support for armv6l, armv7l HOT 8
- transport error
- Can`t build from source! HOT 3
- Customize title?
- escape key not sent to terminal HOT 5
- Windows client support
- ability to zoom out, so one can find the right window (enhancement request) HOT 3
- tiling or auto arrange for terminal windows: feature request
- user@hostname of server in the browser tab HOT 1
- Solution / Workaround for Browser shortcut conflicts? HOT 1
- Expected to achieve directory sharing HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from sshx.