Support SSH Public Key Authentication about enigma-bbs HOT 10 OPEN

By the way - as a side note, I'm not sure whether it needs an upload function - the .pub is pretty short (90 characters including prefix is all that's needed, + whatever they use for their email/attribute if there is one). Could probably just support pasting that into a text field? That's what sites like github do anyway.

from enigma-bbs.

@cognitivegears I agree. I think the only requirement needs to be over an existing secure connection.

from enigma-bbs.

@cognitivegears

That's a bit of a catch-22, but not much of one, since they can either upload the .pub when logging in as new via ssh, or just have to at least one time do password auth before switching to public key. So not a big deal.

Yep, but without it, one can technically MITM and put in their own SSH Pub Key instead.

from enigma-bbs.

@jejacks0n It's a placeholder as there aren't currently any BBS clients that support public key authentication.

I'd love a PR, however!

Off the top of my head, I think you'd really only need to implement validatePubKey which you can see in the SSH2 documentation, should be fairly trivial.

Then, create a simple ssh_config.js or similar mod inheriting MenuModule (which you'll see is the beef of most of enig) for the user to upload a public key.

One challenge is for it to be secure, they'd need to do this over a secure connection such as SSH (un/pass), or secure WebSocket, so you'd want to gate the menu with an acs check.

I can provide more details if you're going to take a shot at it!

from enigma-bbs.

could test with ssh from a regular ptty terminal.. ssh user@bbsname assuming the user previously uploaded their public key for auth.

from enigma-bbs.

Update on this: I will be adding PublicKey authentication to the board and to https://github.com/mkrueger/icy_term as well in the near-ish future.

from enigma-bbs.

@cognitivegears I agree. I think the only requirement needs to be over an existing secure connection.

That's a bit of a catch-22, but not much of one, since they can either upload the .pub when logging in as new via ssh, or just have to at least one time do password auth before switching to public key. So not a big deal.

from enigma-bbs.

By the way, this is a little off-topic but I was thinking, I don't believe there is anything in the spec / ssh library that wouldn't let us just accept any user - that is, allow the connection regardless of any user/pw etc... which could be interesting, if we then showed the unauthenticated login screen. Sorta like an inner authentication mechanism like can be done with WiFi etc protocols. I.e encrypt the channel but no Authn initially.

I know sounds crazy, but the reason to do that would be able to offer non logged in services via ssh... Showing the login menu, forgot password, etc.

The only downside I can think of is that I believe most or all existing clients just assume that some authn needs to happen so present pw prompt before even being challenged (when not using a public key flow anyway.) still it works, users would just have to type anything on those clients. And that could be suggested in clients like Icyterm as well.

Probably out of scope for this issue, but just wanted to mention in case it's useful someday.

from enigma-bbs.

@cognitivegears this should already be possible with some tweaks. Users can already SSH in with +op defined username passwords (new/new is there by default). We could have "forgot/forgot" or whatever allowing them to interact with specific screens.

from enigma-bbs.

Minor thought... Ubuntu-Server offers the option to import your public key at install, including from github. Could offer something similar at login/creation to import github key(s).

from enigma-bbs.