
ENHANCEMENT: New credential and authentication system

Open billchurch opened this issue 3 years ago • 8 comments

A new method to collect credentials is required to work around browser incompatibilities and support alternate methods of authentication.

Goals of this enhancement:

  • [x] Retain ability to use HTTP Basic (should be the default setting)
  • [ ] Ability to send credentials over a websocket connection (no HTTP first) #245
  • [ ] Support injection of an RSA private key for authentication #219
  • [x] Support taking credentials from a form or modal (potentially submitting credentials over websocket above) #159
  • [ ] Support Keyboard Interactive authentication to support 2fa use cases #224
  • [ ] Support ability to "logout" and prevent replaying credentials from the client (as with HTTP Basic) #216
  • [ ] Support session limits (log off user after x seconds/minutes/hours) #198
  • [x] Investigate potential for taking credentials as GET vars (not sold on it, but won't rule it out)

billchurch avatar May 19 '21 14:05 billchurch

PassportJS seems like a logical way to accomplish this, with the ability to extend more in the future...

billchurch avatar May 19 '21 16:05 billchurch

0.5.0-dev-0 has the first attempts at getting this working under passport.js

/reauth on HTTP Basic isn't working in Chrome now... This might have been a fluke that it worked at all, not done trying but this may end up being a breaking change for HTTP Basic in 0.5.0 and we'll support some sort of forms based auth (modal, inline, or otherwise).

billchurch avatar May 19 '21 19:05 billchurch

0.5.0-dev-1

  • New route /ssh/login/host to gather username and password (required) credentials from either GET or POST
  • readme refactored a bit
  • PORT, LISTEN_IP, SESSION_NAME, SESSION_SECRET can be set as environment vars now and override any defaults or config.json
  • Remove auto port increment from ./app/index.js (f36af08)
  • Debug environment var
  • Refactored ./app/server/app.js
    • Safe shutdown feature moved to ./app/server/safeShutdown.js and re-worked
    • Session setup moved out of /ssh/host route into ./app/server/sessionSetup.js for readability and reuse for #247
  • webssh2 changed from WebSSH2 to webssh2

billchurch avatar May 20 '21 20:05 billchurch

Will webssh2 support public key login with hardware etoken and SafeNet Authentication Client? Is that possible? Would be awesome!

pwFoo avatar Jan 12 '22 22:01 pwFoo

Hello, any plan to add authentication based on an ssh key instead of login / password ?

lucj avatar Apr 11 '22 08:04 lucj

Definitely have plans, been struggling with the best way to implement.

Taking direct private key is risky.

  • How to keep key safe server-side (in memory only)
  • How to take key, POST, web socket?
  • Integrate with HashiCorp Vault?
  • What other methods?

billchurch avatar Apr 11 '22 10:04 billchurch

Maybe mTLS is what you're looking for? )
https://en.wikipedia.org/wiki/Mutual_authentication
https://medium.com/@sevcsik/authentication-using-https-client-certificates-3c9d270e8326

app avatar Jun 12 '22 13:06 app

I do like mTLS and use it for a lot of other things. The main problem here is WebSSH2 isn't actually authenticating anything, it's just passing the credentials to the SSH server.

So, using mTLS is intriguing but the private key never leaves the client so even if we supported x509 over SSH we wouldn't be able to use an existing mTLS session to then do x509 to an SSH host.

That being said, ssh-rsa or ssh-dss are the most widely supported methods of getting private keys to a host. Perhaps integrating with something like HashiCorp Vault or something similar could be an answer. Or be modular enough that having x vendor's vault would be easy to support.

billchurch avatar Jun 12 '22 14:06 billchurch