
Proposal: client-side keyboard interactive and key-signing

Open klarose opened this issue 1 year ago • 1 comment

I have a use case where I want to develop my own client, yet use an ssh gateway such as webssh to provide access to servers fronted by it. In this model, webssh would act solely as an API for the client.

As part of this work, I want to support an arbitrary set of keyboard-interactive challenges, as well as not require that a user's private key be sent over the network. Doing this means substantial changes to the API webssh uses: in particular, rather than providing the user's credentials up-front, the user would ask webssh to establish an ssh session to the server, then forward back challenges (e.g. the server's request for a signature, or a password/totp challenge) as necessary. E.g. if the server supports only public key auth, the user would never provide a password. To make this work, we kind of need a bidirectional API.

One thought is that we could keep the existing model where the initial POST establishes the connection and starts the worker, and indeed keep that API as-is in case anybody else has programmed a client for it. But, add an extension indicating we want to use the new mode. In the new mode, we would extend the websocket API to support messages sent back to the client other than data, and support messages from the client as answers to challenges.

I'll do this work, but I'd like feedback on the approach, and whether it warrants being included in webssh proper, or if I should just maintain a private fork of it.

Thanks!

klarose, Nov 24 '22 13:11
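To make the proposed challenge/response flow concrete, here is an added illustration of the bidirectional exchange the post describes; it is example code written for this page, not klarose's client and not part of webssh. The gateway side asks the client to sign a blob (in real SSH publickey auth this is the RFC 4252 signature data that only the gateway, which owns the transport and knows the session identifier, can build), then forwards a keyboard-interactive prompt and checks the answer. Ed25519 from the Go standard library stands in for the SSH key and signature wire formats, the message kinds (`sign`, `signature`, `prompt`, `answer`) are assumptions rather than any existing webssh API, and the session blob and expected code are constructed test values. The point it demonstrates is that the private key and the one-time code stay on the client; only signatures and answers cross the websocket.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Msg is a hypothetical framing for messages on the websocket in the proposed
// "new mode". The kind names are assumptions for this example, not webssh's API.
type Msg struct {
	Kind    string   `json:"kind"`              // "sign", "signature", "prompt", "answer"
	Data    string   `json:"data,omitempty"`    // base64: blob to sign, or the signature
	Prompts []string `json:"prompts,omitempty"` // keyboard-interactive prompts
	Echo    []bool   `json:"echo,omitempty"`    // whether each prompt's input may be echoed
	Answers []string `json:"answers,omitempty"`
}

// Client is the browser/CLI side. It owns the private key and never serializes it;
// secret is how it obtains a user's answer to a prompt (password, TOTP code, ...).
type Client struct {
	priv   ed25519.PrivateKey
	secret func(prompt string) string
}

// Handle answers one gateway message and returns the client's reply.
func (c *Client) Handle(raw []byte) ([]byte, error) {
	var m Msg
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	switch m.Kind {
	case "sign":
		blob, err := base64.StdEncoding.DecodeString(m.Data)
		if err != nil {
			return nil, err
		}
		sig := ed25519.Sign(c.priv, blob) // signing happens client-side only
		return json.Marshal(Msg{Kind: "signature", Data: base64.StdEncoding.EncodeToString(sig)})
	case "prompt":
		ans := make([]string, len(m.Prompts))
		for i, p := range m.Prompts {
			ans[i] = c.secret(p)
		}
		return json.Marshal(Msg{Kind: "answer", Answers: ans})
	}
	return nil, fmt.Errorf("unexpected message kind %q", m.Kind)
}

// Gateway simulates the webssh side: it knows the authorized public key and the
// per-session signature data, and it relays the upstream server's challenges.
type Gateway struct {
	pub         ed25519.PublicKey
	sessionBlob []byte // stands in for the RFC 4252 publickey signature data
	expectOTP   string // what the upstream server would accept (constructed)
}

// Authenticate drives both rounds: publickey signature, then keyboard-interactive.
func (g *Gateway) Authenticate(c *Client) error {
	req, _ := json.Marshal(Msg{Kind: "sign", Data: base64.StdEncoding.EncodeToString(g.sessionBlob)})
	resp, err := c.Handle(req)
	if err != nil {
		return err
	}
	var m Msg
	if err := json.Unmarshal(resp, &m); err != nil {
		return err
	}
	if m.Kind != "signature" {
		return errors.New("expected a signature message")
	}
	sig, err := base64.StdEncoding.DecodeString(m.Data)
	if err != nil {
		return err
	}
	if !ed25519.Verify(g.pub, g.sessionBlob, sig) {
		return errors.New("publickey: signature does not verify")
	}
	// Second factor: forward the server's prompt verbatim, echo disabled.
	req, _ = json.Marshal(Msg{Kind: "prompt", Prompts: []string{"Verification code: "}, Echo: []bool{false}})
	if resp, err = c.Handle(req); err != nil {
		return err
	}
	if err := json.Unmarshal(resp, &m); err != nil {
		return err
	}
	if m.Kind != "answer" || len(m.Answers) != 1 || m.Answers[0] != g.expectOTP {
		return errors.New("keyboard-interactive: answer rejected")
	}
	return nil
}

// RunDemo wires up a fresh key pair and runs the flow. otp is what the simulated
// user types; matchingKey=false gives the gateway a different authorized key.
func RunDemo(otp string, matchingKey bool) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	if !matchingKey {
		if pub, _, err = ed25519.GenerateKey(rand.Reader); err != nil {
			return err
		}
	}
	c := &Client{priv: priv, secret: func(string) string { return otp }}
	g := &Gateway{pub: pub, sessionBlob: []byte("constructed session-id || userauth request"), expectOTP: "123456"}
	return g.Authenticate(c)
}

func main() {
	fmt.Println("matching key, correct code:", RunDemo("123456", true))
	fmt.Println("wrong key:", RunDemo("123456", false))
	fmt.Println("wrong code:", RunDemo("000000", true))
}
```

Two properties worth noting in the flow: the gateway never sees a private key, so compromising webssh yields at most one session's signature, and because the gateway only relays prompts, a server that offers publickey alone never causes a password prompt to appear, which is exactly the behaviour the proposal asks for.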