Discussion:
Using an ssh key to authenticate to a web service?
Jim Cheetham
2011-03-19 22:05:35 UTC
I have a server delivering a customer-facing service over ssh; as such
each client has a username & ssh keyfile to use for authentication,
and that's their only access.

I now want to expose a web service to them (related to their existing
service), and rather than start issuing passwords for authentication,
I would like to find some way of re-using their ssh keys -- even to
the extent of mandating a specific browser+plugin, which may well be
required.

I don't think I can get sufficient identifying information at the web
service end of a standard "ssh tunnel to the service", but I may have
overlooked something. Not sure I can get id from the SOCKS proxy mode
of ssh, either ...

The web service is unwritten, so it could use pretty much any
framework; if there was one out there that had plugins for ssh
authentication I'd love to know.

Has anyone seen such a beast, or at least come up with some useful
search terms I could try for more research?

-jim

_______________________________________________
NZLUG mailing list ***@linux.net.nz
http://www.linux.net.nz/cgi-bin/mailman/listinfo/nzlug
Bruce Clement
2011-03-19 22:39:14 UTC
On Sun, Mar 20, 2011 at 11:05 AM, Jim Cheetham <***@gonzul.net> wrote:
[..]
Post by Jim Cheetham
I now want to expose a web service to them (related to their existing
service), and rather than start issuing passwords for authentication,
I would like to find some way of re-using their ssh keys -- even to
the extent of mandating a specific browser+plugin, which may well be
required.
Have a look at "client ssl keys"

These are built with much the same technology as the client keys you
use with ssh, but I'm not 100% sure if the same key can be used for
both ssh and https. If it can, you're there :)

http://www.gnegg.ch/2008/05/why-is-nobody-using-ssl-client-certificates/
http://blog.magicaltux.net/2009/02/09/using-ssl-keys-for-client-authentification/
http://it.toolbox.com/blogs/securitymonkey/howto-securing-a-website-with-client-ssl-certificates-11500
--
Bruce Clement

Home:    http://www.clement.co.nz/
Twitter:    http://twitter.com/Bruce_Clement
Directory: http://www.searchme.co.nz/

"Before attempting to create something new, it is vital to have a good
appreciation of everything that already exists in this field." Mikhail
Kalashnikov

Daniel Pittman
2011-03-19 22:42:37 UTC
Post by Jim Cheetham
I have a server delivering a customer-facing service over ssh; as such
each client has a username & ssh keyfile to use for authentication,
and that's their only access.
I now want to expose a web service to them (related to their existing
service), and rather than start issuing passwords for authentication,
I would like to find some way of re-using their ssh keys -- even to
the extent of mandating a specific browser+plugin, which may well be
required.
It absolutely would...
Post by Jim Cheetham
The web service is unwritten, so it could use pretty much any
framework; if there was one out there that had plugins for ssh
authentication I'd love to know.
...which is why no one has written anything like that, because it just
isn't that useful, except in very limited circumstances like yours.
(...and, frankly, not that much even then, IMO. :)

Daniel
--
⎋ Puppet Labs Developer – http://puppetlabs.com
✉ Daniel Pittman <***@rimspace.net>
✆ Contact me via gtalk, email, or phone: +1 (503) 893-2285
♲ Made with 100 percent post-consumer electrons

Cliff Pratt
2011-03-20 01:21:09 UTC
Post by Jim Cheetham
I have a server delivering a customer-facing service over ssh; as such
each client has a username & ssh keyfile to use for authentication,
and that's their only access.
I now want to expose a web service to them (related to their existing
service), and rather than start issuing passwords for authentication,
I would like to find some way of re-using their ssh keys -- even to
the extent of mandating a specific browser+plugin, which may well be
required.
I believe that you could use a Java applet in practically any browser,
or a standalone Java app and have no dependency on the browser.
Post by Jim Cheetham
I don't think I can get sufficient identifying information at the web
service end of a standard "ssh tunnel to the service", but I may have
overlooked something. Not sure I can get id from the SOCKS proxy mode
of ssh, either ...
The web service is unwritten, so it could use pretty much any
framework; if there was one out there that had plugins for ssh
authentication I'd love to know.
Has anyone seen such a beast, or at least come up with some useful
search terms I could try for more research?
An SSH connection is a session and a web service is not. Therefore,
unless you do something funky with sessionIDs or something, you have to
authenticate every web service request.

There are two parts to this - if your web service uses HTTPS then the
traffic is encrypted, no client certificates needed.

That by itself does provide authentication and permissions, which I
think you will need to do through the web service. I believe that SOAP
requests can include user and password, and I'd guess that they would
also allow authentication via public/private key pairs.

(The above may be a bunch of hokum as I've never written any programs
that use SOAP - the above is gleaned from talking to real programmers
about SOAP).

Cheers,

Cliff

Daniel Pittman
2011-03-20 06:08:39 UTC
Post by Jim Cheetham
I have a server delivering a customer-facing service over ssh; as such
each client has a username & ssh keyfile to use for authentication,
and that's their only access.
I now want to expose a web service to them (related to their existing
service), and rather than start issuing passwords for authentication,
I would like to find some way of re-using their ssh keys -- even to
the extent of mandating a specific browser+plugin, which may well be
required.
Post by Cliff Pratt
I believe that you could use a Java applet in practically any browser, or a
standalone Java app and have no dependency on the browser.
I don't recall exactly what is required to get out of the sandbox, but
I believe it requires at least a signed certificate known to Java in
the browser to work. Without that you can't access local file
resources, so can't access the private SSH key.

[…]
That by itself does provide authentication and permissions, which I think
you will need to do through the web service. I believe that SOAP requests
can include user and password, and I'd guess that they would also allow
authentication via public/private key pairs.
(The above may be a bunch of hokum as I've never written any programs that
use SOAP - the above is gleaned from talking to real programmers about
SOAP).
You can do the same thing without SOAP: have your request include the
username and password. SOAP just codifies the body and headers in
HTTP; it doesn't add any fundamentally new features.

Regards,
Daniel
--
⎋ Puppet Labs Developer – http://puppetlabs.com
✉ Daniel Pittman <***@rimspace.net>
✆ Contact me via gtalk, email, or phone: +1 (503) 893-2285
♲ Made with 100 percent post-consumer electrons

Robin Sheat
2011-03-20 05:58:46 UTC
Post by Jim Cheetham
I have a server delivering a customer-facing service over ssh; as such
each client has a username & ssh keyfile to use for authentication,
and that's their only access.
I'm not sure about using SSH keys in a browser, but it would be easy to
use browser client certificates. It's well supported and doesn't require
anything really fancy to make it work. Then you just need to use the
common name value from the cert as your username (and verify the cert
chain), and you should be good.

Robin.
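Robin's approach in working form, as an added example that is not code from the thread: the web app takes the username from the client certificate's CN only after the web server reports that the chain verified. It assumes a WSGI app behind Apache mod_ssl with `SSLOptions +StdEnvVars`, which exports the handshake result as `SSL_CLIENT_VERIFY` and the subject CN as `SSL_CLIENT_S_DN_CN`; the account set is constructed for the example.

```python
"""Added example (not code from the thread): take the username from a
verified client certificate's CN.  Assumes a WSGI app behind Apache
mod_ssl with `SSLOptions +StdEnvVars`, which puts the handshake result in
SSL_CLIENT_VERIFY and the certificate's subject CN in SSL_CLIENT_S_DN_CN."""
from typing import Optional

# Constructed sample: the accounts that exist on the ssh side (hypothetical).
ACCOUNTS = {"alice", "bob"}


def username_from_client_cert(environ: dict, accounts: set) -> Optional[str]:
    """Return the username for this request, or None if it must be refused.

    mod_ssl reports NONE (no certificate sent), FAILED:<reason> (the chain
    did not verify) or SUCCESS.  With `SSLVerifyClient optional` the request
    still reaches the app in the first two cases, so the status has to be
    checked explicitly before the CN means anything.
    """
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    cn = environ.get("SSL_CLIENT_S_DN_CN", "").strip()
    # A certificate your CA signed is not automatically an account: map the
    # CN onto the accounts you actually provisioned.
    if not cn or cn not in accounts:
        return None
    return cn


def app(environ, start_response):
    """Minimal WSGI app gated on the check above."""
    user = username_from_client_cert(environ, ACCOUNTS)
    if user is None:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"client certificate required\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {user}\n".encode()]
```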


Nick Rout
2011-03-20 07:31:04 UTC
Post by Jim Cheetham
I have a server delivering a customer-facing service over ssh; as such
each client has a username & ssh keyfile to use for authentication,
and that's their only access.
I now want to expose a web service to them (related to their existing
service), and rather than start issuing passwords for authentication,
I would like to find some way of re-using their ssh keys -- even to
the extent of mandating a specific browser+plugin, which may well be
required.
I don't think I can get sufficient identifying information at the web
service end of a standard "ssh tunnel to the service", but I may have
overlooked something. Not sure I can get id from the SOCKS proxy mode
of ssh, either ...
The web service is unwritten, so it could use pretty much any
framework; if there was one out there that had plugins for ssh
authentication I'd love to know.
Has anyone seen such a beast, or at least come up with some useful
search terms I could try for more research?
landonline (the government land registry, where everyone's titles are
recorded) uses an ssl certificate installed in the client browser
(plus a password) to authenticate. Every user has an individual
certificate. Once authenticated a remote windows (citrix) session is
started.

salesdirect.co.nz (for recording land sales information to the local
council) also authenticates via an ssl certificate, again installed
into your browser (no password on that one). This is a web browser
based application.

Whether you can leverage an ssh certificate the same way is unknown to me.

Peter Lambrechtsen
2011-03-20 08:28:47 UTC
Post by Nick Rout
Post by Jim Cheetham
I have a server delivering a customer-facing service over ssh; as such
each client has a username & ssh keyfile to use for authentication,
and that's their only access.
I now want to expose a web service to them (related to their existing
service), and rather than start issuing passwords for authentication,
I would like to find some way of re-using their ssh keys -- even to
the extent of mandating a specific browser+plugin, which may well be
required.
I don't think I can get sufficient identifying information at the web
service end of a standard "ssh tunnel to the service", but I may have
overlooked something. Not sure I can get id from the SOCKS proxy mode
of ssh, either ...
The web service is unwritten, so it could use pretty much any
framework; if there was one out there that had plugins for ssh
authentication I'd love to know.
Has anyone seen such a beast, or at least come up with some useful
search terms I could try for more research?
landonline (the government land registry, where everyone's titles are
recorded) uses an ssl certificate installed in the client browser
(plus a password) to authenticate. Every user has an individual
certificate. Once authenticated a remote windows (citrix) session is
started.
salesdirect.co.nz (for recording land sales information to the local
council) also authenticates via an ssl certificate, again installed
into your browser (no password on that one). This is a web browser
based application.
Whether you can leverage an ssh certificate the same way is unknown to me.
You could, but normally when you use Client Certificates either you mint
them yourself and run your own ring of trust, or you get them minted by
Verisign or similar SSL CAs and cross verify them against them.

The best plan is to swap over to SSL Client Certs for both WebService and
for SSH access.

There are patches for OpenSSH that enable X.509 (aka SSL) support here:
http://roumenpetrov.info/openssh/

I've also used client SSL certificates on a hardware token and used Putty SC
which lets you do auth: http://www.joebar.ch/puttysc/ . There is also a new
branch called putty-cac (http://www.risacher.org/putty-cac/) which seems to
have newer builds. This is pretty slick on Windows.

YMMV ;)

But if you have further questions or want some help with setup I am happy to
help

Cheers

Peter
Peter Lambrechtsen
2011-03-20 09:00:33 UTC
Post by Peter Lambrechtsen
You could, but normally when you use Client Certificates either you mint
them yourself and run your own ring of trust, or you get them minted by
Verisign or similar SSL CAs and cross verify them against them.
The best plan is to swap over to SSL Client Certs for both WebService and
for SSH access.
http://roumenpetrov.info/openssh/
I've also used client SSL certificates on a hardware token and used Putty
SC which lets you do auth: http://www.joebar.ch/puttysc/ . There is also a
new branch called putty-cac (http://www.risacher.org/putty-cac/) which seems
to have newer builds. This is pretty slick on Windows.
A few more links: after a bit of googling around I found a PKCS11 to Microsoft
MS-CAPI bridge here:
https://lists.owasp.org/pipermail/owasp-webscarab/2010-October/001123.html
Specifically, the DLL in that post is what you need.

Seems to work fine with the built-in Microsoft Certificate store and lets me
log in to my Linux boxes using a self-signed cert, using Putty-Cac.

Cheers

Peter
Jim Cheetham
2011-03-21 21:25:57 UTC
On Sun, Mar 20, 2011 at 9:28 PM, Peter Lambrechtsen
Post by Peter Lambrechtsen
The best plan is to swap over to SSL Client Certs for both WebService and
for SSH access.
http://roumenpetrov.info/openssh/
That does sound like a good idea. That patch has been around for a
very long time, but we have to patch the ssh client end as well, which
seems more problematical (i.e. I don't like changing things on
customer servers) than just giving the end-user a browser plugin.

Yubikeys don't really help; nice things that they are (I have a few)
but don't fit well with the use-case I have. You can think of them as
an alternative to an SSL client certificate (especially for people
with the Chrome browser, which doesn't support client SSL certificates
at all)

I think I'm going to have to look at some kind of hack around setting
up an ssh tunnel to provide authentication to the web service ...
perhaps a small proxy that adds AUTH based on $HOME files. That should
be easy to put together.

-jim

Hadley Rich
2011-03-21 21:36:11 UTC
Post by Jim Cheetham
You can think of them as
an alternative to an SSL client certificate (especially for people
with the Chrome browser, which doesn't support client SSL certificates
at all)
Not quite true; I use the StartSSL website, which is authenticated by
client cert, in Chromium on Linux. As per here:

http://code.google.com/p/chromium/wiki/LinuxCertManagement

It's not pretty of course, but it does "work".

hads
--
http://nicegear.co.nz
New Zealand's Open Source Hardware Supplier


Peter Lambrechtsen
2011-03-21 21:40:40 UTC
Post by Jim Cheetham
On Sun, Mar 20, 2011 at 9:28 PM, Peter Lambrechtsen
Post by Peter Lambrechtsen
The best plan is to swap over to SSL Client Certs for both WebService and
for SSH access.
http://roumenpetrov.info/openssh/
That does sound like a good idea. That patch has been around for a
very long time, but we have to patch the ssh client end as well, which
seems more problematical (i.e. I don't like changing things on
customer servers) than just giving the end-user a browser plugin.
If your users are windows users, using Putty-CAC and the P11-CAPI.DLL should
sort you out nicely and let you issue Client SSL Certs, but won't work for
non-windows clients.

Happy to talk offline about how this could be quickly / easily done :)

Cheers

Peter
Jim Cheetham
2011-03-29 21:44:08 UTC
Post by Jim Cheetham
I think I'm going to have to look at some kind of hack around setting
up an ssh tunnel to provide authentication to the web service ...
perhaps a small proxy that adds AUTH based on $HOME files. That should
be easy to put together.
First pass solution: a fake auth forward proxy that sits between the
user & the app, adding authentication headers based on username &
$SSH_CONNECTION

http://inode.co.nz/faking-single-factor-authentication-%E2%80%94-ssh-keys-for-http-auth

-jim
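An added example in the shape of the proxy Jim describes above (my code, not the proxy from his post or the linked article): it runs inside the user's ssh session, takes the identity sshd already established from $USER and $SSH_CONNECTION, strips any identity headers the client supplied itself, and forwards the request to the web app with the vouched-for identity added. The header names, the backend address and the listening port are assumptions for the example.

```python
"""Added example, not the proxy from Jim's post: a minimal auth-adding
forward proxy.  It runs as the ssh-authenticated user on the ssh server,
reads the identity sshd established from $USER and $SSH_CONNECTION, and
forwards each request to the web app with that identity in headers.
Header names, backend address and port are assumptions."""
import os
import http.client
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple

BACKEND = ("127.0.0.1", 8080)   # assumed: the web app, reachable on loopback only
USER_HEADER = "X-SSH-User"      # assumed header names the app will trust
CONN_HEADER = "X-SSH-Client"
HOP_BY_HOP = {"connection", "proxy-connection", "host", "content-length",
              "transfer-encoding"}


def identity_from_env(env: dict) -> Optional[Tuple[str, str]]:
    """Return (username, client_ip) from sshd's environment, or None.

    SSH_CONNECTION is "client_ip client_port server_ip server_port" and is
    only set when sshd started this process, so its absence means we are
    not inside an ssh-authenticated session and must vouch for nobody.
    """
    conn = env.get("SSH_CONNECTION", "").split()
    user = env.get("USER") or env.get("LOGNAME")
    if len(conn) != 4 or not user:
        return None
    return user, conn[0]


def forwarded_headers(incoming, identity: Tuple[str, str]) -> dict:
    """Copy the request headers minus hop-by-hop ones and minus any identity
    headers the client sent itself, then add the identity sshd vouched for.
    Dropping first is what stops a client from naming someone else."""
    drop = HOP_BY_HOP | {USER_HEADER.lower(), CONN_HEADER.lower()}
    out = {k: v for k, v in incoming.items() if k.lower() not in drop}
    out[USER_HEADER], out[CONN_HEADER] = identity
    return out


class AuthProxy(BaseHTTPRequestHandler):
    identity = identity_from_env(os.environ)

    def do_GET(self):
        if self.identity is None:
            self.send_error(403, "no ssh session identity")
            return
        backend = http.client.HTTPConnection(*BACKEND, timeout=10)
        backend.request("GET", self.path,
                        headers=forwarded_headers(self.headers, self.identity))
        resp = backend.getresponse()
        body = resp.read()
        self.send_response(resp.status)
        for k, v in resp.getheaders():
            if k.lower() not in HOP_BY_HOP:
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Loopback only: the user reaches it through their own ssh port forward.
    HTTPServer(("127.0.0.1", 8081), AuthProxy).serve_forever()
```

The web app must accept these headers only from the proxy (for instance by listening on loopback alone), since anyone who can reach the app directly could otherwise set them.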


Reed Wade
2011-03-20 08:45:11 UTC
SSL client certs would work but are very easy for the user to
configure incorrectly and open access to anyone who might have access
to their machine -- plus it makes it hard for the user to use the
service on a different machine (unless they start sprinkling that cert
all over the place).

I've never used it, but maybe---

http://www.yubico.com/yubikey

-reed
Post by Jim Cheetham
I have a server delivering a customer-facing service over ssh; as such
each client has a username & ssh keyfile to use for authentication,
and that's their only access.
I now want to expose a web service to them (related to their existing
service), and rather than start issuing passwords for authentication,
I would like to find some way of re-using their ssh keys -- even to
the extent of mandating a specific browser+plugin, which may well be
required.
I don't think I can get sufficient identifying information at the web
service end of a standard "ssh tunnel to the service", but I may have
overlooked something. Not sure I can get id from the SOCKS proxy mode
of ssh, either ...
The web service is unwritten, so it could use pretty much any
framework; if there was one out there that had plugins for ssh
authentication I'd love to know.
Has anyone seen such a beast, or at least come up with some useful
search terms I could try for more research?
-jim