ENHANCEMENT: New credential and authentication system

billchurch / webssh2

Web SSH Client using ssh2, socket.io, xterm.js, and express. webssh webssh2

MIT License

2.34k stars 534 forks source link

ENHANCEMENT: New credential and authentication system #247

Open billchurch opened 3 years ago

billchurch commented 3 years ago

A new method to collect credentials is required to work around browser incompatibilities and support alternate methods of authentication.

Goals of this enhancement:

[x] Retain ability to use HTTP Basic (should be the default setting)
[ ] Ability to send credentials over a websocket connection (no HTTP first) #245
[ ] Support injection of an RSA private key for authentication #219
[x] Support taking credentials from a form or modal (potentially submitting credentials over websocket above) #159
[ ] Support Keyboard Interactive authentication to support 2fa use cases #224
[ ] Support ability to "logout" and prevent replaying credentials from the client (as with HTTP Basic) #216
[ ] Support session limits (log off user after x seconds/minutes/house #198
[x] Investigate potential for taking credentials as GET vars (not sold on it, but won't rule it out)

billchurch commented 3 years ago

PassportJS seems like a logical way to accomplish this, with the ability to extend more in the future...

billchurch commented 3 years ago

0.5.0-dev-0 has the first attempts at getting this working under passport.js

/reauth on HTTP Basic isn't working in Chrome now... This might have been a fluke that it worked at all, not done trying but this may end up being a breaking change for HTTP Basic in 0.5.0 and we'll support some sort of forms based auth (modal , inline, or otherwise).

billchurch commented 3 years ago

0.5.0-dev-1

New route /ssh/login/host to gather username and password (required) credentials from either GET or POST
readme refactored a bit
PORT, LISTEN_IP, SESSION_NAME, SESSION_SECRET can be set as environment vars now and override any defaults or config.json
Remove auto port increment from ./app/index.js (f36af08)
Debug environment var
Refactored ./app/server/app.js
- Safe shutdown feature moved to ./app/server/safeShutdown.js and re-worked
- Session setup moved out of /ssh/host route into ./app/server/sessionSetup.js for readability and reuse for #247 for webssh2 changed from WebSSH2 to webssh2

pwFoo commented 2 years ago

Will webssh2 support public key login with hardware etoken and SafeNet Authentication Client? Is that possible? Would be awesome!

lucj commented 2 years ago

Hello, any plan to add authentication based on a ssh key instead of login / password ?

billchurch commented 2 years ago

Definitely have plans, been struggling with the best way to implement.

Taking direct private key is risky.

How to keep key safe server-side (in memory only)
How to take key, POST, web socket?
Integrate with Hashicorp Vault?
What other methods?

app commented 2 years ago

May be mTLS is what you looking for? )
https://en.wikipedia.org/wiki/Mutual_authentication
https://medium.com/@sevcsik/authentication-using-https-client-certificates-3c9d270e8326

billchurch commented 2 years ago

I do like mTLS and use it for a lot of other things. The main problem here is WebSSH2 isn't actually authenticating anything, it's just passing the credentials to the SSH server.

So, using mTLS is intriguing but the private key never leaves the client so even if we supported x509 over SSH we wouldn't be able to use an existing mTLS session to then do x509 to an SSH host.

That being said, ssh-rsa or ssh-dss are the most widely supported methods of getting private keys to a host. Perhaps integrating with something like hashicorp vault or something similar could be an answer. Or be modular enough that having x vendor's vault would be easy to support.