SSH-style public key authentication for web app login


After reading a few articles about the drawbacks of passwords (users
always use the same one, they're too eager to tell other people their
passwords, they keep forgetting them, etc), I was wondering if it was
possible to use a key-based authentication method with PHP instead.

My idea is that when you first use a given web app, you'd upload a
public key generated on your machine with the SSH tools, puttygen, or
whatever.  On subsequent visits the script would check that the user
has the private key that matches their public key.  This would happen
automatically without the user having to identify themselves via a log
in page.

Is this possible with PHP?  I did try googling for PHP public key
authentication but didn't find much useful information regarding it.

Re: SSH-style public key authentication for web app login

Gordon wrote:


I think you can research into SSL client certificates. You know, part of all
that "https" stuff.

$_SERVER['SSL_CLIENT_CERT'] plus the SSL functions should be able to take
care of that. Issuing certificates and stuff won't be trivial, but may give
you the desired result.

Iván Sánchez Ortega -ivan-sanchezortega-es-
Proudly running Debian Linux with 2.6.30-1-amd64 kernel, KDE 3.5.10, and PHP
5.2.11-1 generating this signature.
Uptime: 15:40:09 up 39 days,  5:11,  5 users,  load average: 1.83, 1.71,

Re: SSH-style public key authentication for web app login

On Wed, 21 Oct 2009 06:15:22 -0700 (PDT), Gordon wrote:

You'd have to write the support for it. It is possible to write it in
php. I can think of a lot of reasons that this isn't a good idea,
though. That discussion's probably a little off-topic...

45. I will make sure I have a clear understanding of who is responsible for
    what in my organization. For example, if my general screws up I will not
    draw my weapon, point it at him, say "And here is the price for failure,"
    then suddenly turn and kill some random underling. --Evil Overlord List

Re: SSH-style public key authentication for web app login

Gordon wrote:

Not with PHP, it isn't.  Since PHP is server side, you couldn't read a
file on the client's system unless they specifically upload it.  And
Javascript can't read a file on the client's system for security reasons.

But this also would be of limited use.  How would they access your site
from another system, i.e. work or internet cafe?  And if they share
passwords, what keeps them from sharing the private key file (i.e.
placing it on that internet cafe computer)?

Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.

Re: SSH-style public key authentication for web app login


Yes, but you may need additional software *on the client side*, which
is problematical.


There are several reasons why this won't happen *automatically*:

1.  The user needs to be able to choose which private key to use.
    Hopefully he is using a different key for each web site that does
    authentication for this.
2.  There's no software that will automatically deal with a challenge-
    response for SSH keys that is present on existing browsers.  There
    *is*, however, such code in existing browsers for SSL certificates,
    although it will often ask users for permission or which certificate
    to use.


What might work:

1.  User obtains or generates a SSL certificate.
    This may be a problem since Apache-ssl tries to verify the
    certificate chain.  Self-signed certificates are a possibility
    here if you can get Apache to accept them.  User installs this
    certificate in his browser.

    As an alternative, it is possible you (the site operator) might
    generate the user certificates yourself, with the certificates
    signed by your own certificate authority.  In this case, you
    accept certificates signed by your own authority only.  It might
    be as simple for the user as "click here to download your
    certificate" and have it installed in the browser.  Use the
    "common name" field to identify the account on your site.

2.  User goes to a https: section of your web site which allows the
    user to tie authentication for his account with the *certificate
    he's using now*.  The browser will probably ask whether to present
    a certificate, and which one, at this point.

    This requires the "ExportCertData" options in apache-ssl to
    have Apache pass on the user certificate in the variable
    SSL_CLIENT_CERT in $_SERVER, so PHP can get hold of it.  (Don't
    enable this for static content on your https server:  it's a
    performance killer.)  Save this certificate and associate it
    with this user's account.  Apache has already verified it.

3.  Later, the user goes back to the site, to a https-protected login area.
    This area should require a user certificate (so Apache will
    have verified it before showing the page).  The user should be
    asked which certificate to present.  Apache will verify it.
    Take SSL_CLIENT_CERT and compare it to the one associated with
    the account.  (Note: since a user *could* associate the same
    certificate with different accounts, you likely still have to
    ask which account he's logging in to, or forbid the use of the
    same certificate for multiple accounts.)

Most certificates identify people by the name embedded in the
certificate.  Since I can generate a self-signed certificate with
any name on it, or one signed by my made-up certificate authority,
you can't go by the name; you must check the *WHOLE CERTIFICATE*.
When the certificate expires, you'll need to re-register it to
use it to log in again.

In normal use, the issuing authority verifies the identity of the
certificate holder before issuing one, and the issuing authority
has to be one that's well-known, like Verisign, whose certificate
is distributed with browsers.
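
Steps 2 and 3 of the post above, as an added example that is not part of the original post: it stores and compares a SHA-256 fingerprint of the whole certificate (in place of the PEM text itself), rejects certificates outside their validity period, and forbids one certificate on two accounts. The function names and the array-backed store are hypothetical; it assumes PHP 7.1+ with the openssl extension and mod_ssl's `SSLOptions +ExportCertData`.

```php
<?php
// Added example. Assumes Apache mod_ssl with "SSLOptions +ExportCertData" on the
// protected location, so the verified PEM is in $_SERVER['SSL_CLIENT_CERT'].
// SHA-256 over the whole DER certificate; null if unparsable or outside validity.
function cert_fingerprint(?string $pem): ?string
{
    $cert = ($pem === null || $pem === '') ? false : openssl_x509_read($pem);
    $info = $cert === false ? false : openssl_x509_parse($cert);
    if ($info === false) return null;
    if (time() < $info['validFrom_time_t'] || time() > $info['validTo_time_t']) return null;
    $fp = openssl_x509_fingerprint($cert, 'sha256');
    return $fp === false ? null : $fp;
}

// Tie a certificate to an account; refuse one already tied to a different account.
function register_cert(array &$store, string $account, ?string $pem): bool
{
    $fp = cert_fingerprint($pem);
    if ($fp === null) return false;
    $owner = array_search($fp, $store, true);
    if ($owner !== false && (string)$owner !== $account) return false;
    $store[$account] = $fp;
    return true;
}

// Account the certificate logs in to, or null. The subject name is never consulted.
function login_with_cert(array $store, ?string $pem): ?string
{
    $fp = cert_fingerprint($pem);
    if ($fp === null) return null;
    foreach ($store as $account => $stored) {
        if (hash_equals($stored, $fp)) return (string)$account;
    }
    return null;
}

// Constructed sample input: a throwaway self-signed certificate with the given CN.
function demo_cert(string $cn): string
{
    $key = openssl_pkey_new(['private_key_bits' => 2048]);
    $csr = openssl_csr_new(['commonName' => $cn], $key);
    openssl_x509_export(openssl_csr_sign($csr, null, $key, 30), $pem);
    return $pem;
}

$store = [];                     // hypothetical store: account => fingerprint
$mine  = demo_cert('gordon');    // in a real page: $_SERVER['SSL_CLIENT_CERT'] ?? null
$fake  = demo_cert('gordon');    // same name, different key and certificate
var_dump(register_cert($store, 'gordon', $mine),
         login_with_cert($store, $mine), login_with_cert($store, $fake));
```

The second certificate carries the same common name but has a different fingerprint, which is why the lookup is keyed on the whole certificate and not on the name.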

Re: SSH-style public key authentication for web app login


If the client connects from a computer which you trust there are solutions
for SSO (single sign-on).

If your clients are using Windows, NTLM is probably the most common
solution for SSO, /

If your clients are using Linux or some other Unix it is probably easiest
to build a solution which depends on identd (RFC 1413).

However all SSO solutions are in practice only usable on intranets as they
all require that you can trust the client machines.

regards Henrik
The address in the header is only to prevent spam. My real address is:
hc3(at) Examples of addresses which go to spammers:
root@localhost postmaster@localhost
