
Show HN: Keypub.sh – OAuth for the terminal using SSH keys

222 points, by messh, 5 months ago

Hi HN! I built KeyPub.sh to solve the problem of user verification for CLI applications. It's essentially OAuth for the terminal, but using SSH keys that developers and users already have.

- No installation needed - works with existing SSH setup
- Privacy-focused: users control what email info is shared
- Simple email verification process
- Free public service
- Perfect for CLI app developers who don't want to build user verification

Try it with: `$ ssh keypub.sh about`

Source code: https://github.com/skariel/keypub

19 comments

gwynforthewyn, 5 months ago

Sounds like a similar family of problems to [Wish](https://github.com/charmbracelet/wish) by charm.sh. They've been pushing this curious paradigm of "ssh apps", where ssh keys are used to automatically create identities for small self-hosted CLI/TUI apps.

As a useful comment for messh, it looks like you've committed the ssh_server binary file to git; you may want to add that to gitignore, as binary file handling isn't a traditional git strength. I _think_ it's better than it was a decade ago when I last investigated this, but I can see that Pro Git still recommends explicitly setting gitattributes to mark a file as binary: https://git-scm.com/book/en/v2/Customizing-Git-Git-Attributes#Binary-Files
aftbit, 5 months ago

When you say "OAuth", what exactly do you mean? It looks like this is really just a tool for associating email addresses with SSH keys.

This is an interesting concept, but it smells a bit like a solution in search of a problem. Perhaps it will feel more useful to me once there are two or three SSH apps that I want to access. Even then, I would suggest that prospective SSH app developers just lean on github's public SSH keys instead, as basically all developers will have a github account and this reduces your (already high, relative to webapp) startup friction.
wutwutwat, 5 months ago

```go
).WHERE(
    AND(
        table.SSHKeys.Email.EQ(String(to_email)),
        table.SSHKeys.Fingerprint.EQ(String(fingerprint)),
    ),
)
```

If not using a `citext` column then you're going to want to normalize (ie downcase/tolower) everywhere you're doing arbitrary string comparisons, or you're going to get incorrect counts.

Also I don't see any null or "" checking taking place before querying...

I'm not going to trust that your service can give me any reasonable confidence about the identity of the ssh key or the email it's attached to.

That aside, I'm not understanding what the goal here is. I've never once needed my ssh key tied to my email address, but if I did, it's included in the public key already...
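An added example, not code from KeyPub or from the commenter, that isolates the two problems raised in the comment above: a lookup that compares raw strings misses a registration stored with different letter case, and it runs happily on blank input. The table, the rows, `canonEmail`/`canonFingerprint` and `countNaive`/`countNormalized` are all constructed for this illustration and assume nothing about the project's real schema or query builder:

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// keyRecord stands in for one row of the SSHKeys table the quoted query reads:
// the registered email and the fingerprint of the key bound to it.
// Constructed sample type, not the project's schema.
type keyRecord struct {
	Email       string
	Fingerprint string
}

// sampleTable is constructed data. The first row was stored with the address
// exactly as the user typed it, mixed case and all.
var sampleTable = []keyRecord{
	{Email: "Alice@Example.com", Fingerprint: "SHA256:abc123"},
	{Email: "bob@example.com", Fingerprint: "SHA256:def456"},
}

var (
	errEmptyInput   = errors.New("email and fingerprint must both be non-empty")
	errInvalidEmail = errors.New("email address must contain '@'")
)

// canonEmail is the comparison form of an address: trimmed and lower-cased.
// This is what a citext column would give you for free.
func canonEmail(email string) string {
	return strings.ToLower(strings.TrimSpace(email))
}

// canonFingerprint trims whitespace and upper-cases the hash-name prefix
// ("sha256:" -> "SHA256:"). The base64 digest after the colon is
// case-sensitive and must be left alone.
func canonFingerprint(fp string) string {
	f := strings.TrimSpace(fp)
	if i := strings.IndexByte(f, ':'); i > 0 {
		f = strings.ToUpper(f[:i]) + f[i:]
	}
	return f
}

// countNaive mirrors the quoted query: raw string equality, no normalisation
// and no empty-input check, so a caller passing "" and "" would still count
// any row that happens to have empty columns.
func countNaive(table []keyRecord, email, fp string) int {
	n := 0
	for _, r := range table {
		if r.Email == email && r.Fingerprint == fp {
			n++
		}
	}
	return n
}

// countNormalized rejects blank or malformed input up front and compares
// canonical forms on both sides, so "Alice@Example.com" and
// "alice@example.com" count as the same registration.
func countNormalized(table []keyRecord, email, fp string) (int, error) {
	e, f := canonEmail(email), canonFingerprint(fp)
	switch {
	case e == "" || f == "":
		return 0, errEmptyInput
	case !strings.Contains(e, "@"):
		return 0, errInvalidEmail
	}
	n := 0
	for _, r := range table {
		if canonEmail(r.Email) == e && canonFingerprint(r.Fingerprint) == f {
			n++
		}
	}
	return n, nil
}

func main() {
	fmt.Println("naive:", countNaive(sampleTable, "alice@example.com", "SHA256:abc123"))
	n, err := countNormalized(sampleTable, " ALICE@example.com ", "sha256:abc123")
	fmt.Println("normalized:", n, err)
	_, err = countNormalized(sampleTable, "", "SHA256:abc123")
	fmt.Println("blank input:", err)
}
```

Normalising at the application layer only works if every code path that reads or writes the column does it; a `citext` column (or a unique index on `lower(email)`) moves that guarantee into the database where it cannot be forgotten.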
raggi, 5 months ago

No SSHFP record, TOFU clients. This is not secure.

I wish people would stop trying to use SSH for things like this. PKI has features that are missing here and those features matter.

This is unsafe.

"but raggi, mitm before tofu is a really unrealistic scenario"

ok, well, consider that some large percentage of gas stations in the US have hardware installed to skim your credit cards. those same folks are perfectly well motivated to drop a wifi dns mitm in conference buildings (trivial). new tech conference, handful of credit cards as people gossip about exactly these kinds of things in the hallway track. the roi on these installs would be pretty high, because tech folks tend to have a high credit balance. so yeah, "totally unrealistic" (this is more about terminal.shop, but same principle here as soon as someone uses it for actual value).
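An added example, not part of the project or of the comment above, of the record the comment says is missing. It derives an SSHFP record (algorithm 4 for Ed25519, fingerprint type 2 for SHA-256) and the matching `SHA256:` fingerprint that ssh prints from a single OpenSSH public-key line, checking along the way that the declared key type agrees with the type embedded in the key blob. The key is constructed (its 32 bytes are simply 0x01..0x20), `example.com.` is a placeholder host name, and the function names are this example's own:

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// sshfpAlgorithm maps OpenSSH key types to SSHFP algorithm numbers
// (RSA and DSA from RFC 4255, ECDSA from RFC 6594, Ed25519 from RFC 7479).
var sshfpAlgorithm = map[string]int{
	"ssh-rsa":             1,
	"ssh-dss":             2,
	"ecdsa-sha2-nistp256": 3,
	"ecdsa-sha2-nistp384": 3,
	"ecdsa-sha2-nistp521": 3,
	"ssh-ed25519":         4,
}

// parseAuthorizedKey takes one public key line ("<type> <base64> [comment]"),
// decodes the wire-format blob and checks that the type name embedded in the
// blob matches the declared type, so a mislabelled line is rejected early.
func parseAuthorizedKey(line string) (keyType string, blob []byte, err error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return "", nil, errors.New("expected '<type> <base64> [comment]'")
	}
	blob, err = base64.StdEncoding.DecodeString(fields[1])
	if err != nil {
		return "", nil, fmt.Errorf("bad base64: %w", err)
	}
	// The blob starts with a length-prefixed string naming the key type.
	if len(blob) < 4 {
		return "", nil, errors.New("key blob too short")
	}
	n := int(binary.BigEndian.Uint32(blob[:4]))
	if n < 0 || 4+n > len(blob) {
		return "", nil, errors.New("key blob truncated")
	}
	if got := string(blob[4 : 4+n]); got != fields[0] {
		return "", nil, fmt.Errorf("declared type %q but blob says %q", fields[0], got)
	}
	return fields[0], blob, nil
}

// sha256Fingerprint renders the fingerprint the way ssh prints it:
// "SHA256:" plus the unpadded base64 of SHA-256 over the key blob.
func sha256Fingerprint(blob []byte) string {
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// sshfpRecord builds the DNS record (fingerprint type 2 = SHA-256) that lets a
// client running with VerifyHostKeyDNS check the host key against DNSSEC-signed
// data instead of trusting whatever the first connection presents. It carries
// the same digest as the displayed fingerprint, just hex-encoded.
func sshfpRecord(host, pubKeyLine string) (string, error) {
	keyType, blob, err := parseAuthorizedKey(pubKeyLine)
	if err != nil {
		return "", err
	}
	alg, ok := sshfpAlgorithm[keyType]
	if !ok {
		return "", fmt.Errorf("no SSHFP algorithm number for %q", keyType)
	}
	sum := sha256.Sum256(blob)
	return fmt.Sprintf("%s IN SSHFP %d 2 %s", host, alg, hex.EncodeToString(sum[:])), nil
}

// sampleHostKey is a CONSTRUCTED ed25519 public key line whose 32 key bytes
// are 0x01..0x20. It is not anyone's real host key; it only has the right
// wire format for the parser above.
var sampleHostKey = func() string {
	var buf bytes.Buffer
	putString := func(b []byte) {
		binary.Write(&buf, binary.BigEndian, uint32(len(b)))
		buf.Write(b)
	}
	putString([]byte("ssh-ed25519"))
	key := make([]byte, 32)
	for i := range key {
		key[i] = byte(i + 1)
	}
	putString(key)
	return "ssh-ed25519 " + base64.StdEncoding.EncodeToString(buf.Bytes()) + " constructed-sample"
}()

func main() {
	rec, err := sshfpRecord("example.com.", sampleHostKey)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	_, blob, _ := parseAuthorizedKey(sampleHostKey)
	fmt.Println(rec)
	fmt.Println(sha256Fingerprint(blob))
}
```

On the client side the record only helps when `VerifyHostKeyDNS` is enabled and the DNS answer is DNSSEC-validated; OpenSSH treats a matching but unvalidated SSHFP record as a hint and falls back to the usual first-connection prompt, which is exactly the TOFU situation the comment objects to. For a real host, `ssh-keygen -r <hostname>` prints the records from the installed host keys.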
xyst, 5 months ago

I agree with other commenters that the "oauth" keyword in title is misleading. I assumed this was compliant with oauth spec.

It's an interesting service, but I doubt I would use this for anything serious beyond toy apps.

There was an article in October mentioning CF acquiring a company that dabbled in this space though. [1]

It's more for managing authN/Z for internal infra (k8s, servers,) but via existing IdP (with MFA). Underlying tech is "openpubkey". [2]. I can see this adapted towards authN for CLI apps.

Wanted to test this on my homelab infra but life has gotten in the way.

[1] https://news.ycombinator.com/item?id=41923429

[2] https://github.com/openpubkey/openpubkey
hirsin, 5 months ago

Oauth usually implies some variability of access - ie selective permissions. Is this more a pure authn layer as opposed to authz?

You have a repo on GitHub... Have you looked at using account public keys for anything? Ie https://github.com/hpsin.keys I hear a lot about how those keys should get used to bootstrap pki systems but I've not seen it happen yet.
jclulow, 5 months ago

Care should always be taken when using an SSH client to connect to untrusted hosts. Make sure you’re not actually forwarding your SSH agent to the remote host, or they’ll be able to hijack your keys. Consider also that any output is processed by your terminal, and there have been a number of serious security bugs in terminal escape sequence handling in a variety of terminal emulators in the past.
sneak, 5 months ago

OAuth means a specific technical thing, and this is not that thing.
bramhaag, 5 months ago

PGP keys are associated with emails and there are various fully decentralized options to discover these keys (keyservers, WKD, ...). (How) does Keypub improve on this?
mooreds, 5 months ago

Why not use the device grant?

It's designed for this use case (among others), is standards compliant, and leverages the OAuth ecosystem.

RFC: https://datatracker.ietf.org/doc/html/rfc8628

An example golang CLI tool that uses it: https://fusionauth.io/blog/building-cli-app-with-device-grant-and-golang
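To make the suggestion concrete, here is an added example (not the FusionAuth code linked above and not KeyPub's) of the RFC 8628 exchange between a CLI and an authorization server, both sides in one file. The authorization server is a constructed in-memory mock with made-up codes and a fixed token; the endpoint paths, the `client_id`, and the rule that the mock "user" approves after a fixed number of pending polls are this example's assumptions, chosen so a run is deterministic:

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"sync"
	"time"
)

const deviceGrantType = "urn:ietf:params:oauth:grant-type:device_code"

// deviceAuthResponse is the Device Authorization Response of RFC 8628 section 3.2.
type deviceAuthResponse struct {
	DeviceCode      string `json:"device_code"`
	UserCode        string `json:"user_code"`
	VerificationURI string `json:"verification_uri"`
	ExpiresIn       int    `json:"expires_in"`
	Interval        int    `json:"interval"`
}

// tokenResponse covers both the success and the error shape of the token endpoint.
type tokenResponse struct {
	AccessToken string `json:"access_token,omitempty"`
	TokenType   string `json:"token_type,omitempty"`
	Error       string `json:"error,omitempty"`
}

// mockAuthServer is a constructed in-memory authorization server, not any real
// provider. A real server marks a device code approved when the user enters the
// user_code in a browser; this one does so after approveAfterPolls pending polls.
type mockAuthServer struct {
	mu                sync.Mutex
	approved          map[string]bool // device_code -> user has approved
	interval          int             // polling interval handed to the client, in seconds
	approveAfterPolls int
	pendingPolls      int
}

func newMockAuthServer(interval, approveAfterPolls int) *mockAuthServer {
	return &mockAuthServer{approved: map[string]bool{}, interval: interval, approveAfterPolls: approveAfterPolls}
}

func (m *mockAuthServer) handler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/device_authorization", func(w http.ResponseWriter, r *http.Request) {
		m.mu.Lock()
		defer m.mu.Unlock()
		m.approved["dc-1"] = false // constructed codes; real servers generate random ones
		json.NewEncoder(w).Encode(deviceAuthResponse{DeviceCode: "dc-1", UserCode: "WDJB-MJHT",
			VerificationURI: "https://as.example/device", ExpiresIn: 600, Interval: m.interval})
	})
	mux.HandleFunc("/token", func(w http.ResponseWriter, r *http.Request) {
		r.ParseForm()
		m.mu.Lock()
		defer m.mu.Unlock()
		code := r.PostForm.Get("device_code")
		approved, known := m.approved[code]
		resp, status := tokenResponse{}, http.StatusBadRequest
		switch {
		case r.PostForm.Get("grant_type") != deviceGrantType:
			resp.Error = "unsupported_grant_type"
		case !known:
			resp.Error = "invalid_grant"
		case !approved: // section 3.5: keep the client waiting until the user acts
			resp.Error = "authorization_pending"
			m.pendingPolls++
			if m.pendingPolls >= m.approveAfterPolls {
				m.approved[code] = true // simulated user approval
			}
		default:
			resp, status = tokenResponse{AccessToken: "tok-constructed", TokenType: "Bearer"}, http.StatusOK
		}
		w.WriteHeader(status)
		json.NewEncoder(w).Encode(resp)
	})
	return mux
}

// postForm sends a form-encoded POST and decodes the JSON body (success or error) into out.
func postForm(endpoint string, form url.Values, out interface{}) error {
	resp, err := http.PostForm(endpoint, form)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	return json.NewDecoder(resp.Body).Decode(out)
}

// runDeviceFlow is the CLI side: request codes, show them to the user, then poll
// the token endpoint at the server's interval until approval, expiry or a hard error.
func runDeviceFlow(base string, showUser func(deviceAuthResponse)) (string, error) {
	var da deviceAuthResponse
	if err := postForm(base+"/device_authorization", url.Values{"client_id": {"cli-example"}}, &da); err != nil {
		return "", err
	}
	showUser(da)
	interval := time.Duration(da.Interval) * time.Second
	deadline := time.Now().Add(time.Duration(da.ExpiresIn) * time.Second)
	for time.Now().Before(deadline) {
		time.Sleep(interval)
		var tr tokenResponse
		err := postForm(base+"/token", url.Values{"grant_type": {deviceGrantType},
			"device_code": {da.DeviceCode}, "client_id": {"cli-example"}}, &tr)
		switch {
		case err != nil:
			return "", err
		case tr.Error == "":
			return tr.AccessToken, nil
		case tr.Error == "slow_down": // section 3.5: add 5 s to the polling interval
			interval += 5 * time.Second
		case tr.Error != "authorization_pending": // access_denied, expired_token, ...
			return "", errors.New("token endpoint: " + tr.Error)
		}
	}
	return "", errors.New("device code expired before the user approved")
}

func main() {
	srv := httptest.NewServer(newMockAuthServer(0, 2).handler())
	defer srv.Close()
	tok, err := runDeviceFlow(srv.URL, func(da deviceAuthResponse) {
		fmt.Printf("Visit %s and enter code %s\n", da.VerificationURI, da.UserCode)
	})
	fmt.Println(tok, err)
}
```

The mock hands out `interval: 0` only so the run finishes instantly; real servers send 5 or more, and a client that ignores the interval or the `slow_down` error will be rate-limited. The CLI never learns a user password and never holds a browser session, which is what makes the flow fit a terminal that cannot open a redirect URI.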
tonymet, 5 months ago

I love that you are approaching this space. SSH keys are an under-valued identity credential. Most big companies I've worked at have a clumsy sync & storage system that I think you could sell to.

I'd encourage the next version using a more distributed approach (instead of a centralized credential DB & email token). A gpg signature or CA (using openssl) are alternative trust models that would provide trust without the DB
SoftTalker, 5 months ago

I'm not sure I understand what this is useful for. I have dozens of ssh keys I use for various services. Do I register all of them?
lormayna, 5 months ago

A few years ago, I worked on integrating SSH through a major IdP via PAM modules. It was a bit tricky (especially because of a bug in PAM in CentOS) but in the long run it worked fine.
lufte, 5 months ago

"about" didn't work for me but "help" did.
wkat4242, 5 months ago

I really wish I could have the opposite. To authenticate with my SSH key (openpgp on yubikey) on the web.

I'm not really happy with the Fido options.
qudat, 5 months ago

Nice job! Have you thought about implementing 2fa? I know platform.sh supports 2fa via ssh.
h43z, 5 months ago

Just a reminder for everyone that by default SSH leaks all of the below public keys (if they exist) + all public keys in your ssh-agent to every server you connect to.

```
~/.ssh/id_ecdsa.pub
~/.ssh/id_ecdsa_sk.pub
~/.ssh/id_ed25519.pub
~/.ssh/id_ed25519_sk.pub
~/.ssh/id_xmss.pub
~/.ssh/id_dsa.pub
```

Your "leaked" public keys can be used to check if a certain server recognizes that key.
johntdyer, 5 months ago

Looks interesting but your tls cert isn’t valid on your site
tonymet, 5 months ago

> Lightweight alternative to OAuth for CLI applications - just use SSH keys that users already have

I'd love to see more support for this application. I've contributed a number of oauth-based CLI apps and the user onboarding step (3-legged init) is atrocious.