SSH public key authentication - what do you think?

caffeinatedblocks
New member
Posts: 3
Joined: Fri Feb 10, 2023 17:19
GitHub: caffeinatedblocks
IRC: caffeinatedblocks
In-game: caffeinatedblocks

SSH public key authentication - what do you think?

by caffeinatedblocks » Post

I would like to add SSH public key authentication to Minetest, but I will not do it unless I know it will be accepted by the core dev team.

This would enable password-less registration and authentication to public servers, and also help pave the way for totally encrypted communication between client/server.

If this interests you, and you'd like to see this added to Minetest, please speak up and show your support.

GitHub Issue #13267

Xerenogan
Member
Posts: 14
Joined: Thu May 11, 2023 15:27
GitHub: Xerenogan
IRC: awells
In-game: Xerenogan

Re: SSH public key authentication - what do you think?

by Xerenogan » Post

This would be fantastic as an optional way to authenticate for those that know how, and I would love to see something like that done. You have a thumbs up from me for what it's worth.

ywwv
Member
Posts: 299
Joined: Mon Jan 18, 2021 11:51

Re: SSH public key authentication - what do you think?

by ywwv » Post

hi caffeinated blocks. encryption between the client and server can be accomplished with TLS or noise. You can use an OpenSSL API compatible crypto library for TLS or for noise use an implementation here: https://noiseprotocol.org/ the main issue with encryption is security certificates, not password auth. servers would have to acquire certificates in some way, or the client would have to trust all certs.

SSH private keys are very sensitive information and with client side mods on the roadmap it may not be prudent to reuse this infrastructure within minetest. Instead of reading private keys directly, this would need to be implemented with an "ssh-agent" software or the "Pageant" software that comes with PuTTY. sadly Pageant does not seem to be well documented. as a result there may be some difficulty integrating this software, which is already esoteric and not well understood by the userbase.

I would recommend that minetest uses a more forward looking standard like WebAuthn (https://w3c.github.io/webauthn/) using a separate authenticator software to the client itself from the open ecosystem of webauthn authenticators.

I won't use github because it's a microsoft platform. but you are welcome to copy paste this to the discussion there. it will surely clear up the confusion around this issue
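An added example, not part of the post above and not Minetest code: a sketch of how a client could hand a login challenge to a running ssh-agent for signing instead of reading the private key file itself. The message numbers come from the SSH agent protocol draft; the `auth_message` layout and the `minetest-auth-v1` label are assumptions made for illustration.

```python
import os
import socket
import struct

# Message numbers defined by the SSH agent protocol (draft-miller-ssh-agent).
SSH_AGENT_FAILURE = 5
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14

def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data  # uint32 length, then the bytes

# Hypothetical layout: a fixed label and the server id wrap the server-chosen
# nonce, so the signed bytes cannot double as a message of another protocol.
def auth_message(server_id: str, nonce: bytes) -> bytes:
    return ssh_string(b"minetest-auth-v1") + ssh_string(server_id.encode()) + ssh_string(nonce)

def build_sign_request(key_blob: bytes, message: bytes, flags: int = 0) -> bytes:
    body = (bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob)
            + ssh_string(message) + struct.pack(">I", flags))
    return ssh_string(body)  # agent frames are length-prefixed too

def parse_sign_response(frame: bytes) -> bytes:
    # Returns the signature blob from an agent reply and rejects anything else.
    if len(frame) < 5 or struct.unpack(">I", frame[:4])[0] != len(frame) - 4:
        raise ValueError("malformed agent frame")
    body = frame[4:]
    if body[0] == SSH_AGENT_FAILURE:
        raise PermissionError("agent refused to sign")
    if body[0] != SSH_AGENT_SIGN_RESPONSE or len(body) < 5:
        raise ValueError("unexpected agent reply")
    (sig_len,) = struct.unpack(">I", body[1:5])
    if sig_len != len(body) - 5:
        raise ValueError("signature length mismatch")
    return body[5:]

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the connection")
        buf += chunk
    return buf

def sign_with_agent(key_blob: bytes, message: bytes) -> bytes:
    """Have the running agent sign; the private key never enters this process."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(os.environ["SSH_AUTH_SOCK"])
        sock.sendall(build_sign_request(key_blob, message))
        header = _recv_exact(sock, 4)
        return parse_sign_response(header + _recv_exact(sock, struct.unpack(">I", header)[0]))
```

`sign_with_agent` needs a Unix-socket agent reachable through `SSH_AUTH_SOCK`; Pageant on Windows uses a different transport and is not covered here.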

ywwv
Member
Posts: 299
Joined: Mon Jan 18, 2021 11:51

Re: SSH public key authentication - what do you think?

by ywwv » Post

erm. wrong account

snowyu
Member
Posts: 25
Joined: Mon Jun 07, 2021 06:42
GitHub: snowyu

Re: SSH public key authentication - what do you think?

by snowyu » Post

Hi, caffeinated blocks.

Thank you for your message regarding adding password-less registration and authentication to Minetest. Here I would like to suggest that you consider using OpenPGP, which is a versatile standard for encrypting and signing data.

OpenPGP is based on a decentralized trust model, which means that there is no central authority or certificate authority (CA) that issues and manages certificates. Instead, each user generates their own public and private key pair, and signs other users' public keys to create a web of trust. This can provide greater flexibility and independence for users.

OpenPGP is a more flexible and powerful standard for key management. It allows users to revoke and expire keys, create subkeys for specific purposes, and manage key trust relationships through a web of trust.

One of the benefits of OpenPGP's subkey feature is that it allows users to create separate keys for specific purposes, such as signing, encryption, and authentication. This can provide greater security and flexibility than using a single key for all purposes. For example, if a user's signing key is compromised, their encryption and authentication keys can still be used to protect their data and authenticate their identity.

In addition to OpenPGP, there are also open-source cryptographic libraries that you can consider using in your application, such as Botan and RNP. Botan is a C++ library that provides a wide range of cryptographic primitives, while RNP is a C library that provides support for OpenPGP and S/MIME.

I hope this information is helpful to you. If you have any further questions or concerns, please do not hesitate to reach out.
