
Notes on the SSH3 plugin system

Open EthanHeilman opened this issue 1 year ago • 0 comments

The SSH3 authentication plugin system was introduced in https://github.com/francoismichel/ssh3/pull/135

SSH3 uses init to enable a plugin to register itself as a server-side or client-side auth plugin.

  • A client-side auth plugin is how the client adds its authentication to a request
  • A server-side auth plugin is how the server checks the authentication the client added (server-side auth is not how the server authenticates itself to the client)

How SSH3 authenticates with ssh keys

SSH3-privkey-auth

Should be fairly simple to add since the existing plugin uses ssh keys. SSH3 creates a JWT called token:

import (
  "fmt"
  "time"
  "github.com/golang-jwt/jwt/v5"
)

// Wrapper added so the snippet compiles; the arguments are the values the surrounding SSH3 code supplies.
func newAuthToken(signingMethod jwt.SigningMethod, key any, username, b64ConvID string) (string, error) {
  token := jwt.NewWithClaims(signingMethod, jwt.MapClaims{
    "iss":       username,
    "iat":       jwt.NewNumericDate(time.Now()),
    "exp":       jwt.NewNumericDate(time.Now().Add(10 * time.Second)),
    "sub":       "ssh3",
    "aud":       "unused",
    "client_id": fmt.Sprintf("ssh3-%s", username),
    "jti":       b64ConvID,
  })
  signedString, err := token.SignedString(key)
  return signedString, err
}

where key is the ssh key and b64ConvID is the conversation id. They then set the JWT as the HTTP Authorization header. As the conversation id is unpredictable and set by the server, this JWT acts as a POP (Proof of Possession) of the ssh key.

How to add OpenPubkey as a plugin

SSH3-openpubkey-auth

We can almost completely reuse this pattern in OpenPubkey.

Create JWT that includes PK Token and is signed with user's signing key.

The main unknown is how to determine which identity and OpenID Providers to trust. This is likely already solved in SSH3 as it supports OIDC. I just need to figure out how SSH3 does this.

EthanHeilman, May 07 '24 19:05
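The proof-of-possession exchange described in the issue, as a self-contained Go example added here (it is not code from the issue, from SSH3 or from OpenPubkey): the server mints an unpredictable conversation ID, the client signs the SSH3 claim set with its ed25519 ssh key and echoes the ID in "jti", and the server accepts only a token whose signature verifies under the key it already authorizes for that user and whose "jti" is the ID it issued. The function names, the 32-byte ID size and the hand-rolled EdDSA JWS encoding (standard library only, standing in for the jwt library the SSH3 snippet uses) are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// authClaims mirrors the claim set of the SSH3 token quoted in the issue.
type authClaims struct {
	Iss      string `json:"iss"`
	Iat      int64  `json:"iat"`
	Exp      int64  `json:"exp"`
	Sub      string `json:"sub"`
	Aud      string `json:"aud"`
	ClientID string `json:"client_id"`
	Jti      string `json:"jti"`
}

var b64 = base64.RawURLEncoding

// newConvID is the server side: an unpredictable conversation ID the client must echo in "jti" (32 bytes is an assumed size).
func newConvID() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return b64.EncodeToString(buf), nil
}

// signAuthToken is the client side: a compact EdDSA JWS over the claims, signed with the user's ed25519 ssh key.
func signAuthToken(priv ed25519.PrivateKey, username, convID string, now time.Time) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	body, _ := json.Marshal(authClaims{ // fixed-type values, Marshal cannot fail
		Iss: username, Iat: now.Unix(), Exp: now.Add(10 * time.Second).Unix(),
		Sub: "ssh3", Aud: "unused",
		ClientID: fmt.Sprintf("ssh3-%s", username), Jti: convID,
	})
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sig := ed25519.Sign(priv, []byte(signingInput))
	return signingInput + "." + b64.EncodeToString(sig)
}

// decodePart base64url-decodes one JWS segment and unmarshals it into v.
func decodePart(part string, v any) error {
	raw, err := b64.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// verifyAuthToken is the server side: the signature must verify under the key
// the server already authorizes for this user, and "jti" must equal the
// conversation ID this server issued, so a captured token cannot be replayed.
func verifyAuthToken(pub ed25519.PublicKey, token, username, convID string, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := decodePart(parts[0], &hdr); err != nil || hdr.Alg != "EdDSA" {
		return errors.New("unreadable header or unexpected alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return errors.New("signature does not verify under the authorized key")
	}
	var c authClaims
	if err := decodePart(parts[1], &c); err != nil {
		return err
	}
	if c.Jti != convID {
		return errors.New("jti is not this conversation's ID (replay or wrong session)")
	}
	if c.Iss != username || c.Sub != "ssh3" {
		return errors.New("unexpected iss or sub")
	}
	if now.Unix() < c.Iat || now.Unix() >= c.Exp {
		return errors.New("token outside its 10 second validity window")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	convID, _ := newConvID()
	tok := signAuthToken(priv, "alice", convID, time.Now())
	fmt.Println("same conversation:", verifyAuthToken(pub, tok, "alice", convID, time.Now()))
}
```

The checks a captured token fails are what make this a proof of possession rather than a bearer token: presenting it in another conversation fails the jti comparison, and the 10 second exp bounds how long even a same-conversation replay stays usable. For the OpenPubkey variant the issue sketches, the claim set would additionally carry the PK Token, and which identities and OpenID Providers to trust is the open question the issue raises.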