
Ask HN: Why is SSH So Seldom Used to Login to Websites? - Normille
Many of us who maintain servers will be logging into them via SSH. It takes a bit of setting up on the command line to create the key pairs to start with. But, once it&#x27;s done, it&#x27;s pretty seamless; we can login without having to bother with a password.<p>I&#x27;ve often wondered why the same system is never[0] used more generally for accessing websites where we need to login?<p>It seems to me that wrapping in a user-friendly GUI; the various terminal commands for creating an SSH key pair and making the public key available &#x27;somewhere&#x27; for upload would be a fairly simple task. Likewise with providing a GUI to allow the user to then send that public key to any website that the user wanted to create a login for.<p>From a security point of view, it would also seem to be a no-brainer.  The key uploaded to the website is the public key, so any security breach on that website would only net the hackers a load of public keys which are openly available anyway.<p>This kind of login would do away with the need to remember any passwords at all [not even a master password for a password manager] and would also seem to mitigate the danger of people using the same password on various sites.  It wouldn&#x27;t matter if someone used the same public key on various sites, as it&#x27;s not meant to be a secret anyway.<p>I&#x27;m not a security expert. So no doubt I&#x27;m missing some really obvious downside here --the only one I can think of is that we&#x27;d need a different &#x27;login&#x27; for each device you use, which would somehow need to be linked together into the same user account on any website-- but, apart from that I can&#x27;t see why SSH logins are not more widely used.<p>So, come on you smart HN-ers. What glaringly obvious gotcha have I overlooked?<p>[0] The only site I can think of that allows me to login with my SSH public key is Github. And, even then, the setup involves creating the key via terminal and then pasting it into a form. Definitely not something granny could do.
======
phillipseamore
Client certificates are standardized for TLS over HTTP and most web servers
and user agents support them. It's never caught on though in general usage,
I've only ever used it on some highly specific B2B sites and banking a decade
ago. Client certificates are usually not issued by a real CA, but rather by
the site itself, so it's fundamentally similar to SSH.

------
staktrace
WebAuthn is basically this, public key crypto applied to web login.

