
SSH Key Based API Authentication - HerrSpace
https://blog.the-space.agency/2020/03/16/ssh-key-based-api-authentication/
======
tptacek
_any worthwhile API should offer some form of public /private key cryptography
based authentication._

No. In fact, for API authentication, you want generally the least amount of
cryptography you can get away with. A 128-bit random token, if you can. An
HMAC'd token if you can't; if that's not enough, and you absolutely have to, a
symmetrically-encrypted token. Asymmetric cryptography in an API design is
usually a design smell, and a weakness.

This design, in particular, seems like a very bad idea. The reuse of any
cryptography key in a new, different context should always make you break out
in hives.
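
The token ladder described in the comment above (an opaque 128-bit random bearer token, then an HMAC'd token when the server needs to validate without a lookup), as an added Python example; this is not code from the article or from anyone in the thread, and the in-memory store, the server key and the `client.expiry.tag` token layout are assumptions chosen for illustration:

```python
import hashlib
import hmac
import secrets

# Tier 1: an opaque 128-bit random bearer token. The server keeps only a hash
# of it, so a leaked token table does not yield usable credentials.
def issue_random_token(store: dict) -> str:
    token = secrets.token_hex(16)                      # 16 bytes = 128 bits
    store[hashlib.sha256(token.encode()).hexdigest()] = True
    return token

def verify_random_token(store: dict, presented: str) -> bool:
    # Hash first, then look up: the comparison is on a fixed-length digest,
    # so no byte of the presented token is compared directly.
    return hashlib.sha256(presented.encode()).hexdigest() in store

# Tier 2: an HMAC'd token. One server-side secret; the token carries its own
# claims plus a tag, so validation needs no database round trip.
SERVER_KEY = secrets.token_bytes(32)                  # constructed for this example

def _tag(key: bytes, payload: str) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def issue_hmac_token(client_id: str, expires_at: int, key: bytes = SERVER_KEY) -> str:
    payload = f"{client_id}.{expires_at}"
    return f"{payload}.{_tag(key, payload)}"

def verify_hmac_token(token: str, now: int, key: bytes = SERVER_KEY):
    """Return the client id on success, None on any failure."""
    try:
        client_id, expires_at, tag = token.rsplit(".", 2)
    except ValueError:
        return None                                   # malformed token
    expected = _tag(key, f"{client_id}.{expires_at}")
    if not hmac.compare_digest(expected, tag):        # constant-time MAC check
        return None
    if not expires_at.isdigit() or int(expires_at) < now:
        return None                                   # expired or bad expiry
    return client_id

if __name__ == "__main__":
    db = {}
    t = issue_random_token(db)
    print("random token valid:", verify_random_token(db, t))
    h = issue_hmac_token("alice", 1_900_000_000)
    print("hmac token owner:", verify_hmac_token(h, 1_800_000_000))
```

Note that both tiers stay entirely symmetric: the only cryptography the client needs is none at all for tier 1, and none for tier 2 either, since the tag is produced and checked by the server alone.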

~~~
bobwaycott
Could you expand on the reasoning behind your comments a bit more—specifically
why this is bad for _APIs_?

I’m sure the OP and plenty of others would appreciate it.

~~~
detaro
These arguments apply pretty much universally. If you want additional ones
specific to APIs: People will likely want to talk to your API from all kinds
of environments/languages, and existence and quality of crypto APIs in those
will vary widely. It's also not something that's commonly done, so developers
are unfamiliar with it, which increases both their frustration and the risk
they make mistakes.

If you talk to public APIs, you're probably at some point encountering OAuth.
It's not an accident that OAuth 2 has gotten rid of crypto and instead leaves
it to the transport (HTTPS), where people are familiar with its use, nearly
always have libraries etc available that handle it correctly for them, and
upgrades on that layer, e.g. to new TLS versions, do not require OAuth 2 to
change.

------
psanford
Joyent did http request signing using ssh keys[0]. Their cli tools used this
mechanism. There's been some effort to carry this forward through the
standards process[1].

I'm not going to comment on whether this is a _good idea_. It is a clever way
to leverage tools already available in dev environments to deploy API keys
with encryption and hooked into your OS keyring (via the ssh-agent).

[0]: [https://github.com/joyent/node-http-signature/blob/master/http_signing.md](https://github.com/joyent/node-http-signature/blob/master/http_signing.md)

[1]: [https://datatracker.ietf.org/doc/draft-cavage-http-signatures/](https://datatracker.ietf.org/doc/draft-cavage-http-signatures/)

------
shurco
We made sharing of server access simple and secure. Now users connect to all
servers accessible to them, with a single sign-on using their login and their
private key. We do not change the way to work on servers, we change the way to
connect to them. Easy to use - [https://werbot.com](https://werbot.com) It is
relevant now!!

