26 April, 2011

ssh-like login with openid

I rigged together shellinabox and mod_auth_openid with some custom PAM glue so people can log into my hobby server s0.barwen.ch with an in-browser terminal window and openid.

shellinabox is not ssh (although web-based ssh is a good approximation). Instead it seems to be AJAX-over-https (which is kinda wtf for terminal access, but hey it seems to work).

The way I've glued it together is: First you visit the login page. That is an openid protected CGI script. The script runs with your openid in $REMOTE_USER, and does three things: it maps your openid to a local username; it generates (via sudo) an authentication token for you; and it HTTP-meta-redirects you to a hacked version of shellinabox.

shellinabox gives you a login prompt, asking for username and password. My hacked version stuffs the username and authentication token from the previous step into the keyboard.

The token ends up at a custom PAM module which verifies that the token is valid (for that user, and within a small time window after issue) and lets you in.

Then you get your shell prompt.

This seems like an interesting addition to barwen.ch's collection of login methods.

If you want a play, you can sign up at s0.barwen.ch

Also, if you break this, let me know rather than deleting / ...


  1. Hi this is very interesting and kudos your service and what you have done here. I'm trying to do something similar with a customized webconverger colocation client kiosk. Basically just a browser-only where I will have a custom file-based homepage that will include shellinabox... however I want to have a user just to input any username and without a password and be able to login via shellinabox... then they would be in a jailed terminal via an auto-created chroot based on the username they enter... is this doable? My modifed webconverger has X restarting after 10 minutes of inactivity. So if I can get this to work I will also include in the reset X script to wipe out any user directories that were created by shellinabox. I'd be grateful for any help on this.

  2. so is the user already logged into your homepage somehow? as long as you can call out to a unix command just before login (eg via a CGI script) and pass it the real username that you trust (eg through your own homepage login) then this should work basically the same. email me benc@hawaga.org.uk and I'll send you the code (and maybe get round to packaging it for release)