> On Jul 1, 2020, at 02:15, Nikos Mavrogiannopoulos <n...@redhat.com> wrote:
>
> On Tue, Jun 30, 2020 at 1:59 AM Felipe Gasper <fel...@felipegasper.com>
> wrote:
>>
>> Hello,
>>
>> I want to rig up a simple authentication based on SSH keys but over a
>> preexisting TLS connection.
>>
>> Since TLS already handles the encryption, would the authentication be
>> as simple as verifying a decode of a string that the public key encodes?
>>
>> Is there any prior art for this?
>>
>> (I realize this isn’t really on-topic for this list, but I’m not sure
>> where else to ask … ?)
>
> If you have a TLS channel you could use the raw public key
> authentication (rfc7250) feature of TLS to authenticate each party. In
> that case it doesn't matter whether you have SSH keys or any other
> types of keys, you only need to read them and feed them to your
> implementation as raw public keys. That way you stay within the TLS
> protocol design.
The problem is that we don’t know at TLS time which authentication mechanism
will be used: password, or SSH key. Otherwise, yeah, this would be perfect.
-F
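The application-layer challenge-response that the thread is circling, written out as an added example in Go (not code from the list, from GnuTLS, or from either poster). It assumes a few things the messages do not state: the SSH key is an Ed25519 key, stood in for here by a freshly generated pair instead of one parsed from the user's key file; the TLS channel binding is a constructed byte string where a real server would use a per-session value exported from the TLS connection (for example Go's `tls.ConnectionState.ExportKeyingMaterial`); and the label string is a made-up name for this protocol. The client signs a server-chosen nonce rather than decrypting a string, and the signed message includes the channel binding so a captured response is tied to the one TLS session it was produced on:

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Constructed label: keeps signatures made for this protocol distinct from
// anything else the same key might sign.
const authLabel = "ssh-key-auth-over-tls-v1"

const nonceLen = 32

// authorizedKeys is the list of public keys the server accepts for an account
// (the SSH "authorized_keys" role).
type authorizedKeys []ed25519.PublicKey

// newIdentity stands in for loading the client's SSH key. Constructed for this
// example: a real client would parse its Ed25519 key from the SSH key file.
func newIdentity() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// newNonce is the server's random, single-use challenge for one attempt.
func newNonce() ([]byte, error) {
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// challengeMessage is the exact byte string the client signs: label, nonce and
// channel binding, each length-prefixed so fields cannot be shifted into one
// another. The channel binding is assumed to be a per-session value exported
// from the TLS connection; including it means a signature captured from one
// session verifies on no other.
func challengeMessage(nonce, channelBinding []byte) []byte {
	var msg []byte
	for _, field := range [][]byte{[]byte(authLabel), nonce, channelBinding} {
		var l [4]byte
		binary.BigEndian.PutUint32(l[:], uint32(len(field)))
		msg = append(msg, l[:]...)
		msg = append(msg, field...)
	}
	return msg
}

// clientSign is the client side: sign the challenge rather than decrypt a
// server-encrypted string, so the client never acts as a decryption oracle.
func clientSign(priv ed25519.PrivateKey, nonce, channelBinding []byte) []byte {
	return ed25519.Sign(priv, challengeMessage(nonce, channelBinding))
}

// serverVerify is the server side: the presented key must be on the account's
// authorized list, and the signature must cover this session's nonce and
// channel binding. The server must also discard the nonce after one use.
func serverVerify(authorized authorizedKeys, presented ed25519.PublicKey, nonce, channelBinding, sig []byte) bool {
	if len(nonce) != nonceLen || len(channelBinding) == 0 || len(presented) != ed25519.PublicKeySize {
		return false
	}
	known := false
	for _, k := range authorized {
		if bytes.Equal(k, presented) {
			known = true
		}
	}
	if !known {
		return false
	}
	return ed25519.Verify(presented, challengeMessage(nonce, channelBinding), sig)
}

func main() {
	pub, priv, err := newIdentity()
	if err != nil {
		panic(err)
	}
	nonce, err := newNonce()
	if err != nil {
		panic(err)
	}
	// Constructed channel-binding value; a real server takes it from the TLS layer.
	sessionA := []byte("constructed channel binding for session A")
	sig := clientSign(priv, nonce, sessionA)
	fmt.Println("valid response accepted:", serverVerify(authorizedKeys{pub}, pub, nonce, sessionA, sig))
	fmt.Println("same response replayed on another session accepted:",
		serverVerify(authorizedKeys{pub}, pub, nonce, []byte("session B"), sig))
}
```

The nonce answers the replay concern within one session, the channel binding answers replay across sessions, and the authorized-key lookup is what turns "this key signed it" into "this account authenticated"; the decision of password versus key can be taken at this layer after the TLS handshake, which is the constraint raised in the reply above.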