A secure PHP web application that provides SSH key-based authentication through a challenge-response protocol. This server-side component works in conjunction with the ssh-auth-extension Chromium browser extension to enable passwordless authentication using SSH keys.
Traditional password-based authentication has significant security and usability challenges. This webapp implements a modern approach using asymmetric cryptography (SSH keys) for user authentication, providing:
- Decentralized Identity: Users maintain full control over their private keys
- Universal Authentication: Works across participating web services
- Automatic Login: Seamless authentication once configured
- Maximum Security: Cryptographic strength of SSH key authentication
- Privacy Protection: No external transmission of sensitive key material
- SSH Key Registration: Secure account creation with SSH public key storage
- Challenge-Response Authentication: Stateless verification using cryptographic signatures
- Session Management: Secure HTTP-only cookies with automatic expiration
- Account Management: User profile and SSH key management interface
- XSS Prevention: Input sanitization and output encoding
- CSRF Protection: Token-based form validation
- HTTPS Enforcement: Secure transport requirements
- Key Security: Public key only storage (private keys remain client-side)
- Progressive Enhancement: Graceful degradation without extension
- Responsive Design: Mobile-friendly interface
- Clear Feedback: Comprehensive error messages and status indicators
- Accessibility: Screen reader compatible and keyboard navigable
┌─────────────────┐    ┌─────────────────┐    ┌─────────────────┐
│   Web Browser   │    │   Web Server    │    │    MySQL DB     │
│                 │    │  (Apache/PHP)   │    │                 │
│ ┌─────────────┐ │◄──►│                 │◄──►│ ┌─────────────┐ │
│ │ssh-auth-    │ │    │ ┌─────────────┐ │    │ │user_accounts│ │
│ │extension    │ │    │ │PHP App      │ │    │ │table        │ │
│ └─────────────┘ │    │ └─────────────┘ │    │ └─────────────┘ │
└─────────────────┘    └─────────────────┘    └─────────────────┘
- Challenge Generation: Server creates random challenge encrypted with user's SSH public key
- Challenge Presentation: Encrypted challenge sent to client via web form
- Extension Processing: Browser extension decrypts challenge using user's private key
- Response Submission: Extension provides cryptographic signature for verification
- Verification: Server validates signature against original challenge
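The five steps above, sketched end to end with PHP's OpenSSL extension. This is an added example, not code from ssh-auth-webapp or ssh-auth-extension. It assumes an RSA key whose public half is available to the server in PEM form, OAEP padding, SHA-256 signatures and a 60-second challenge lifetime; the function names are hypothetical and the extension side is simulated in the same script.

```php
<?php
// Added illustration of the challenge-response flow; not the project's code.
declare(strict_types=1);
const CHALLENGE_TTL = 60; // seconds a challenge stays valid (assumed value)

// Steps 1-2: random challenge, encrypted to the user's public key. The server
// keeps the plaintext and expiry; only 'wire' is sent to the client.
function issueChallenge(string $publicPem, int $now): array
{
    $challenge = random_bytes(32);
    if (!openssl_public_encrypt($challenge, $encrypted, $publicPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('encryption failed');
    }
    return ['plain' => $challenge, 'expires' => $now + CHALLENGE_TTL, 'wire' => base64_encode($encrypted)];
}

// Steps 3-4: the private-key holder decrypts the challenge and signs it.
function answerChallenge(string $wire, string $privatePem): string
{
    $cipher = base64_decode($wire, true);
    if ($cipher === false || !openssl_private_decrypt($cipher, $plain, $privatePem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('decryption failed');
    }
    if (!openssl_sign($plain, $signature, $privatePem, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    return base64_encode($signature);
}

// Step 5: verify against the original challenge; each challenge is single use.
function verifyResponse(?array &$pending, string $response, string $publicPem, int $now): bool
{
    if ($pending === null) {
        return false; // no outstanding challenge, e.g. a replayed response
    }
    $record = $pending;
    $pending = null; // consume the challenge before checking anything else
    $sig = base64_decode($response, true);
    if ($sig === false || $now > $record['expires']) {
        return false;
    }
    return openssl_verify($record['plain'], $sig, $publicPem, OPENSSL_ALGO_SHA256) === 1;
}

// Constructed demo key pair, generated locally for this example only.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
openssl_pkey_export($key, $privatePem);
$publicPem = openssl_pkey_get_details($key)['key'];
$pending = issueChallenge($publicPem, time());
$response = answerChallenge($pending['wire'], $privatePem);
var_dump(verifyResponse($pending, $response, $publicPem, time())); // first submission
var_dump(verifyResponse($pending, $response, $publicPem, time())); // same response submitted again
```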
- PHP: 7.4+ with OpenSSL extension
- MySQL: 5.7+ for user account storage
- Apache: 2.4+ with mod_php
- HTML5: Semantic markup and forms
- CSS3: Responsive styling and animations
- JavaScript (ES6+): Client-side validation and extension communication
- OpenSSL: Cryptographic operations
- PHP Sessions: Secure session management
- Content Security Policy: XSS prevention
- Operating System: Linux (Ubuntu/Debian recommended)
- Web Server: Apache 2.4+ with mod_php
- Database: MySQL 5.7+ or MariaDB 10.3+
- PHP: 7.4+ with required extensions:
  - mysqli
  - openssl
  - session
- Chromium-based browsers: Chrome 88+, Edge 88+, Brave, etc.
- ssh-auth-extension: Required for authentication functionality
- Git: Version control
- Composer: PHP dependency management (if needed)
- SSH Client: For deployment and testing
git clone https://github.com/jetpen/ssh-auth-webapp.git
cd ssh-auth-webapp
cd tests
bash setup_test_env.sh
# edit test_context.sh with location and credentials for accessing the web server
bash setup_test_env.sh
# login to web server and verify that the files have correct permissions
Create a MySQL database and user:
CREATE DATABASE ssh_auth_db;
CREATE USER 'ssh_auth_user'@'localhost' IDENTIFIED BY 'your_secure_password';
GRANT ALL PRIVILEGES ON ssh_auth_db.* TO 'ssh_auth_user'@'localhost';
FLUSH PRIVILEGES;
Copy includes/config-template.php to includes/config.php and edit:
define('DB_HOST', 'localhost');
define('DB_NAME', 'ssh_auth_db');
define('DB_USER', 'ssh_auth_user');
define('DB_PASS', 'your_secure_password');
Configure Apache virtual host pointing to src/ directory:
<VirtualHost *:80>
ServerName your-domain.com
DocumentRoot /path/to/ssh-auth-webapp/src
<Directory /path/to/ssh-auth-webapp/src>
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
Configure SSL certificate (Let's Encrypt recommended):
sudo certbot --apache -d your-domain.com
Access https://your-domain.com/setup.php to create database tables by clicking the button.
- Visit the application homepage
- Click "Sign Up" to create an account
- Provide unique username and SSH public key
- Account created successfully
- Access protected pages (e.g., account summary)
- If unauthenticated, redirected to login challenge
- ssh-auth-extension automatically processes challenge
- Successful authentication redirects to intended page
- Users generate SSH keys using standard tools (ssh-keygen)
- Public keys uploaded during registration
- Private keys remain securely stored client-side
- Extension manages private key operations
# Install vendor packages
composer install
# Configure test context
cp tests/test_context.sh.template tests/test_context.sh
# Edit tests/test_context.sh with your values
# Set up test environment with vendor packages
./tests/setup_test_vendor.sh
# Set up test environment with app
./tests/setup_test_app.sh
Additional steps must be taken to change user and group ownership of the files on the Web server. Also, change the permissions on the files and directories to enable the Web server to read them.
- Unit Tests: PHP syntax validation completed
- Integration Tests: Manual browser testing with extension
- Security Tests: Input validation and XSS prevention verified
- tests/setup_test_env.sh: Remote deployment setup
- tests/test_context.sh.template: Test configuration template
ssh-auth-webapp/
├── src/                    # Web application source
│   ├── index.php           # Landing page
│   ├── signup.php          # Account creation
│   ├── account.php         # Protected account page
│   ├── auth.php            # Authentication handler
│   ├── setup.php           # Database setup
│   ├── logout.php          # Session cleanup
│   ├── includes/           # PHP libraries
│   │   ├── config.php      # Database configuration
│   │   ├── functions.php   # Utility functions
│   │   └── auth.php        # Authentication logic
│   ├── css/                # Stylesheets
│   └── js/                 # Client-side scripts
├── tests/                  # Test scripts and configuration
├── memory-bank/            # Project documentation
└── README.md               # This file
- Fork the repository
- Create feature branch: git checkout -b feature/your-feature
- Make changes following PHP best practices
- Test thoroughly with ssh-auth-extension
- Submit pull request
- PHP: PSR-12 coding standards
- Security: OWASP guidelines compliance
- Documentation: Comprehensive inline comments
- Testing: Manual testing with extension required
- Use GitHub Issues for bug reports
- Include browser version and extension status
- Provide steps to reproduce issues
- Include relevant log entries
This project is licensed under the Apache License - see the LICENSE file for details.
- ssh-auth-extension: Chromium browser extension for SSH key operations
- OpenSSH: SSH protocol implementation
- PHP OpenSSL: Cryptographic operations
- Never transmit private keys over any network
- Client-side storage only for private keys
- Extension custody of cryptographic operations
- HTTPS required for all communications
- Secure session cookies with proper expiration
- Input validation on all user data
- Regular security updates for all components
- Unique SSH keys per service recommended
- Regular key rotation for enhanced security
- Backup strategies for account recovery
- Memory Bank - Comprehensive project documentation
- API Reference - Technical specifications
- Issues: Bug reports and feature requests
- Discussions: General questions and community support
Built with ❤️ using PHP, MySQL, and modern web standards