SSH with Facebook Auth

bhhaskin 9 years ago |

Wouldn't this give Facebook indirect control over your server? If Facebook wanted to they could just ban your account. Or change your password. Also it is far more likely that a hacker is going to gain access to your Facebook account over well protected SSH.

nl 9 years ago | |

In this specific case, yes. But this is a specific, fun, "try out a server" thing.

In "real life" you can setup SSH to fall back to other methods. See the howtos for setting up 2-Factor Auth[1] for example.

[1] https://www.digitalocean.com/community/tutorials/how-to-set-...

eatbitseveryday 9 years ago | |

I think the idea is that you would use their service to specify the authentication method, and they would provide the ability to log in via that specification. They aren't forcing you to use FB; it is merely a demo of one of many authentication methods they'd be able to let you choose from:

> an experiment where you can share your servers with your friends by using Facebook as the authentication mechanism. It’s a quick way to show how versatile the ScaleFT authentication platform can be: Give us a reliable authentication mechanism, and we can log you into a server with it.

bhhaskin 9 years ago | | |

Still. The idea that it is a service means that you are still handing over indirect control.

russell_h 9 years ago | | |

Hey, one of the founders of ScaleFT here.

You're absolutely right that when you're using ScaleFT you're trusting both us (as operators of the CA) and your identity provider (in this case Facebook, but we have a bunch of other options more suitable for most businesses).

Handing over control isn't necessarily a bad thing. For example, I trust Google to operate a secure and reliable email service much more than I trust myself, leaving me to focus on my area of expertise. But trust is a complex thing and there are certainly situations where handing control to any third party is unacceptable.

For organizations that require complete control we can integrate with any SAML or OpenID Connect identity system, and we offer an on-premise version of ScaleFT.

0xmohit 9 years ago | | |

> I trust Google to operate a secure and reliable email service much more than I trust myself

Hopefully, Google would soon integrate features that let it auto-reply to your incoming messages. It can be trusted more, after all.

cvs268 9 years ago | | |

> I trust Google to operate a secure and reliable email service much more than I trust myself

This sentence has got nothing to do with trust. You believe (maybe rightly so) that Gmail is more secure and reliable than any solution that can be cobbled-up individually.

Simply replacing "believe" with "trust" doesn't really mean the same though. English is a funny language. But then again that's what you probably meant when you said "Trust is a complex thing". Hmmmm... :)

castratikron 9 years ago |

Tell me when the opposite happens, when I can use a key pair to login to Facebook.

xufi 9 years ago | |

and still have them ask for your phone number! . I'd also love if you could log in to Messages with a key pair

findyoucef 9 years ago |

This sounds like a horrible idea.

0xmohit 9 years ago | |

This is yet another neat mechanism of giving up control. By using Google/Chrome, you inform Google of pretty much what you're doing. Now the same thing is being extended to ssh.

nl 9 years ago |

I think [1] is a better link, which actually explains how it works.

[1] https://coreos.com/blog/international-friendship-day.html

visarga 9 years ago |

I'd downvote this if I had the points. It's anti-security to trust your SSH login to anyone.

unixhero 9 years ago |

You've got to be kidding me.

0xmohit 9 years ago |

Facebook: All your servers are belong to us.

LinuxBender 9 years ago |

If this becomes popular, I will build a new internet.

LinuxBender 9 years ago | |

Someone is even beating me to it. [1]

[1] https://news.ycombinator.com/item?id=12256866