In our case the program calculates tax liability from demographic and income information, but there are many potential uses, such file format conversions, statistical processing, etc. This type of service is usually provided via a webpage, but common browsers require substantial knowledge to script, and we want our tax calculator to be callable from within the users favorite statistical analysis program.
Notice that by secure, we mean in the sense that a public water fountain can be secure (against damage or misuse) without excluding any person from taking a drink. So we have no interest in using certificates to bypass passwords.
We should pick a protocol that is scriptable, widely available, and routinely allowed through firewalls. "Available" means available by default as many ptotential users are prohibited by security policies from installing software. The windows ftp client is scriptable, but institutional firewalls often block the only connection type provided by Windows ftp. None of the browsers are scriptable except by very knowledgable programmers.
We note that all Linux and OSX computers, and the Windows 10/11 OS since August 2nd, 2016 come with a functioning ssh client, (openssh) so we use that for the network connection.
We suppose that the filter program is prog and the userid for clients to use is proguser. We will use /bin/prog as the shell for that login, and publicize that login id. ssh conveniently will pass input redirected from a file to the specified shell. However, if users are to embed the process in scripts sshd will need to avoid prompting the user for a password, certificat authorization or printing a gratuitous hello message. So merely publishing the password with the login id is insufficient. Instead we modify several host configuration files.
port 22
port 80
port 443
to sshd_config
so that users behind ultra-strict firewalls could use the traditional http
ports, which are almost never restricted. Of course that means you can't
run a webserver on the same machine.
The first option disables host key checking where there is
no entry for the host, and the second option disables it
for the case where there is already an entry for the host.
Those actions would otherwise cause user prompts. Note that
there may be an ECDSA warning, but it goes to standard error
so that it won't disturb standard out.
It is of course quite a security hole if prog
allows user to start a shell, or has any buffer overflow
bugs. In our case the program was a fortran program that
reads lists of integers, and it does not call any external
programs. We could be sure that no input could cause
problems. sshd uses the user's default shell to
execute any passed commands, so that is not a way to
bypass prog.
We find that many users have very limited control of
their computing environment and are not sophisticated with
respect to modern computing patterns. In many cases it
would take years to obtain permission to install a binary,
and many users do not have access to compilers. Asking a
non-computing professional to deal with certificates is a
major obstacle to adoption and would not suppress all
prompts. Of course, everyone can upload from a browser,
but we wanted users to be able to embed the calculations
in a script written by us, or by themselves. Netcat would
solve many of our problems, but is not part of the default
install in any widely used system. Using ssh meets nearly
everyone's needs.
This has been tested on Freebsd 11.2,12.1 and 13.0. I don't see
why essentially the same thing shouldn't work in Linux (subject
to differences in the pam.d file names), but I haven't
tried it. Nor have I tried using pam_exec(8). Comments
and suggestions are welcome.
Widoch blogs knowledgably on this topic for Linux systems. See also
this on FreeBSD
.
Rationale
Daniel Feenberg
feenberg@nber.org
27 April 2023