pushing this and this further (although rather in the wishlist priority): would it make sense for users to have a
$USER/credentials page that is by default locked to the user and admins, where the user can state one or more of the below?
- ssh public key (would require an additional mechanism for writing this to a
authorized_keysfile with appropriate environment variables or prefix that makes sure the commit is checked against the right user and that the user names agree)
- gpg public key (once there is a mechanism that relies on gpg for authentication))
- https certificate hash (don't know details; afair the creation of such certificates is typically initiated server-side)
- password hash (this is generally considered a valuable secret; is this still true with good hashes and proper salting?)
I was just thinking about something along these lines myself. The idea, if I understand correctly, is to allow users to have multiple login options all leading to the same identity. This would allow a user to login for example via either their Google account or their WordPress account, while still being identified as the same user.
However, I'm not sure this should be a static page (I guess you mean
$USER/credentials, I don't think ‘creditentials’ actually exists). Something entirely managed at the CGI level is probably better, as it also helps keeping the data in its place (such as ssh public keys in
having multiple login options leading to the same identity, and (more important to me) giving the user an easy way to review and edit them. i'm thinking a bit of foaf+ssl style "i am $USER and you can recognize me by my client certificate $CERTIFICATE" statements.
the reason why i want this in a static place instead of cgi level is that it can be used, for example, for automatically creating htpasswd files for read-only (cgi-less) replicas of private wikis. furthermore, it all gets versioned and it can easily be seen where the data really is. the credentials have to be filed appropriately by plugins anyway, but that can happen as a part of the regular rebuild process.
and yes, you're right about the word misusage; thanks for pointing it out and fixing it.
an issue to be considered: for ways of authentication that don't explicitly mention the user name (and that would be everything but password; especially OpenID), there has to be a way to prevent users from hijacking an admin's account. the user wouldn't get more privileges, but the admin could find himself logged in as a user instead of an admin when he logs in using his OpenID, for example. he could fix it by removing the openid from the user's ("his") page, but it has to be taken care of nevertheless. --chrysn