My home network is currently sitting behind a DD-WRT router that I can access using public key authentication. Whenever I need to access something from my home network I can simply create an SSH tunnel from the DD-WRT router.
Providing my private key is kept safe and not compromised, I assume this is a pretty secure setup.
However, I would also like to be able to access the router even when I don't have an ssh client available and I only have a web browser available.
Can a secure solution be built (or are there existing services available) where I can use a web application (accessible via HTTPS) to access my router ?
I imagine the web application needs to be capable of creating an SSH connection to my DD-WRT router. For that, the web application needs to access my private key so it has to be sent to the web application.
I can imagine a couple of scenarios where
My private key is sent to the web application over https using a web form so that the web application can create the SSH connection. The web application receives the SSH key, doesn't persist the key to disk but keeps it in memory just to create the SSH connection.
A new keypair is generated specifically for the the web application. The web application stores the private key in its database and sends me the public key. The web application uses it to create the secure connection to my router. The web application would need to ensure that the private key is kept safe.
None of these scenarios make me feel very comfortable, but I don't know enough about security to make a proper assessment, and I would like to know if there are more appropriate solutions to this problem. (Having a web application act as an intermediary for doing this kind of SSH communication on behalf of the user ?)
Or is this something that is simply "not done".
You basically might chose one of the two approaches:
set up what is commonly referred to as an SSL VPN - a web gateway to the services you most desperately need which would encrypt via TLS and make the services accessible via HTTP
use an SSH client which is "available" even when you are sitting in front of a foreign computer - e.g. a Java applet like MindTerm.
The authentication problem you always would be having when logging in from untrusted computers could be resolved by either running 2-factor auth or one-time-passwords (or both) - take a look at OPIE to see how this could be done.
There are a few companies around which over WebSSH such as SerFish, GotoSSH and SSHD.org. Some will let you use a private key, and some will only work with a username and password. However none of these are suitable if you don't want to hand over a private key.
The alternative option to set up a webserver on a system and use a WebSSH client you can install on your system, such as Ajaxterm or Webshell these give you the added benefit of not having to provide your private key to anyone and allow you to be in full control of security, however have a disadvantage of requiring you to set up extra security on your webserver.