Web Tunnels

Passwordless authentication for the web


What are Webtunnels?

By leveraging SSH tunnels, we can use pubkey cryptography to authenticate users on the web. No passwords, no JWTs, no bearer tokens, no complicated WebAuthn, and no passkeys. All we need is an SSH keypair.

SSH port forwarding, also known as SSH tunneling, is the process of transmitting data over an encrypted secure shell connection between a local machine and a remote server. It allows users to access services that firewalls would otherwise restrict or prevent. In our case, it allows us to authenticate and authorize users using only their SSH keypair.

Here is the source code for the tunkit library.

The implementer creates an SSH app (using tunkit) that supports port forwarding, and the user opens a tunnel to it, for example:

ssh -L 1337:localhost:80 -N pico-ui@pgs.sh

Then the user can access the site at http://localhost:1337, and each request is automatically authenticated as that user. There's no need to pass around authentication tokens because every HTTP request through that endpoint is already "marked" with that user's pubkey.
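
One way a backend could consume that marking, as an added example (not tunkit's API and not code from this page): the fingerprint of the key verified at SSH login is assumed to be handed to a per-tunnel wrapper, which stores it in the request context and discards any identity the HTTP client tries to supply. `ForTunnel`, `App`, `Serve`, the `X-Pubkey` header and the fingerprints are hypothetical names and constructed values.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type ctxKey struct{} // context key holding the SSH-verified key fingerprint

// ForTunnel wraps the web app for one forwarded connection. fp is the key
// fingerprint the SSH layer verified at login (assumed to be handed in here).
func ForTunnel(fp string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Hypothetical header name: identity sent by the client is dropped.
		r.Header.Del("X-Pubkey")
		ctx := context.WithValue(r.Context(), ctxKey{}, fp)
		next.ServeHTTP(w, r.WithContext(ctx))
	})
}

// App authorizes from the context value only, against an allow-list.
func App(users map[string]string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fp, _ := r.Context().Value(ctxKey{}).(string)
		if user, ok := users[fp]; ok {
			fmt.Fprint(w, "hello "+user)
			return
		}
		http.Error(w, "unknown key", http.StatusForbidden)
	})
}

// Serve simulates one request arriving through a tunnel opened with key fp,
// carrying a client-chosen X-Pubkey header.
func Serve(app http.Handler, fp, claimed string) (int, string) {
	req := httptest.NewRequest("GET", "http://localhost:1337/", nil)
	req.Header.Set("X-Pubkey", claimed)
	rec := httptest.NewRecorder()
	ForTunnel(fp, app).ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	app := App(map[string]string{"SHA256:constructed-alice": "alice"}) // constructed fingerprint
	fmt.Println(Serve(app, "SHA256:constructed-alice", "SHA256:constructed-bob"))
	fmt.Println(Serve(app, "SHA256:constructed-bob", "SHA256:constructed-alice"))
}
```

The second call is rejected even though its header names an allowed key, because authorization follows the key that opened the tunnel rather than anything in the request.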

Built by pico.sh LLC
206 E Huron St, Ann Arbor MI 48104