Public Key Authentication

developed by jasny

The 'Public Key Authentication' add-on provides access to an application through a different method than the normal login process. The add-on verifies the authenticity of the login credentials using a public key. You may know this method from SSH authentication using DSA public/private keys.

Requirements

This add-on requires the PHP OpenSSL extension.

Note: This is only the server. To log in you need a client. An example client can be downloaded from http://github.com/jasny/backdoor.

Why would you need this?

In a perfect world you could just deliver an application and all would be good. However, in the real world there are unforeseen issues which need to be solved. This means that you as a developer will need access to the application. To reproduce the problem, you usually want to run the application logged in as the user that spotted the issue.

With concrete5 you can make an admin user and switch to any user in the system. This is fine if you’re the only developer working on these applications. However, in a professional environment this solution won’t do. If you're managing a lot of c5 sites, it will be a tedious job to lock a developer out completely.

The secure way

It is easier if there is a project management system that you and other developers can log into. From within that system, the developer can log in directly to the concrete5 website as any user. Within that application you can configure which team each developer is on, which limits the applications the developer has access to. More importantly, simply blocking the user account on the project management system will lock the developer out completely.

This can be done by using a public/private key system. The concrete5 site has a public key and the client (the project management system) has the private key. The client signs the username and URL. The concrete5 backdoor controller verifies this signature and logs the user in (without asking for a password).

Alternative use

Another use of this add-on is in a situation where you want to allow a user to bypass the authentication. For example, if you have a (web hosting) control panel where the user is already logged in, you can allow him to directly access the dashboard of the application without having to enter his password again. This requires a backdoor, since you don’t know his (unencrypted) password.

Generating the keys

The keys can be generated on the (*nix) command line, using the ‘openssl’ binary. I’m using RSA keys, but DSA should also work if preferred.

# Generate private key
openssl genrsa -out master.key 1024
# Generate public key
openssl rsa -in master.key -pubout -out master.pub

The public key should be copied to the '/config/pubkeys' directory of the concrete5 site. Make sure the private key is absolutely private. Anybody who has a copy of it can use the backdoor.
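
The sign-and-verify exchange described under 'The secure way', as an added example using the openssl binary (not the add-on's own code). The user|url|expiry message layout, the expiry check and the function names are assumptions for illustration, and the throwaway key is 2048-bit rather than 1024-bit, since 1024-bit RSA is below current minimum key-size recommendations.

```shell
#!/bin/sh
# Added example. The "user|url|expiry" message layout is an assumption,
# not the add-on's real wire format.

# Client side: sign_login KEY USER URL EXPIRY -> base64 signature on stdout
sign_login() {
    printf '%s|%s|%s' "$2" "$3" "$4" |
        openssl dgst -sha256 -sign "$1" | openssl base64 -A
}

# Server side: verify_login PUB USER URL EXPIRY SIG NOW
# Returns 0 only for an unexpired request whose signature matches.
verify_login() {
    case "$2" in *"|"*) return 1 ;; esac       # delimiter in username is ambiguous
    [ "$6" -le "$4" ] 2>/dev/null || return 1  # expired or non-numeric timestamp
    sigfile=$(mktemp) || return 1
    printf '%s' "$5" | openssl base64 -d -A > "$sigfile" 2>/dev/null
    printf '%s|%s|%s' "$2" "$3" "$4" |
        openssl dgst -sha256 -verify "$1" -signature "$sigfile" >/dev/null 2>&1
    rc=$?
    rm -f "$sigfile"
    return "$rc"
}

# Constructed demo values; throwaway key pair in a temp directory.
demo() {
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/master.key" 2048 2>/dev/null
    openssl rsa -in "$d/master.key" -pubout -out "$d/master.pub" 2>/dev/null
    now=$(date +%s); exp=$((now + 60))
    sig=$(sign_login "$d/master.key" alice https://site.example/ "$exp")
    verify_login "$d/master.pub" alice https://site.example/ "$exp" "$sig" "$now" \
        && echo "alice: accepted"
    # The signature covers the username, so it cannot be reused for another user.
    verify_login "$d/master.pub" admin https://site.example/ "$exp" "$sig" "$now" \
        || echo "admin with alice's signature: rejected"
    # The signed expiry bounds how long a captured request can be replayed.
    verify_login "$d/master.pub" alice https://site.example/ "$exp" "$sig" $((exp + 1)) \
        || echo "replay after expiry: rejected"
    rm -rf "$d"
}
demo
```

Because the URL is part of the signed message, a request signed for one site does not verify on another site that trusts the same public key.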

Links

  • Also read the article 'A secure backdoor for PHP'
  • Wikipedia 'Public key cryptography'
  • This is a github project (Fork me!)
  • Contact me on twitter @JasnyDaniels

Current Version

1.0

Works With

5.3.3+
