How to securely login over HTTP when you have SSH access?

Without SSL, your connection can be preyed upon by eavesdroppers: they can see the data, they can also alter the data, and generally hijack your connection once you have authenticated. They can do that regardless of the authentication method.

If you assume that there is no malicious individual who can see and/or modify traffic in transit, then... there is no security problem, and basic authentication (as in "show the password") would work equally well.

So I can sum it up as: your one-time link obtained over SSH does not provide any significant improvement on security. Without SSL, the App was weak and is still weak. So I'd say, don't bother with it, in particular because forcing an SSH connection whenever a user wants to use the App is a big usability issue.

Instead, use SSL.


Could I do better?

Yes, use SSL. This is a solved problem. We know how to do HTTP security, and you're trying to invent your own scheme. It's a bad idea. Don't do it.


If you have SSH access, why not use an SSH tunnel?

ssh -L 8080:localhost:80 user@host
firefox http://localhost:8080

If you verified the SSH fingerprint, this is more secure than HTTPS: in HTTPS, you still have to trust all certificate authorities; with ssh, assuming you verified the fingerprint correctly, you know that it is the right server without a trusted third party.
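
An added example, not part of the answer above: the tunnel's guarantee rests on the fingerprint check, so this sketch computes the SHA256 fingerprint of an OpenSSH public key line, compares it with a value obtained out of band, and only then builds a tunnel command that refuses unknown host keys. The key material, the `constructed@example` comment and the function names are constructed for illustration.

```python
import base64, hashlib, struct

def fingerprint(pubkey_line):
    """SHA256 fingerprint of a '<type> <base64-blob> [comment]' key line,
    in the same textual form that `ssh-keygen -l` prints."""
    key_type, b64_blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64_blob, validate=True)
    # The blob begins with a length-prefixed copy of the key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("declared key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_key_matches(pubkey_line, trusted_fp):
    """True only if the offered key hashes to the out-of-band fingerprint."""
    return fingerprint(pubkey_line) == trusted_fp

def tunnel_command(user_host, local_port=8080, remote_port=80):
    """ssh argv for the forward in the answer, hardened: bind to loopback only,
    refuse unknown or changed host keys, fail if the forward cannot be set up."""
    return ["ssh", "-N",
            "-o", "StrictHostKeyChecking=yes",
            "-o", "ExitOnForwardFailure=yes",
            "-L", f"127.0.0.1:{local_port}:localhost:{remote_port}",
            user_host]

def _constructed_key(raw32):
    # Builds a syntactically valid ssh-ed25519 key line from constructed bytes.
    t = b"ssh-ed25519"
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", len(raw32)) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"

SERVER_KEY = _constructed_key(bytes(range(32)))   # key the real server holds
OTHER_KEY = _constructed_key(bytes(32))           # key offered by some other host
# Assumption: in practice this value is read on the server itself (console,
# existing trusted session) with `ssh-keygen -lf` on the host's public key file.
TRUSTED_FP = fingerprint(SERVER_KEY)

if __name__ == "__main__":
    for name, key in (("server", SERVER_KEY), ("other", OTHER_KEY)):
        ok = host_key_matches(key, TRUSTED_FP)
        print(name, fingerprint(key), "match" if ok else "MISMATCH: do not connect")
    print(" ".join(tunnel_command("user@host")))
```

With `StrictHostKeyChecking=yes`, the verified key must already be in `known_hosts`; ssh then aborts instead of prompting if the server presents anything else.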