
Feature Request: Ability to build verify-only routines without udev being present

Open aaronmdjones opened this issue 4 years ago • 2 comments

I would like the ability to build libfido2 without having to build against udev. Put simply, I would like to be able to use the library to verify FIDO signatures and such, but I don't need to be able to talk to any local FIDO hardware tokens.

This would end up being useful for OpenSSH, which has libfido2 as a dependency (if you build it with FIDO security key support). At the moment, OpenSSH with FIDO support is unusable on a machine that does not have udev, even if you only want to use FIDO functionality in the OpenSSH server on that machine.

aaronmdjones, Mar 13 '21 14:03

> I would like the ability to build libfido2 without having to build against udev. Put simply, I would like to be able to use the library to verify FIDO signatures and such, but I don't need to be able to talk to any local FIDO hardware tokens.

That is a fair request. There is prior art in that regard; for reference, libfido2 has been patched not to use udev here: https://github.com/oasislinux/libfido2/commit/eec0c3a3cf1528185c8e1bdcf94733e27d5d8d51#diff-10af2e83f2ada0a5e41a2b34a1a8b4fc889b4b7c768254c47fe883fd40613e13.

> This would end up being useful for OpenSSH, which has libfido2 as a dependency (if you build it with FIDO security key support). At the moment, OpenSSH with FIDO support is unusable on a machine that does not have udev, even if you only want to use FIDO functionality in the OpenSSH server on that machine.

I don't think that's true; OpenSSH only uses libfido2 when it needs to talk to a FIDO device. As such, the only feature you lose by not activating the bits and pieces that use libfido2 in a OpenSSH server is the ability to use a FIDO device to store the host key; the verification of FIDO signatures is unaffected.

martelletto, Mar 13 '21 18:03
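The point above, that verifying an sk-* signature needs only the public key and hashes and never a FIDO device, can be shown by rebuilding the data an `sk-ssh-ed25519@openssh.com` authenticator signs (SHA256(application) || flags || counter || SHA256(message), the layout OpenSSH's PROTOCOL.u2f specifies) and checking it with plain Ed25519. This is an added example, not code from libfido2 or OpenSSH; the "authenticator" is a software key generated in-process, and the message bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Flag bit the authenticator sets when the user touched the token.
const skUserPresence byte = 0x01

// skSignedData rebuilds what an sk-ssh-ed25519@openssh.com authenticator signs:
// SHA256(application) || flags || counter (uint32, big-endian) || SHA256(message).
// Only hashes of the application ID and the SSH message are needed, so the
// verifier never has to open libfido2 or a USB device.
func skSignedData(application, message []byte, flags byte, counter uint32) []byte {
	appHash := sha256.Sum256(application)
	msgHash := sha256.Sum256(message)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	buf := make([]byte, 0, 32+1+4+32)
	buf = append(buf, appHash[:]...)
	buf = append(buf, flags)
	buf = append(buf, ctr[:]...)
	return append(buf, msgHash[:]...)
}

// VerifySK checks an sk-ed25519 signature against the public key and the
// application ID stored with it. requireUP mirrors sshd rejecting signatures
// made without user presence unless the key was marked no-touch-required.
func VerifySK(pub ed25519.PublicKey, application, message, sig []byte,
	flags byte, counter uint32, requireUP bool) error {
	if requireUP && flags&skUserPresence == 0 {
		return errors.New("signature made without user presence")
	}
	if !ed25519.Verify(pub, skSignedData(application, message, flags, counter), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// fakeAuthenticatorSign stands in for a hardware token (constructed for this example).
func fakeAuthenticatorSign(priv ed25519.PrivateKey, application, message []byte,
	flags byte, counter uint32) []byte {
	return ed25519.Sign(priv, skSignedData(application, message, flags, counter))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // software stand-in for a token
	app, msg := []byte("ssh:"), []byte("constructed SSH signing data")
	sig := fakeAuthenticatorSign(priv, app, msg, skUserPresence, 7)
	if err := VerifySK(pub, app, msg, sig, skUserPresence, 7, true); err != nil {
		panic(err)
	}
}
```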

> I don't think that's true; OpenSSH only uses libfido2 when it needs to talk to a FIDO device. As such, the only feature you lose by not activating the bits and pieces that use libfido2 in a OpenSSH server is the ability to use a FIDO device to store the host key; the verification of FIDO signatures is unaffected.

Oh, my bad, I'd completely missed the `sk-*` key types in the output of `$ ssh -Q key` when built without security key support.

Well, this is a bit invalid then, but I'll leave the issue open due to your prior art link.

aaronmdjones, Mar 13 '21 21:03