
ecdsa-sk and ed25519-sk support

Open git-tec opened this issue 1 year ago • 8 comments

First of all great work you did here.

Is there any way to support you so that support for ecdsa-sk, ed25519-sk will be integrated in the future?

git-tec (Jul 20 '23 13:07)

It seems that the SSH package in Golang may support SK keys. I would like to test if it's possible when I have some time. https://github.com/search?q=repo%3Agolang%2Fcrypto%20SKED25519&type=code

masahide (Jul 21 '23 04:07)

Is there any news on this topic yet?

git-tec (Aug 04 '23 15:08)

I am currently investigating how to use the SK key. The following is the progress of the check and TODO.

  • The golang crypto/ssh library defines the structure for the SK key, but it doesn't seem to have an interface ready to use the SK key.
  • OpenSSH uses the libfido2 library. How to use it from go? FIDO authenticator has several options.

TODO:

masahide (Aug 05 '23 05:08)

You might be able to use ssh-sk-helper to your advantage.

https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html

Using FIDO2 Keys with Windows Subsystem for Linux (WSL) on Windows

In addition to a native SSH client, the Windows OpenSSH beta release also contains an SSH_SK_HELPER that can be used to bridge the host’s FIDO2 support to WSL. All of this configuration must be done from inside the WSL environment, and relies on the Windows environment to be working correctly.

masahide (Aug 13 '23 07:08)

https://www.reddit.com/r/yubikey/comments/11bot5f/minimum_requirements_for_notouchrequired_ssh/

It seems there are various challenges in using the no-touch-required option to enable key usage without touching. The YubiKey 5 I have on hand doesn't work well with OpenSSH v9.2.2.0p1-Beta.

masahide (Aug 19 '23 05:08)

Basically, I think the no-touch feature makes little sense with YubiKeys; then I can create a key, put it on an encrypted drive and only mount it when needed. The "more" security is then simply moot.

git-tec (Aug 21 '23 08:08)

Hello, I got the ed25519-sk to work without changing the SSH library. You might find some ideas in go-ssh-sk-example.

ztmzzz (Mar 27 '24 14:03)

@ztmzzz Thanks for the ed25519-sk tip and the go-ssh-sk-example! Really appreciate it. 👍

masahide (Mar 29 '24 05:03)

Any news?

git-tec (Nov 15 '24 14:11)

@git-tec I apologize for the delay in addressing this issue. I am planning to allocate time to work on it and kindly ask for your patience a little longer.

Best regards,

masahide (Nov 20 '24 14:11)