
Add support for FIDO2 pubkey auth for SSH server

Open adiroiban opened this issue 9 months ago • 8 comments

This is to implement the userauth server-side of https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.u2f

The security key (sk-) implementation is for now only OpenSSH specific.

The GitHub.com server (SSH-2.0-babeld-70f1bac9 but maybe OpenSSH in the backend) also supports it.

For the scope of this ticket, my plan is to have support only for:

This means:

  • Load public blob
  • Validate signature

Certificates are out of scope. WebAuthn is out of scope.


In the past, getting a YubiKey to work with SSH was a pain via PGP or SmartCard.

With this, OpenSSH has direct access to the FIDO2 keys.

adiroiban avatar Sep 24 '23 20:09 adiroiban