twisted
#12001 Add OpenSSH FIDO2 security key support for server-side auth
Scope and purpose
Fixes #12001
This is a draft / prototype
I just created this code to see if someone else is interested in this feature.
How to test
With a YubiKey 5 (or another key supporting FIDO2; the old ones don't work), generate a new security key via your OpenSSH client.
ssh-keygen -t ecdsa-sk -O resident -O application=ssh:ecdsa-fido2-test
You will end up with a private key reference (not the full private key) file and a public key file.
Add the public key file to Twisted SSH example server.
Start the server, and then using the OpenSSH client you can just use it as
# clean ssh hosts
ssh-keygen -f ~/.ssh/known_hosts -R "[localhost]:5022"
# try to connect
# OpenSSH will prompt to touch the security key
# Twisted SSH server will not prompt for password
ssh -p 5022 -i ~/.ssh/id_ecdsa_sk user@localhost
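What the server side has to do once the public key file is in place, as an added example that is not code from this PR or from Twisted: parse the sk-ecdsa-sha2-nistp256@openssh.com public key blob (key type, curve, point, application string), parse the matching signature (the inner ecdsa_signature plus the authenticator's flags byte and counter), rebuild the data the security key actually signed, and only then verify. The blob and signature layout follow OpenSSH's PROTOCOL.u2f as I understand it (an assumption, with no FIDO extensions present); the application string is the one from the ssh-keygen command above; the touch and counter policy is my own choice, not something the PR specifies; and make_fixture is a constructed software stand-in for the authenticator so the example runs offline with the cryptography package.

```python
# Added example, not part of the Twisted PR: server-side parsing and
# verification of OpenSSH "sk-ecdsa-sha2-nistp256@openssh.com" keys.
# Wire layout per OpenSSH PROTOCOL.u2f as I understand it (assumption).
import hashlib
import struct

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.asymmetric.utils import (
    decode_dss_signature,
    encode_dss_signature,
)
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

SK_ECDSA = b"sk-ecdsa-sha2-nistp256@openssh.com"
FLAG_USER_PRESENT = 0x01  # set by the authenticator when the key was touched


def _put_string(b):
    """Encode an SSH 'string' (uint32 length prefix + bytes)."""
    return struct.pack(">I", len(b)) + b


def _get_string(buf, off):
    """Decode an SSH 'string' at offset off; return (value, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off:off + n], off + n


def _mpint_to_int(b):  # SSH mpint is big-endian two's complement
    return int.from_bytes(b, "big", signed=True)


def _int_to_mpint(n):
    return n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True) if n else b""


def _signed_data(application, flags, counter, message):
    """The bytes the security key signs: SHA256(app) || flags || counter || SHA256(msg)."""
    return (hashlib.sha256(application).digest() + struct.pack(">BI", flags, counter)
            + hashlib.sha256(message).digest())


def parse_sk_ecdsa_public_key(blob):
    """Split an sk-ecdsa public key blob into (EC public key, application)."""
    ktype, off = _get_string(blob, 0)
    curve, off = _get_string(blob, off)
    point, off = _get_string(blob, off)
    application, off = _get_string(blob, off)
    if ktype != SK_ECDSA or curve != b"nistp256" or off != len(blob):
        raise ValueError("not a well-formed sk-ecdsa-sha2-nistp256 key blob")
    pub = ec.EllipticCurvePublicKey.from_encoded_point(ec.SECP256R1(), point)
    return pub, application


def parse_sk_ecdsa_signature(sig):
    """Return (r, s, flags, counter) from an sk-ecdsa signature blob."""
    stype, off = _get_string(sig, 0)
    inner, off = _get_string(sig, off)
    flags, counter = struct.unpack_from(">BI", sig, off)
    if stype != SK_ECDSA or off + 5 != len(sig):
        raise ValueError("not a well-formed sk-ecdsa-sha2-nistp256 signature")
    r_bytes, ioff = _get_string(inner, 0)
    s_bytes, ioff = _get_string(inner, ioff)
    if ioff != len(inner):
        raise ValueError("trailing data inside ecdsa_signature")
    return _mpint_to_int(r_bytes), _mpint_to_int(s_bytes), flags, counter


def verify_sk_ecdsa(pubkey_blob, signature, message, last_counter, require_touch=True):
    """Server-side check of one userauth signature; returns (ok, reason).

    message is what SSH normally signs (session id + userauth request fields);
    last_counter is the highest counter previously accepted for this key.
    The caller should store the new counter only when ok is True.
    """
    pub, application = parse_sk_ecdsa_public_key(pubkey_blob)
    r, s, flags, counter = parse_sk_ecdsa_signature(signature)
    # Policy from the authenticator's flags (my own policy, not the PR's).
    if require_touch and not flags & FLAG_USER_PRESENT:
        return False, "user presence not asserted"
    # Counter 0 means the authenticator has none; otherwise a counter that
    # fails to advance is the classic sign of a cloned or replayed credential.
    if counter != 0 and counter <= last_counter:
        return False, "counter did not advance"
    try:
        pub.verify(encode_dss_signature(r, s),
                   _signed_data(application, flags, counter, message),
                   ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        return False, "bad signature"
    return True, "ok"


def make_fixture(application=b"ssh:ecdsa-fido2-test"):
    """Constructed software stand-in for the authenticator (test fixture only).

    Returns (public key blob, sign function). A real server never holds the
    private scalar; it only sees the blob and the signatures.
    """
    priv = ec.generate_private_key(ec.SECP256R1())
    point = priv.public_key().public_bytes(Encoding.X962, PublicFormat.UncompressedPoint)
    blob = (_put_string(SK_ECDSA) + _put_string(b"nistp256")
            + _put_string(point) + _put_string(application))

    def sign(message, flags=FLAG_USER_PRESENT, counter=7):
        der = priv.sign(_signed_data(application, flags, counter, message),
                        ec.ECDSA(hashes.SHA256()))
        r, s = decode_dss_signature(der)
        inner = _put_string(_int_to_mpint(r)) + _put_string(_int_to_mpint(s))
        return _put_string(SK_ECDSA) + _put_string(inner) + struct.pack(">BI", flags, counter)

    return blob, sign
```

The order of checks matters less than what the server stores: record the new counter only after the signature verifies, otherwise a forged signature could advance the stored counter and lock out the genuine key.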
Todo
- Cleanup the code
- Break into separate PRs... maybe one in which keys.Key() has support to load public keys from string and blob
- Create a separate PR to generate an SSH key or see if we can have this done in cryptography
- Add tests