On Fri, 3 Jan 2020, Christian Weisgerber wrote:
> David Lang:
>
>> not supporting authentication from multiple machines seems to defeat
>> the purpose of adding u2f support.
>
> It works just like other SSH key types. You have a private SSH key
> and a public one, and you can copy the private key to multiple
> machines or load it into ssh-agent and use agent forwarding.
>
> The only difference is that the private SSH key on its own is
> insufficient and requires the cooperation of the FIDO/U2F authenticator.

part of the value of u2f is that there is not anything that you need to install
on every system.

turning u2f into just a way to unlock ssh keys may be an easy way to use a u2f
key, but it's missing out on the value of u2f.

As I said, Google has a modified sshd that they use with u2f keys that does not
require anything be copied or stored on the client machine.

Yes, it modifies the protocol to pass a server/application name, but why is it
bad to add a new authentication mechanism? There is provision for the ssh
protocol to issue a prompt for a password; that could be (ab)used to pass the
name needed for u2f to work properly.

David Lang