On Thu, 2021-08-19 at 11:25 +0200, Jan Schermer wrote:
> Hello,
> I would like to deploy FIDO for SSH. I wanted to leverage Windows
> Hello on Windows clients as FIDO backend (so that I don't have to buy
> hw tokens for everyone and for convenience), but evidently my TPM
> flavor doesn't support ECDSA, only RSA.
This likely means you have TPM 1.2.
> Would it be possible to extend OpenSSH support to include "rsa-sk"
> keys?
>
> Not sure what the process is, but could development of it be
> sponsored?
The FIDO standard requires ECDSA keys (mainly, I suspect, because some
of the space constraints in the protocol are too small for RSA) so I
don't believe, even if you hacked the standard to support RSA keys,
that it would work in practice.
I'd strongly suggest you find a TPM 2.0 system, or simply use a FIDO
token via a non-TPM emulator to get ECDSA keys.
James
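Added illustration, not part of the thread above: the OpenSSH FIDO public-key blob (the type `ssh-keygen -t ecdsa-sk` writes) fixes the curve to nistp256 and carries a FIDO application string, so there is no slot for an RSA modulus in it. The encoder/decoder below is my own code; the key point, application string and comment are constructed placeholders, not a real key.

```python
import base64
import struct

# OpenSSH key type used for FIDO/U2F ECDSA keys (the "ecdsa-sk" of ssh-keygen).
SK_ECDSA_TYPE = "sk-ecdsa-sha2-nistp256@openssh.com"


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: big-endian uint32 length, then bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(blob: bytes, offset: int):
    """Decode one SSH wire-format string at offset; return (bytes, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated SSH string length")
    (n,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + n
    if end > len(blob):
        raise ValueError("truncated SSH string body")
    return blob[start:end], end


def build_sk_ecdsa_pubkey(point: bytes, application: bytes) -> bytes:
    """Assemble an sk-ecdsa public-key blob: type, curve, P-256 point, application."""
    if len(point) != 65 or point[0] != 0x04:
        raise ValueError("P-256 point must be 65 bytes, uncompressed (0x04 prefix)")
    return (ssh_string(SK_ECDSA_TYPE.encode())
            + ssh_string(b"nistp256")
            + ssh_string(point)
            + ssh_string(application))


def parse_sk_pubkey(blob: bytes) -> dict:
    """Parse an sk-ecdsa blob; reject anything that is not the FIDO ECDSA type."""
    key_type, off = read_string(blob, 0)
    key_type = key_type.decode()
    if key_type != SK_ECDSA_TYPE:
        raise ValueError(f"not a FIDO ECDSA key: {key_type}")
    curve, off = read_string(blob, off)
    point, off = read_string(blob, off)
    application, off = read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after key")
    return {
        "type": key_type,
        "curve": curve.decode(),
        "point_len": len(point),
        "application": application.decode(),
    }


def parse_authorized_keys_line(line: str) -> dict:
    """Parse one authorized_keys line of the form '<type> <base64 blob> [comment]'."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != SK_ECDSA_TYPE:
        raise ValueError("not an sk-ecdsa authorized_keys entry")
    return parse_sk_pubkey(base64.b64decode(parts[1]))


# Constructed sample: a syntactically valid but meaningless P-256 point.
SAMPLE_POINT = b"\x04" + bytes(range(1, 33)) + bytes(range(33, 65))
SAMPLE_BLOB = build_sk_ecdsa_pubkey(SAMPLE_POINT, b"ssh:")
SAMPLE_LINE = SK_ECDSA_TYPE + " " + base64.b64encode(SAMPLE_BLOB).decode() + " user@host"

if __name__ == "__main__":
    print(parse_authorized_keys_line(SAMPLE_LINE))
```

The application string (`ssh:` by default) is the FIDO relying-party identifier the authenticator binds the credential to; a server-side check like the one above is a reasonable place to confirm that only sk-ecdsa (or sk-ed25519) entries land in an authorized_keys file meant for FIDO-backed logins.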