Scott C Wang wrote:> I implement a SecurityKeyProvider that prints a https URL upon sk_sign. > I open this URL in Google Chrome. The script on the page calls the > webauthn authentication API; Google Chrome prompts me to choose an > authentication method, and I pick my phone. Authenticating my > fingerprint on my phone yields a webauthn signature to the script, > which POSTs the signature, origin, clientData, and extensions back > to the same URL. The SecurityKeyProvider polls the URL (or some > endpoint) until the signature arrives, which it returns, along with > the origin, clientData, and extensions, to the OpenSSH client. > The OpenSSH client now has what it needs to pack a > "webauthn-sk-ecdsa-sha2-nistp256 at openssh.com" signature message, > all of which the OpenSSH server currently already supports validating...> have I gone mad?FWIW I think the data spray and the complexity are mad, each on their own. I guess that it'll be popular, I hope not in mainline OpenSSH. ;) //Peter
Sounds kind of like oidc but with webauthn switched out for some of the plumbing. Would straight up oidc work cleaner for your use case? You can still use all sorts of authentication methods like fingerprints with it. ________________________________________ From: openssh-unix-dev <openssh-unix-dev-bounces+kevin.fox=pnnl.gov at mindrot.org> on behalf of Peter Stuge <peter at stuge.se> Sent: Tuesday, January 11, 2022 10:31 AM To: openssh-unix-dev at mindrot.org Subject: Re: webauthn signatures: SecurityKeyProvider, json parsing Check twice before you click! This email originated from outside PNNL. Scott C Wang wrote:> I implement a SecurityKeyProvider that prints a https URL upon sk_sign. > I open this URL in Google Chrome. The script on the page calls the > webauthn authentication API; Google Chrome prompts me to choose an > authentication method, and I pick my phone. Authenticating my > fingerprint on my phone yields a webauthn signature to the script, > which POSTs the signature, origin, clientData, and extensions back > to the same URL. The SecurityKeyProvider polls the URL (or some > endpoint) until the signature arrives, which it returns, along with > the origin, clientData, and extensions, to the OpenSSH client. > The OpenSSH client now has what it needs to pack a > "webauthn-sk-ecdsa-sha2-nistp256 at openssh.com" signature message, > all of which the OpenSSH server currently already supports validating...> have I gone mad?FWIW I think the data spray and the complexity are mad, each on their own. I guess that it'll be popular, I hope not in mainline OpenSSH. ;) //Peter _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev at mindrot.org https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.mindrot.org%2Fmailman%2Flistinfo%2Fopenssh-unix-dev&data=04%7C01%7CKevin.Fox%40pnnl.gov%7Ce22d8ea52399494a387208d9d530e42a%7Cd6faa5f90ae240338c0130048a38deeb%7C0%7C0%7C637775228267088932%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=DHoJZiyxh8w35fqkDuauIVmnPFOH9mgZxECsdcoEckQ%3D&reserved=0
Damien Miller
2022-Jan-11 22:44 UTC
webauthn signatures: SecurityKeyProvider, json parsing
On Tue, 11 Jan 2022, Peter Stuge wrote:> FWIW I think the data spray and the complexity are mad, each on their own. > > I guess that it'll be popular, I hope not in mainline OpenSSH. ;)The SecurityKeyProvider interface exists largely to make this sort of experimentation possible outside of OpenSSH itself. -d