That works for me. I noticed though that if you use
--with-security-key-builtin and it can't find the library to actually
use the builtin it's not treated as an error. Perhaps it should be
given the explicit indication that it's expected?
I've also updated the pull request on github that switches it from a
number to mnemonic flags to apply cleanly to the current master and
update the ssh-keygen manpage. I can also send it through another
medium instead of github if that's preferred?
On Fri, Nov 15, 2019 at 5:14 AM Damien Miller <djm at mindrot.org> wrote:
>
> On Fri, 15 Nov 2019, Damien Miller wrote:
>
> > On Fri, 1 Nov 2019, Damien Miller wrote:
> >
> > > Hi,
> > >
> > > As of this morning, OpenSSH now has experimental U2F/FIDO support, with
> > > U2F being added as a new key type "sk-ecdsa-sha2-nistp256 at openssh.com"
> > > or "ecdsa-sk" for short (the "sk" stands for "security key").
> >
> > An update on this: I've just committed internal support for U2F/FIDO2
> > security keys to OpenSSH. If ./configure can find a compatible libfido2
> > then it will be used automatically, with no additional configuration
> > required in OpenSSH tools. You should use libfido2 HEAD for now until
> > they make their next release.
> >
> > Practically, this means that you can just run "ssh-keygen -t ecdsa-sk"
> > and it will work without fiddling with middleware binaries, etc.
> >
> > Please give this a try - security key support is a substantial change and
> > it really needs testing ahead of the next release.
>
> One more note: you'll need to pass --with-security-key-builtin to
> configure to enable the built-in security key support. If it finds
> the libraries that it depends on then you should see something like:
>
> U2F/FIDO support: built-in
>
> In configure's final summary.
>
> -d
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
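The reply above points out that configure does not fail when --with-security-key-builtin is given but the libfido2 dependency is not found. The following is an added example (not code from the thread or from the OpenSSH project) of a build-time gate that closes that gap from the outside: it parses configure's final summary for the "U2F/FIDO support: built-in" line quoted above and returns non-zero when that value is absent. The sample summary text is constructed; only the "U2F/FIDO support: built-in" line comes from the thread, and treating any other value as a failure is this example's assumption.

```shell
#!/bin/sh
# Added example, not part of the original thread: refuse to proceed with a
# build that asked for built-in security key support but did not get it.

# Print the value of the "U2F/FIDO support:" line from a configure summary
# read on stdin (first match only, surrounding whitespace stripped).
sk_support_value() {
    sed -n 's/^[[:space:]]*U2F\/FIDO support:[[:space:]]*//p' | head -n 1
}

# Return 0 when the summary passed as $1 reports "built-in", 1 otherwise.
# Assumption: any other value (or a missing line) means the builtin support
# was silently dropped, which is the case the reply above describes.
require_sk_builtin() {
    value=$(printf '%s\n' "$1" | sk_support_value)
    if [ "$value" = "built-in" ]; then
        return 0
    fi
    echo "configure summary reports U2F/FIDO support: '${value:-<missing>}'" >&2
    return 1
}

# Constructed sample summaries for demonstration (not real configure output,
# apart from the "U2F/FIDO support: built-in" line quoted in the thread).
SUMMARY_OK="Configured with the following options:
            U2F/FIDO support: built-in
                    Compiler: cc"
SUMMARY_MISSING="Configured with the following options:
                    Compiler: cc"

# Typical use after running configure with its output captured:
#   ./configure --with-security-key-builtin > configure.log 2>&1
#   require_sk_builtin "$(cat configure.log)" || exit 1
```

Because configure's own exit status is not enough here, the gate keys off the summary line the maintainer says to look for, so a CI job cannot quietly ship an OpenSSH build without the security key support it was meant to have.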