On Fri, 3 Jan 2020, Christian Weisgerber wrote:

> David Lang:
>
>> not supporting authentication from multiple machines seems to defeat the
>> purpose of adding u2f support.
>
> It works just like other SSH key types. You have a private SSH key
> and a public one, and you can copy the private key to multiple
> machines or load it into ssh-agent and use agent forwarding.
>
> The only difference is that the private SSH key on its own is
> insufficient and requires the cooperation of the FIDO/U2F authenticator.

Part of the value of u2f is that there is not anything that you need to
install on every system. Turning u2f into just a way to unlock ssh keys may be
an easy way to use a u2f key, but it's missing out on the value of u2f.

As I said, Google has a modified sshd that they use with u2f keys that does
not require anything be copied or stored on the client machine.

Yes, it modifies the protocol to pass a server/application name, but why is it
bad to add a new authentication mechanism? There is provision for the ssh
protocol to issue a prompt for a password, which could be (ab)used to pass the
name needed for u2f to work properly.

David Lang
On Fri, 3 Jan 2020, David Lang wrote:

> On Fri, 3 Jan 2020, Christian Weisgerber wrote:
>
> > David Lang:
> >
> > > not supporting authentication from multiple machines seems to defeat the
> > > purpose of adding u2f support.
> >
> > It works just like other SSH key types. You have a private SSH key
> > and a public one, and you can copy the private key to multiple
> > machines or load it into ssh-agent and use agent forwarding.
> >
> > The only difference is that the private SSH key on its own is
> > insufficient and requires the cooperation of the FIDO/U2F authenticator.
>
> part of the value of u2f is that there is not anything that you need to
> install on every system.

Well, see what I said earlier about resident keys. If you have a FIDO2 token
and generate a resident key then you don't need to pre-arrange anything.

> As I said, Google has a modified sshd that they use with u2f keys that does
> not require anything be copied or stored on the client machine.

I'm fairly sure that this isn't the case. Can you point me at some
documentation of this?

-d
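The resident-key workflow referred to above, written out as an added example that is not part of the thread and not the OpenSSH project's own code. It uses ssh-keygen(1) and ssh-add(1) options that exist in OpenSSH 8.2 and later (`-O verify-required` needs 8.3 or later and a token with a PIN set); the output path, the `ssh:example` application string, the key comment and the sample public-key lines are assumptions made for the example. The generation and download functions need a real token and are only defined here, not run; the last helper classifies the `.pub` lines that `ssh-keygen -K` writes and runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): generate a FIDO2
# resident key once, then fetch the key handle from the token on any other
# machine without copying a private key file between hosts.

# Step 1, on any machine with the token inserted: create a resident key.
# The credential is stored on the authenticator itself, so the file written
# to "$1" (assumed path, e.g. ~/.ssh/id_ed25519_sk) never needs to travel.
generate_resident_key() {
    ssh-keygen -t ed25519-sk \
        -O resident \
        -O verify-required \
        -O application=ssh:example \
        -f "$1" -C "resident sk key (example comment)"
}

# Step 2, on a different machine: download the handle(s) from the token into
# the current directory as id_*_rk files (prompts for the token PIN) ...
download_resident_keys() {
    ssh-keygen -K
}

# ... or load them straight into a running ssh-agent without touching disk.
load_resident_keys_into_agent() {
    ssh-add -K
}

# Helper: classify one line of an OpenSSH .pub file by its key type, so a
# script can tell which of the downloaded files are FIDO-backed ("sk"),
# which are ordinary keys ("plain"), and what it does not recognise.
sk_key_class() {
    # usage: sk_key_class "<one .pub line>"
    case "$1" in
        "sk-ssh-ed25519@openssh.com "*|"sk-ecdsa-sha2-nistp256@openssh.com "*)
            echo sk ;;
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*)
            echo plain ;;
        *)
            echo unknown ;;
    esac
}

# Typical use on the second machine (needs the token; commented out so the
# file can be sourced without hardware):
#   download_resident_keys
#   for f in id_*_rk.pub; do printf '%s: %s\n' "$f" "$(sk_key_class "$(cat "$f")")"; done
```

Note that the key written by `ssh-keygen -K` is still only a handle: the server's `authorized_keys` entry is the `sk-ssh-ed25519@openssh.com` public key, and authentication still requires the token to be present (and, with `verify-required`, its PIN) at every login.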
On Mon, 6 Jan 2020, Damien Miller wrote:

> On Fri, 3 Jan 2020, David Lang wrote:
>
>> On Fri, 3 Jan 2020, Christian Weisgerber wrote:
>>
>>> David Lang:
>>>
>>>> not supporting authentication from multiple machines seems to defeat the
>>>> purpose of adding u2f support.
>>>
>>> It works just like other SSH key types. You have a private SSH key
>>> and a public one, and you can copy the private key to multiple
>>> machines or load it into ssh-agent and use agent forwarding.
>>>
>>> The only difference is that the private SSH key on its own is
>>> insufficient and requires the cooperation of the FIDO/U2F authenticator.
>>
>> part of the value of u2f is that there is not anything that you need to
>> install on every system.
>
> Well, see what I said earlier about resident keys. If you have a FIDO2 token
> and generate a resident key then you don't need to pre-arrange anything.

I'd much rather register the token with each foreign host than have to install
a key on all devices that I may end up authenticating from.

>> As I said, Google has a modified sshd that they use with u2f keys that does
>> not require anything be copied or stored on the client machine.
>
> I'm fairly sure that this isn't the case. Can you point me at some
> documentation of this?

I worked there and could use my token from any computer without having to do
anything other than insert the key. As an SRE, I also carried an encrypted USB
drive that contained one-time passwords, just in case the u2f based tokens
didn't work.

David Lang