Sounds kind of like oidc but with webauthn switched out for some of the plumbing. Would straight up oidc work cleaner for your use case? You can still use all sorts of authentication methods like fingerprints with it. ________________________________________ From: openssh-unix-dev <openssh-unix-dev-bounces+kevin.fox=pnnl.gov at mindrot.org> on behalf of Peter Stuge <peter at stuge.se> Sent: Tuesday, January 11, 2022 10:31 AM To: openssh-unix-dev at mindrot.org Subject: Re: webauthn signatures: SecurityKeyProvider, json parsing Check twice before you click! This email originated from outside PNNL. Scott C Wang wrote:> I implement a SecurityKeyProvider that prints a https URL upon sk_sign. > I open this URL in Google Chrome. The script on the page calls the > webauthn authentication API; Google Chrome prompts me to choose an > authentication method, and I pick my phone. Authenticating my > fingerprint on my phone yields a webauthn signature to the script, > which POSTs the signature, origin, clientData, and extensions back > to the same URL. The SecurityKeyProvider polls the URL (or some > endpoint) until the signature arrives, which it returns, along with > the origin, clientData, and extensions, to the OpenSSH client. > The OpenSSH client now has what it needs to pack a > "webauthn-sk-ecdsa-sha2-nistp256 at openssh.com" signature message, > all of which the OpenSSH server currently already supports validating...> have I gone mad?FWIW I think the data spray and the complexity are mad, each on their own. I guess that it'll be popular, I hope not in mainline OpenSSH. ;) //Peter _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev at mindrot.org https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.mindrot.org%2Fmailman%2Flistinfo%2Fopenssh-unix-dev&data=04%7C01%7CKevin.Fox%40pnnl.gov%7Ce22d8ea52399494a387208d9d530e42a%7Cd6faa5f90ae240338c0130048a38deeb%7C0%7C0%7C637775228267088932%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=DHoJZiyxh8w35fqkDuauIVmnPFOH9mgZxECsdcoEckQ%3D&reserved=0
Brian Candler
2022-Jan-11 19:24 UTC
webauthn signatures: SecurityKeyProvider, json parsing
On 11/01/2022 18:52, Fox, Kevin M wrote:> Sounds kind of like oidc but with webauthn switched out for some of the plumbing. Would straight up oidc work cleaner for your use case? You can still use all sorts of authentication methods like fingerprints with it.You can also trade an OIDC login for an SSH certificate, using Hashicorp Vault (amongst other solutions)