search for: ctap

Hello list! Recently, there was a request to implement CTAP 2.1 resident credential management to Trezor, a hardware wallet which already supports FIDO2 authentication (full CTAP 2.0). My colleague Andrew[1] raised some points on GitHub and I'd like to check with you what are we missing or whether Andrew is right. Thank you for your help and understan...

On Mon, 6 Jan 2025, Pavol Rusnak via openssh-unix-dev wrote: > Hello list! > > Recently, there was a request to implement CTAP 2.1 resident credential > management to Trezor, a hardware wallet which already supports FIDO2 > authentication (full CTAP 2.0). > > My colleague Andrew[1] raised some points on GitHub and I'd like to check > with you what are we missing or whether Andrew is right. > > Th...

On Tue, 2020-07-21 at 14:47 +1000, Damien Miller wrote: > On Mon, 20 Jul 2020, Jordan J wrote: [...] > > Firstly, would the following or some combination thereof be > > possible or is there an obvious impediment. Secondly, if it proved > > possible are the maintainers open to a patch providing it? > > > > 1. Update the SSH ecdsa-sk public key type to contain the

...name on which they are attached. Is it normal ? Can I delete all of these printer objects ? Look at this: ldbsearch -H /usr/local/samba/private/sam.ldb.d/DC\=DTCF\,DC\=ETECSA\,DC\=CU.ldb 'cn=*Laser*' dn ... # record 11139 dn: CN=PC014924-HP LaserJet 400 0026344862,CN=PC014924,OU=CTAP,OU=CFG,DC=dtcf,DC=etecsa,DC=cu # record 11140 dn: CN=PC014913-HP LaserJet Profession0015465899,CN=PC014913,OU=COMPUTERS,OU=CFG,DC=dtcf,DC=etecsa,DC=cu # record 11141 dn: CN=PC014878-hp LaserJet 1012 0024051305,CN=PC014878,OU=OFICINA_COMERCIAL,OU=CTCF,OU=CFG,DC=dtcf,DC=etecsa,DC=cu # returned 1...

...FIDO protocol, user verification is > independently requested during key creation and verification via > server (i.e.relying party in FIDO/WebAuthN terminology) side flags, > i.e. "user verification required" is not a per-key/credential, but > rather a per-operation property. CTAP 2.1 has a Credential Protection feature which allows a newly created credential to be mandatorily protected by the authenticator through some form of user verification, e.g. PIN entry. This is requested by ssh-keygen when generating a key with the verify-required option, see sk_enroll() in sk-usbh...

Hi, Based on my understanding of the FIDO protocol, user verification is independently requested during key creation and verification via server (i.e.relying party in FIDO/WebAuthN terminology) side flags, i.e. "user verification required" is not a per-key/credential, but rather a per-operation property. However, the `ssk-keygen` manpage states that: > verify-required >

...m the authenticator. Note that the authenticator will only allow this after the user has entered a PIN or a fingerprint etc. to confirm their identity to the authenticator, so again a simple theft of the authenticator does not provide an attacker with access. IIRC, the principal difference between CTAP 2.0 and 2.1 is that 2.1 allows the deletion of individual keys, whereas 2.0 only provides a reset of the authenticator that deletes all keys. That's an issue when the authenticator's storage capacity has been exhausted, but it has nothing to do with OpenSSH. -- Christian "naddy&quot...

>From my understanding, somehow a website talking through the web browser is able to get the same keypair used no matter which computer the keyfob is plugged into. I'm wondering if we can use the same mechanism there. If application is part of the process, maybe allowing the application to be specified by the user rather then being randomly generated by openssh would be enough? Thanks,

https://bugzilla.mindrot.org/show_bug.cgi?id=2319 Bug ID: 2319 Summary: [PATCH REVIEW] U2F authentication Product: Portable OpenSSH Version: 6.7p1 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: Miscellaneous Assignee: unassigned-bugs at