Displaying 20 results from an estimated 107 matches for "fido".
2006 Apr 26
3
Test fixture syntax
OK, I know I'm doing something bone-headed, but I can't for the life of
me figure it out.
I've read the test fixtures Rdoc about eight dozen times, and it says
(to me) that if I have a YAML fixture file, dogs.yml that looks like
this:
fido:
  id: 1
  breed: Terrier
fifi:
  id: 2
  breed: Poodle
Then I can include
fixtures :dogs
in my functional test, and I'll have access to a Hash of the model
objects in the instance variable @dogs. And further, that the fixture
records are "found" and loaded into instance var...
2006 Aug 15
5
Hard time understanding the differences between "def self.foo" and "def foo"
Hi guys,
I'm having a little trouble understanding the differences and knowing
when to use "def foo" and "def self.foo" in my models. I don't quite
understand them and was hoping someone could explain or give me
examples on how to use the "self." properly.
For example, I had "def foo" in my model "Account" and in one of
2025 Jan 06
2
FIDO2 resident credentials
Hello list!
Recently, there was a request to implement CTAP 2.1 resident credential
management to Trezor, a hardware wallet which already supports FIDO2
authentication (full CTAP 2.0).
My colleague Andrew[1] raised some points on GitHub and I'd like to check
with you what we are missing or whether Andrew is right.
Thank you for your help and understanding!
Quoting from [1]:
It really makes no sense to me why credential management is needed...
2025 Jan 08
1
FIDO2 resident credentials
On Mon, 6 Jan 2025, Pavol Rusnak via openssh-unix-dev wrote:
> Hello list!
>
> Recently, there was a request to implement CTAP 2.1 resident credential
> management to Trezor, a hardware wallet which already supports FIDO2
> authentication (full CTAP 2.0).
>
> My colleague Andrew[1] raised some points on GitHub and I'd like to check
> with you what we are missing or whether Andrew is right.
>
> Thank you for your help and understanding!
>
> Quoting from [1]:
>
> It really makes...
2024 Oct 21
2
Security of ssh across a LAN, public key versus password
Stuart Henderson wrote:
>> This is why I push for challenge/response tokens, not simply
>> cert authentication, and really wish that FIDO (such as yubikey)
>> was an option, but the discussions I've seen about supporting
>> that have not been encouraging.
>
> hmm? That works pretty well in OpenSSH.
hmm, what I'm finding doesn't seem to use the FIDO challenge/response to the
server, instead it looks like...
2020 Jul 19
2
OpenSSH not requesting touch on FIDO keys (was: OpenSSH not requesting PIN code for YubiKey)
...u client and server) and it
> > works. However, it does not do PIN enforcement at SSH login. It only
> > requests the PIN during the set-up process (when the key is being
> > generated). Is that the way it's supposed to work?
>
> Assuming you are using this device as a FIDO token (and not PKCS#11),
> this is expected. OpenSSH doesn't yet support requiring PINs for keys
> except for a couple of corner cases (e.g. resident keys).
>
> I hope to add this before OpenSSH 8.4.
Somewhat related: touching the FIDO key to authorize the operation.
The user is...
2025 Jan 07
1
FIDO2 resident credentials
...ing from [1]:
>
> It really makes no sense to me why credential management is needed by
> OpenSSH in the first place. In fact it doesn't even make sense to me why
> resident credentials are needed by OpenSSH. Firstly, the private key file
> `id_ed25519_sk` contains primarily the FIDO credential, which is nothing
> secret and should logically be placed in `id_ed25519_sk.pub` which resides
> on the remote server. This way FIDO authenticators wouldn't even need to
> support resident credentials to function with OpenSSH.
They don't need to support resident credent...
2020 Sep 27
0
Announce: OpenSSH 8.4 released
...tion manually.
[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
Application to the PGP Web of Trust" Leurent, G and Peyrin, T
(2020) https://eprint.iacr.org/2020/014.pdf
Security
========
* ssh-agent(1): restrict ssh-agent from signing web challenges for
FIDO/U2F keys.
When signing messages in ssh-agent using a FIDO key that has an
application string that does not start with "ssh:", ensure that the
message being signed is one of the forms expected for the SSH protocol
(currently public key authentication and sshsig signatures)....
2020 Sep 20
13
Call for testing: OpenSSH 8.4
...rted
directly to openssh at openssh.com.
Below is a summary of changes. More detail may be found in the ChangeLog
in the portable OpenSSH tarballs.
Thanks to the many people who contributed to this release.
Security
========
* ssh-agent(1): restrict ssh-agent from signing web challenges for
FIDO/U2F keys.
When signing messages in ssh-agent using a FIDO key that has an
application string that does not start with "ssh:", ensure that the
message being signed is one of the forms expected for the SSH protocol
(currently public key authentication and sshsig signatures)....
2020 Feb 14
2
Announce: OpenSSH 8.2 released
...the -O flag.
* sshd(8): the sshd listener process title visible to ps(1) has
changed to include information about the number of connections that
are currently attempting authentication and the limits configured
by MaxStartups.
* ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
support to provide address-space isolation for token middleware
libraries (including the internal one). It needs to be installed
in the expected path, typically under /usr/libexec or similar.
Changes since OpenSSH 8.1
=========================
This release contains some significant n...
2020 Jul 20
2
OpenSSH not requesting touch on FIDO keys (was: OpenSSH not requesting PIN code for YubiKey)
...rks. However, it does not do PIN enforcement at SSH login. It only
> > > > requests the PIN during the set-up process (when the key is being
> > > > generated). Is that the way it's supposed to work?
> > >
> > > Assuming you are using this device as a FIDO token (and not PKCS#11),
> > > this is expected. OpenSSH doesn't yet support requiring PINs for keys
> > > except for a couple of corner cases (e.g. resident keys).
> > >
> > > I hope to add this before OpenSSH 8.4.
> >
> > Somewhat related: tou...
2020 Feb 05
19
Call for testing: OpenSSH 8.2
...ocess title visible to ps(1) has
changed to include information about the number of connections that
are currently attempting authentication and the limits configured
by MaxStartups.
Changes since OpenSSH 8.1
=========================
This release contains some significant new features.
FIDO/U2F Support
----------------
This release adds support for FIDO/U2F hardware authenticators to
OpenSSH. U2F/FIDO are open standards for inexpensive two-factor
authentication hardware that are widely used for website
authentication. In OpenSSH FIDO devices are supported by new public
key types "...
2023 Aug 01
3
[Bug 3597] New: Why do we check both nsession_ids and remote_add_provider when judging whether allow remote addition of FIDO/PKCS11 provider libraries is disabled?
https://bugzilla.mindrot.org/show_bug.cgi?id=3597
Bug ID: 3597
Summary: Why do we check both nsession_ids and
remote_add_provider when judging whether allow remote
addition of FIDO/PKCS11 provider libraries is
disabled?
Product: Portable OpenSSH
Version: -current
Hardware: Other
OS: Windows 10
Status: NEW
Severity: trivial
Priority: P5
Component: ssh-agent
As...
2024 Oct 21
1
Security of ssh across a LAN, public key versus password
...is only two factor if you trust that the password is not stored
> along with the cert (which is on the untrusted client)
You can tell sshd to require *both* password and public key.
> This is why I push for challenge/response tokens, not simply
> cert authentication, and really wish that FIDO (such as yubikey)
> was an option, but the discussions I've seen about supporting
> that have not been encouraging.
hmm? That works pretty well in OpenSSH.
2007 Jun 21
0
problem with redirect_to() and VirtualHost
...und:
We have DNS set up to return the domain's address for all
sub-domains. So, "dig xyz.cfcl.com" returns the same IP
address as "dig cfcl.com".
Our router forwards ranges of port numbers to specified
machines. So, a request on port 1234 might go to "fido".
We are using Apache's VirtualHost facility to redirect (?)
requests to certain machines, as:
<VirtualHost *:80>
ServerName xyz.cfcl.com
ServerAdmin rdm-go8te9J4rpw@public.gmane.org
ErrorLog /dev/null
CustomLog /de...
2020 Feb 18
2
Resident keys?
...load_resident_keys: trying IOService:/AppleACPIPlatformExpert/PCI0 at 0/AppleACPIPCI/XHC1 at 14/XHC1 at 14000000/HS08 at 14300000/USB2.0 Hub at 14300000/AppleUSB20Hub at 14300000/AppleUSB20HubPort at 14340000/USB2.0 Hub at 14340000/AppleUSB20Hub at 14340000/AppleUSB20HubPort at 14343000/YubiKey OTP+FIDO+CCID at 14343000/IOUSBHostInterface at 1/IOUSBHostHIDDevice at 14343000,1
debug1: read_rks: get metadata for IOService:/AppleACPIPlatformExpert/PCI0 at 0/AppleACPIPCI/XHC1 at 14/XHC1 at 14000000/HS08 at 14300000/USB2.0 Hub at 14300000/AppleUSB20Hub at 14300000/AppleUSB20HubPort at 14340000/USB2.0 H...
2020 Jul 10
3
OpenSSH not requesting PIN code for YubiKey
I set up the YubiKey with OpenSSH 8.2 (Ubuntu client and server) and it
works. However, it does not do PIN enforcement at SSH login. It only
requests the PIN during the set-up process (when the key is being
generated). Is that the way it's supposed to work?
Frank
2024 Oct 21
1
Security of ssh across a LAN, public key versus password
Hi David,
> hmm, what I'm finding doesn't seem to use the FIDO challenge/response to the
> server, instead it looks like a public/private key that's unlocked with a touch,
> possibly storing the private key on the hardware dongle (but it seems like
> there's still a key you need to put on the client system)
>
> Quoting from the yubikey...