search for: fido2

Displaying 20 results from an estimated 29 matches for "fido2".

2020 Sep 04
3
Incomplete attestation data for FIDO2 SKs?
I was recently looking at verifying the attestation data (ssh-sk-attest-v00) for a SK key, but I believe the data saved in this structure is insufficient for completing verification of the attestation. While the structure has enough information for U2F devices, FIDO2 devices sign their attestation over a richer "authData" blob [1] (concatenated with the challenge hash). The authData blob contains data not derivable from the public/private key, such as a signature counter and the device's AAGUID. As I understand it, the attestation structure should...
2020 Feb 22
0
LDAP Account Manager 7.1.RC1 with Webauthn/FIDO2 and AD LDS support
Announcement: ------------- The 2-factor authentication was extended with Webauthn/FIDO2. You can manage AD LDS users and groups (LAM Pro). This is a test release. Please report any issues till 2020-03-06. Full changelog: https://www.ldap-account-manager.org/lamcms/changelog Download: https://www.ldap-account-manager.org/lamcms/releases Features: --------- * management of vario...
2020 Mar 17
0
LDAP Account Manager 7.1 with Webauthn/FIDO2 and AD LDS support
Announcement: ------------- The 2-factor authentication was extended with Webauthn/FIDO2. You can manage AD LDS users and groups (LAM Pro). Full changelog: https://www.ldap-account-manager.org/lamcms/changelog Download: https://www.ldap-account-manager.org/lamcms/releases Features: --------- * management of various account types * Unix * Samba 4/Active Directory * Asterisk *...
2019 Dec 31
2
u2f seed
...it gives a different key pair. (Randomly seeming). A differently generated key pair is not valid with the first's public key. All good so far, but you run into a problem if: You generate a keypair (A). You register your public key for (A) on a bunch of ssh servers. You take your fido2 key to a second client machine and try and login to your servers. It kind of defeats the purpose of being able to have a portable keyfob. If there was a way to seed the generation phase manually, then the same seed can be used on each client machine so that the ssh pub/private key doesn't hav...
2023 May 14
18
[Bug 3572] New: ssh-agent refused operation when using FIDO2 with -O verify-required
https://bugzilla.mindrot.org/show_bug.cgi?id=3572 Bug ID: 3572 Summary: ssh-agent refused operation when using FIDO2 with -O verify-required Product: Portable OpenSSH Version: 9.3p1 Hardware: Other OS: Linux Status: NEW Severity: minor Priority: P5 Component: ssh-agent Assignee: unassigned-bugs a...
2023 Dec 17
0
How to set/specify an SK Device (Path) in ssh_config?
Hey *, I have more than one {Security Key,HSM}-FIDO2 device attached to my Linux machine (Arch Linux). With
```
# fido2-token -L
/dev/hidraw7: vendor=0x1d50, product=0x60fc (CRYPTOTRUST ONLYKEY)
/dev/hidraw5: vendor=0x20a0, product=0x42b2 (Nitrokey Nitrokey 3)
```
I am able to get the device paths of both SK, which I can use to generate an `ecdsa-sk...
2020 Mar 05
3
Fwd: sk-api suggestions
Hello, I'm helping the Git for Windows team and contributing in git-for-windows repository to help expand the OpenSSH support for fido2 devices on Windows. Currently we are using your internal implementation (sk-usbhic.c); however, since Windows 10 version 1903 this requires administrator privileges. I'm trying to create a module for OpenSSH to use webauthn.dll instead of direct calling to libfido2 to eliminate the need for admin...
2020 Jul 26
2
Automatic FIDO2 key negotiation (request for comments)
On Tue, 2020-07-21 at 14:47 +1000, Damien Miller wrote: > On Mon, 20 Jul 2020, Jordan J wrote: [...] > > Firstly, would the following or some combination thereof be > > possible or is there an obvious impediment. Secondly, if it proved > > possible are the maintainers open to a patch providing it? > > > > 1. Update the SSH ecdsa-sk public key type to contain the
2020 Jul 20
3
Automatic FIDO2 key negotiation (request for comments)
At present whenever non-resident keys are used the key_handle required to use the token must be given by selecting the ssh 'private key' file generated by ssh-keygen during negotiation. In the more common webauthn context this key_handle would be stored on the server and then transmitted to the client during authentication. The client then checks connected tokens for one that reports it
2019 Dec 07
2
Agent protocol changes related to U2F/FIDO2 keys
I spent some time today implementing support for loading U2F keys into the SSH agent from my AsyncSSH library. I got it working, but along the way I ran into a few issues I wanted to report: First, it looks like the value of SSH_AGENT_CONSTRAIN_EXTENSION has changed from the value 3 defined at https://tools.ietf.org/html/draft-miller-ssh-agent-02
2019 Nov 15
2
U2F support in OpenSSH HEAD
...l U2F/FIDO support, with > > U2F being added as a new key type "sk-ecdsa-sha2-nistp256@openssh.com" > > or "ecdsa-sk" for short (the "sk" stands for "security key"). > > An update on this: I've just committed internal support for U2F/FIDO2 > security keys to OpenSSH. If ./configure can find a compatible libfido2 > then it will be used automatically, with no additional configuration > required in OpenSSH tools. You should use libfido2 HEAD for now until > they make their next release. > > Practically, this means tha...
2020 Feb 06
2
Building libsk-libfido2.so?
I updated to the latest versions of libfido2 and openssh-portable tonight, with an intention to test out the security key functionality and look closely at the changes over the last couple of months to see if I need to change anything in my AsyncSSH implementation to stay in sync. However, it seems that libfido2 no longer provides the "libsk-...
2019 Nov 01
10
U2F support in OpenSSH HEAD
...d NFC, we didn't want to burden OpenSSH with a bunch of dependencies. Instead we've delegated the task of communicating with the tokens to a small middleware library that is loaded in a manner similar to the existing PKCS#11 support. We've written a basic middleware for Yubico's libfido2 that is capable of talking to any standard USB HID U2F or FIDO2 token. The middleware source is hosted in the libfido2 tree, so building that and OpenSSH HEAD is sufficient to get started. Some quickstart instructions: 1. Build and install OpenSSH If you're using OpenBSD, then you can use a...
2020 Jan 02
4
u2f seed
...omly seeming). > > A differently generated key pair is not valid with the first's public key. > > All good so far, but you run into a problem if: > > You generate a keypair (A). > You register your public key for (A) on a bunch of ssh servers. > You take your fido2 key to a second client machine and try and login to your servers. > > It kind of defeats the purpose of being able to have a portable > keyfob. It's possible to use the key on another machine if you copy the private key you generated on the original machine over. U2F is almost completely...
2020 Jan 03
2
u2f seed
On Fri, 3 Jan 2020, Christian Weisgerber wrote: > David Lang: > >> not supporting authentication from multiple machines seems to defeat the >> purpose of adding u2f support. > > It works just like other SSH key types. You have a private SSH key > and a public one, and you can copy the private key to multiple > machines or load it into ssh-agent and use agent
2020 Jun 26
14
[Bug 3188] New: Problems creating a second ecdsa-sk key for a second Yubikey
https://bugzilla.mindrot.org/show_bug.cgi?id=3188 Bug ID: 3188 Summary: Problems creating a second ecdsa-sk key for a second Yubikey Product: Portable OpenSSH Version: 8.3p1 Hardware: Other OS: Linux Status: NEW Severity: normal Priority: P5 Component: ssh-keygen
2019 Nov 15
2
U2F support in OpenSSH HEAD
..., Damien Miller <djm at mindrot.org> wrote: > Please give this a try - security key support is a substantial change and > it really needs testing ahead of the next release. Hi Damien, Thanks for working on security key support, this is a really nice feature to have in openssh. My non-FIDO2 security key (YubiKey NEO) doesn't work with the latest changes to openssh and libfido2, failing with `try_device: fido_dev_get_assert: FIDO_ERR_USER_PRESENCE_REQUIRED`. I'm not sure if this is a problem in libfido2 or sk-usbhid.c (I also reported this issue at https://github.com/Yubico/lib...
2023 Sep 01
1
XMSS
Hey there, I know XMSS support has been experimental for quite some time. Is there any push to change the status? Just curious more than anything else. Chris
2019 Dec 03
2
U2F support in OpenSSH HEAD
...tal U2F/FIDO support, with >> U2F being added as a new key type "sk-ecdsa-sha2-nistp256@openssh.com" >> or "ecdsa-sk" for short (the "sk" stands for "security key"). > > An update on this: I've just committed internal support for U2F/FIDO2 > security keys to OpenSSH. If ./configure can find a compatible libfido2 > then it will be used automatically, with no additional configuration > required in OpenSSH tools. You should use libfido2 HEAD for now until > they make their next release. > > Practically, this means tha...
2020 Feb 14
2
Announce: OpenSSH 8.2 released
...er=internal") with support for USB tokens. It is automatically enabled in OpenBSD and may be enabled in portable OpenSSH via the configure flag --with-security-key-builtin. If the internal middleware is enabled then it is automatically used by default. This internal middleware requires that libfido2 (https://github.com/Yubico/libfido2) and its dependencies be installed. We recommend that packagers of portable OpenSSH enable the built-in middleware, as it provides the lowest-friction experience for users. Note: FIDO/U2F tokens are required to implement the ECDSA-P256 "ecdsa-sk" key t...