search for: fido2

I was recently looking at verifying the attestation data (ssh-sk-attest-v00) for a SK key, but I believe the data saved in this structure is insufficient for completing verification of the attestation. While the structure has enough information for U2F devices, FIDO2 devices sign their attestation over a richer "authData" blob [1] (concatenated with the challenge hash). The authData blob contains data not derivable from the public/private key, such as a signature counter and the device's AAGUID. As I understand it, the attestation structure should...

Announcement: ------------- The 2-factor authentication was extended with Webauthn/FIDO2. You can manage AD LDS users and groups (LAM Pro). This is a test release. Please report any issues till 2020-03-06. Full changelog: https://www.ldap-account-manager.org/lamcms/changelog Download: https://www.ldap-account-manager.org/lamcms/releases Features: --------- * management of vario...

Announcement: ------------- The 2-factor authentication was extended with Webauthn/FIDO2. You can manage AD LDS users and groups (LAM Pro). Full changelog: https://www.ldap-account-manager.org/lamcms/changelog Download: https://www.ldap-account-manager.org/lamcms/releases Features: --------- * management of various account types * Unix * Samba 4/Active Directory * Asterisk *...

...it gives a different key pair. (Randomly seeming). A differently generated key pair is not valid with the first's public key. All good so far, but you run into a problem if: You generate a keypair (A). You register your public key for (A) on a bunch of ssh servers. You take your fido2 key to a second client machine and try and login to your servers. It kind of defeats the purpose of being able to have a portable keyfob. If there was a way to seed the generation phase manually, then the same seed can be used on each client machine so that the ssh pub/private key doesn't hav...

https://bugzilla.mindrot.org/show_bug.cgi?id=3572 Bug ID: 3572 Summary: ssh-agent refused operation when using FIDO2 with -O verify-required Product: Portable OpenSSH Version: 9.3p1 Hardware: Other OS: Linux Status: NEW Severity: minor Priority: P5 Component: ssh-agent Assignee: unassigned-bugs a...

Hey *, I have more then one {Security Key,HSM}-FIDO2 device attached to my Linux machine (Arch Linux). With ``` # fido2-token -L /dev/hidraw7: vendor=0x1d50, product=0x60fc (CRYPTOTRUST ONLYKEY) /dev/hidraw5: vendor=0x20a0, product=0x42b2 (Nitrokey Nitrokey 3) ``` I am able to get the device paths of both SK, which I can use to generate an `ecdsa-sk...

Hello, I'm helping the Git for windows team and contributing in git-for-windows repository to help expand the OpenSSH support for fido2 devices on Windows. Currently we are using your internal implementation(sk-usbhic.c) however since Windows 10 version 1903 this requires administrator privileges. I'm trying to create a module for OpenSSH to use webauthn.dll instead of direct calling to libfido2 to eliminate the need for admin...

On Tue, 2020-07-21 at 14:47 +1000, Damien Miller wrote: > On Mon, 20 Jul 2020, Jordan J wrote: [...] > > Firstly, would the following or some combination thereof be > > possible or is there an obvious impediment. Secondly, if it proved > > possible are the maintainers open to a patch providing it? > > > > 1. Update the SSH ecdsa-sk public key type to contain the

At present whenever non-resident keys are used the key_handle required to use the token must be given by selecting the ssh 'private key' file generated by ssh-keygen during negotiation. In the more common webauthn context this key_handle would be stored on the server and then transmitted to the client during authentication. The client then checks connected tokens for one that reports it

I spent some time today implementing support for loading U2F keys into the SSH agent from my AsyncSSH library. I got it working, but along the way I ran into a few issues I wanted to report: First, it looks like the value of SSH_AGENT_CONSTRAIN_EXTENSION has changed from the value 3 defined at https://tools.ietf.org/html/draft-miller-ssh-agent-02

...l U2F/FIDO support, with > > U2F being added as a new key type "sk-ecdsa-sha2-nistp256 at openssh.com" > > or "ecdsa-sk" for short (the "sk" stands for "security key"). > > An update on this: I've just committed internal support for U2F/FIDO2 > security keys to OpenSSH. If ./configure can find a compatible libfido2 > then it will be used automatically, with no additional configuration > required in OpenSSH tools. You should use libfido2 HEAD for now until > they make their next release. > > Practically, this means tha...

I updated to the latest versions of libfido2 and openssh-portable tonight, with an intention to test out the security key functionality and look closely at the changes over the last couple of months to see if I need to change anything in my AsyncSSH implementation to stay in sync. However, it seems that libfido2 no longer provides the ?libsk-...

...d NFC, we didn't want to burden OpenSSH with a bunch of dependencies. Instead we've delegated the task of communicating with the tokens to a small middleware library that is loaded in a manner similar to the existing PKCS#11 support. We've written a basic middleware for Yubico's libfido2 that is capable of talking to any standard USB HID U2F or FIDO2 token. The middleware source is hosted in the libfido2 tree, so building that and OpenSSH HEAD is sufficient to get started. Some quickstart instructions: 1. Build and install OpenSSH If you're using OpenBSD, then you can use a...

...omly seeming). > > A differently generated key pair is not valid with the first's public key. > > All good so far, but you run into a problem if: > > You generate a keypair (A). > You register your public key for (A) on a bunch of ssh servers. > You take your fido2 key to a second client machine and try and login to your servers. > > It kind of defeats the purpose of being able to have a portable > keyfob. It's possible to use the key on another machine if copy the private key you generated on the original machine over. U2F is almost completely...

On Fri, 3 Jan 2020, Christian Weisgerber wrote: > David Lang: > >> not supporting authentication from multiple machines seems to defeat the >> purpose of adding u2f support. > > It works just like other SSH key types. You have a private SSH key > and a public one, and you can copy the private key to multiple > machines or load it into ssh-agent and use agent

https://bugzilla.mindrot.org/show_bug.cgi?id=3188 Bug ID: 3188 Summary: Problems creating a second ecdsa-sk key for a second Yubikey Product: Portable OpenSSH Version: 8.3p1 Hardware: Other OS: Linux Status: NEW Severity: normal Priority: P5 Component: ssh-keygen

..., Damien Miller <djm at mindrot.org> wrote: > Please give this a try - security key support is a substantial change and > it really needs testing ahead of the next release. Hi Damien, Thanks for working on security key support, this is a really nice feature to have in openssh. My non-FIDO2 security key (YubiKey NEO) doesn't work with the latest changes to openssh and libfido2, failing with `try_device: fido_dev_get_assert: FIDO_ERR_USER_PRESENCE_REQUIRED`. I'm not sure if this is a problem in libfido2 or sk-usbhid.c (I also reported this issue at https://github.com/Yubico/lib...

Hey there, I know XMSS support has been experimental for quite some time. Is there any push to change the status? Just curious more than anything else. Chris

...tal U2F/FIDO support, with >> U2F being added as a new key type "sk-ecdsa-sha2-nistp256 at openssh.com" >> or "ecdsa-sk" for short (the "sk" stands for "security key"). > > An update on this: I've just committed internal support for U2F/FIDO2 > security keys to OpenSSH. If ./configure can find a compatible libfido2 > then it will be used automatically, with no additional configuration > required in OpenSSH tools. You should use libfido2 HEAD for now until > they make their next release. > > Practically, this means tha...

...er=internal") with support for USB tokens. It is automatically enabled in OpenBSD and may be enabled in portable OpenSSH via the configure flag --with-security-key-builtin. If the internal middleware is enabled then it is automatically used by default. This internal middleware requires that libfido2 (https://github.com/Yubico/libfido2) and its dependencies be installed. We recommend that packagers of portable OpenSSH enable the built-in middleware, as it provides the lowest-friction experience for users. Note: FIDO/U2F tokens are required to implement the ECDSA-P256 "ecdsa-sk" key t...