search for: key_handle

Displaying 12 results from an estimated 12 matches for "key_handle".

2020 Jul 26
2
Automatic FIDO2 key negotiation (request for comments)
...> Firstly, would the following or some combination thereof be > > possible or is there an obvious impediment. Secondly, if it proved > > possible are the maintainers open to a patch providing it? > > > > 1. Update the SSH ecdsa-sk public key type to contain the > > key_handle and other relevant details (it doesn't contain sensitive > > information or accessible key material so this is safe to do) > > 2. Add a method to send a list of understood "*-sk" publickeys from > > authorized_keys to the client > > I'm not keen on making the pu...
2020 Jul 20
3
Automatic FIDO2 key negotiation (request for comments)
At present whenever non-resident keys are used the key_handle required to use the token must be given by selecting the ssh 'private key' file generated by ssh-keygen during negotiation. In the more common webauthn context this key_handle would be stored on the server and then transmitted to the client during authentication. The client then checks con...
2019 Dec 07
2
Agent protocol changes related to U2F/FIDO2 keys
...e ec_point Q
    string application
    uint64 serial
    uint32 type
    string key id
    string valid principals
    uint64 valid after
    uint64 valid before
    string critical options
    string extensions
    string reserved
    string signature key
    string signature
    string application
    uint8  flags
    string key_handle
    string reserved
If the intent was to avoid duplicating what was already in the certificate, though, I'm not sure why 'application' is sent twice. It seems like that should have been left out along with the curve_id and Q value, appending only the flags, key_handle, and reserved values from the p...
2014 Jan 10
4
[PATCH] Add a minimal hive with "special" keys and values
...ng(&root_key_name, L"\\Registry\\Machine\\minimal"); + OBJECT_ATTRIBUTES root_key_obj; + InitializeObjectAttributes (&root_key_obj, &root_key_name, + OBJ_OPENIF | OBJ_CASE_INSENSITIVE, + NULL, NULL); + HANDLE minimal_key_handle; + rc = ZwCreateKey (&minimal_key_handle, KEY_ALL_ACCESS, &root_key_obj, + 0, NULL, REG_OPTION_NON_VOLATILE, NULL); + if (!NT_SUCCESS (rc)) { + printf("error: CreateKey <HKLM\\minimal>: 0x%08x\n", rc); + exit(1); + } + + UNICODE_STRING key_name =...
2014 Jan 13
0
Re: [PATCH 1/7] Add a minimal hive with "special" keys and values
...> + UNICODE_STRING value_name = { val_len, val_len, val }; > + OBJECT_ATTRIBUTES key_obj; > + InitializeObjectAttributes (&key_obj, &key_name, > + OBJ_OPENIF | OBJ_CASE_INSENSITIVE, > + *handle, NULL); > + HANDLE key_handle; > + NTSTATUS rc; > + rc = ZwCreateKey (&key_handle, KEY_ALL_ACCESS, &key_obj, > + 0, NULL, REG_OPTION_NON_VOLATILE, NULL); > + if (!NT_SUCCESS (rc)) { > + wprintf(L"error: CreateKey %s: 0x%08x\n", key, rc); > + exit(1); > + } >...
2014 Jan 10
14
[PATCH 1/7] Add a minimal hive with "special" keys and values
...= { key_len, key_len, key }; + UNICODE_STRING value_name = { val_len, val_len, val }; + OBJECT_ATTRIBUTES key_obj; + InitializeObjectAttributes (&key_obj, &key_name, + OBJ_OPENIF | OBJ_CASE_INSENSITIVE, + *handle, NULL); + HANDLE key_handle; + NTSTATUS rc; + rc = ZwCreateKey (&key_handle, KEY_ALL_ACCESS, &key_obj, + 0, NULL, REG_OPTION_NON_VOLATILE, NULL); + if (!NT_SUCCESS (rc)) { + wprintf(L"error: CreateKey %s: 0x%08x\n", key, rc); + exit(1); + } + DWORD value = 0; + rc = ZwSetValueK...
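Review bot: the error path `wprintf(L"error: CreateKey %s: 0x%08x\n", key, rc)` passes `key` through `%s`, but `key` is the Buffer of a UNICODE_STRING and therefore a wide (wchar_t) string; in standard C `%s` in a wide-character format expects a narrow `char *`, and only the Microsoft CRT reinterprets it as wide, so `%ls` is the unambiguous choice. The same call prints an NTSTATUS (a signed LONG) with `%x`; casting to `(unsigned long) rc` and using `%08lx` avoids the signed/unsigned mismatch.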
2014 Jan 14
2
Re: [PATCH 1/7] Add a minimal hive with "special" keys and values
...ue_name = { val_len, val_len, val }; > > + OBJECT_ATTRIBUTES key_obj; > > + InitializeObjectAttributes (&key_obj, &key_name, > > + OBJ_OPENIF | OBJ_CASE_INSENSITIVE, > > + *handle, NULL); > > + HANDLE key_handle; > > + NTSTATUS rc; > > + rc = ZwCreateKey (&key_handle, KEY_ALL_ACCESS, &key_obj, > > + 0, NULL, REG_OPTION_NON_VOLATILE, NULL); > > + if (!NT_SUCCESS (rc)) { > > + wprintf(L"error: CreateKey %s: 0x%08x\n", key, rc); > >...
2019 Dec 07
2
Another U2F documentation issue
...l message used > to add PKCS#11 keys to ssh-agent does not include any way to send the > key handle to the agent as U2F keys require. However, the extension described there has nothing to do with sending the key handle. In fact, all of the necessary fields (public key, application, flags, and key_handle) are all already encoded in the private key blob (and appended to the certificate blob when certificates are being imported). The extension only communicates the path to the middleware library to use, not the additional key information such as the key handle. If you had ssh-agent pick up the locat...
2019 Dec 03
2
U2F support in OpenSSH HEAD
...ecifically, that doc says:
> In addition to the message to be signed, the U2F signature operation
> requires a few additional parameters:
>
>     byte     control bits (e.g. "user presence required" flag)
>     byte[32] SHA256(message)
>     byte[32] SHA256(application)
>     byte     key_handle length
>     byte[]   key_handle
This isn't really the format that these parameters are provided during a signing operation, though, at least not to the middleware library documented later in the doc. You may just want to leave this part of the description out, or at least sync it up a bit better w...
2014 Jan 08
5
hivex: Make node names and value names with embedded null characters accessible
On Windows, there exist at least two APIs for dealing with the Registry: The Win32 API (RegCreateKeyA, RegCreateKeyW, etc.) works with null-terminated ASCII or UTF-16 strings. The native API (ZwCreateKey, etc.), on the other hand works with UTF-16 strings that are stored as buffers+length and may contain null characters. Malware authors have been relying on the Win32 API's inability to
2019 Nov 01
10
U2F support in OpenSSH HEAD
Hi, As of this morning, OpenSSH now has experimental U2F/FIDO support, with U2F being added as a new key type "sk-ecdsa-sha2-nistp256 at openssh.com" or "ecdsa-sk" for short (the "sk" stands for "security key"). If you're not familiar with U2F, this is an open standard for making inexpensive hardware security tokens. These are easily the cheapest way
2020 Sep 04
3
Incomplete attestation data for FIDO2 SKs?
I was recently looking at verifying the attestation data (ssh-sk-attest-v00) for a SK key, but I believe the data saved in this structure is insufficient for completing verification of the attestation. While the structure has enough information for U2F devices, FIDO2 devices sign their attestation over a richer "authData" blob [1] (concatenated with the challenge hash). The authData blob