Displaying 20 results from an estimated 23 matches for "libfido2".
2020 Jan 10
4
u2f / libfido2 version
Hi,
So I finally have time to test the u2f support
but so far I haven't been very successful.
Specifically, current HEAD has
SSH_SK_VERSION_MAJOR 0x00040000
and I can't seem to find a matching libfido2 version,
current HEAD of Yubico/libfido2 is 0x00020000
Is there a more up to date libfido2
or a particular commit of openssh-portable
I should be using?
thanks
Sean
2020 Feb 06
2
Building libsk-libfido2.so?
I updated to the latest versions of libfido2 and openssh-portable tonight, with an intention to test out the security key functionality and look closely at the changes over the last couple of months to see if I need to change anything in my AsyncSSH implementation to stay in sync. However, it seems that libfido2 no longer provides the "libsk-...
2019 Nov 01
10
U2F support in OpenSSH HEAD
...and NFC, we didn't want to burden OpenSSH with a bunch of
dependencies. Instead we've delegated the task of communicating with the
tokens to a small middleware library that is loaded in a manner similar
to the existing PKCS#11 support.
We've written a basic middleware for Yubico's libfido2 that is capable
of talking to any standard USB HID U2F or FIDO2 token. The middleware
source is hosted in the libfido2 tree, so building that and OpenSSH HEAD
is sufficient to get started.
Some quickstart instructions:
1. Build and install OpenSSH
If you're using OpenBSD, then you can use a...
2019 Nov 15
2
U2F support in OpenSSH HEAD
...key support is a substantial change and
> it really needs testing ahead of the next release.
Hi Damien,
Thanks for working on security key support, this is a really nice
feature to have in openssh.
My non-FIDO2 security key (YubiKey NEO) doesn't work with the latest
changes to openssh and libfido2, failing with `try_device:
fido_dev_get_assert: FIDO_ERR_USER_PRESENCE_REQUIRED`. I'm not sure if
this is a problem in libfido2 or sk-usbhid.c (I also reported this
issue at https://github.com/Yubico/libfido2/issues/73).
Is try_device incompatible with U2F keys? It seems to me to be trying
to...
2020 Sep 04
3
Incomplete attestation data for FIDO2 SKs?
I was recently looking at verifying the attestation data
(ssh-sk-attest-v00) for a SK key, but I believe the data saved in this
structure is insufficient for completing verification of the attestation.
While the structure has enough information for U2F devices, FIDO2 devices
sign their attestation over a richer "authData" blob [1] (concatenated with
the challenge hash). The authData blob
2020 Jun 26
14
[Bug 3188] New: Problems creating a second ecdsa-sk key for a second Yubikey
https://bugzilla.mindrot.org/show_bug.cgi?id=3188
Bug ID: 3188
Summary: Problems creating a second ecdsa-sk key for a second
Yubikey
Product: Portable OpenSSH
Version: 8.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: ssh-keygen
2019 Nov 15
2
U2F support in OpenSSH HEAD
..."sk-ecdsa-sha2-nistp256@openssh.com"
> > or "ecdsa-sk" for short (the "sk" stands for "security key").
>
> An update on this: I've just committed internal support for U2F/FIDO2
> security keys to OpenSSH. If ./configure can find a compatible libfido2
> then it will be used automatically, with no additional configuration
> required in OpenSSH tools. You should use libfido2 HEAD for now until
> they make their next release.
>
> Practically, this means that you can just run "ssh-keygen -t ecdsa-sk"
> and it will work w...
2020 Mar 05
3
Fwd: sk-api suggestions
...elp expand the OpenSSH support for fido2 devices on Windows.
Currently we are using your internal implementation (sk-usbhid.c); however,
since Windows 10 version 1903 this requires administrator privileges.
I'm trying to create a module for OpenSSH to use webauthn.dll instead of
calling libfido2 directly, to eliminate the need for administrator
privileges.
I noticed that in ssh-sk.c, in the function sshsk_sign, you hash the input data
before passing it to the external module's sk_sign function. The problem is,
the Windows API automatically hashes the input before sending it to the fido device,
so I need to receive the dat...
2019 Nov 02
2
U2F support in OpenSSH HEAD
...o
folding those parts in if appropriate?
Joseph, to offer comment on NIST P-256. There was originally quite a
limited subset of support in U2F, originally ES256 or RS256. There's
since been more added (Ed25519 appears to be one of them at a cursory
glance). If you take a look at param.h in the libfido2 repository
you'll see the list of supported algorithm constants (COSE_*). From
personal experience though I've had a few different brands of
pure-u2f-only tokens and never seen support for anything other than
P-256 in the wild. Yubico's U2F only keys for example are currently
listed on their...
2020 Feb 05
19
Call for testing: OpenSSH 8.2
...cified by the
SecurityKeyProvider directive in ssh/sshd_config(5). OpenSSH includes
a middleware with support for USB tokens that may be enabled in
portable OpenSSH via the --with-security-key-builtin configure flag
(it is enabled automatically in OpenBSD). This internal middleware
requires that libfido2 (https://github.com/Yubico/libfido2) and its
dependencies be installed. If the built-in middleware is enabled then
it will be used by default.
Note: FIDO/U2F tokens are required to implement the ECDSA-P256
"ecdsa-sk" key type, but hardware support for Ed25519 "ed25519-sk" is
le...
2023 Jun 17
2
[PATCH] ssh-agent: add systemd socket-based activation
...nged, 72 insertions(+), 10 deletions(-)
diff --git a/Makefile.in b/Makefile.in
index 70287f51fb81..9bace646fecf 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -53,6 +53,7 @@ CHANNELLIBS=@CHANNELLIBS@
K5LIBS=@K5LIBS@
GSSLIBS=@GSSLIBS@
SSHDLIBS=@SSHDLIBS@
+AGENTLIBS=@AGENTLIBS@
LIBEDIT=@LIBEDIT@
LIBFIDO2=@LIBFIDO2@
AR=@AR@
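Review bot: the AGENTLIBS=@AGENTLIBS@ line added in this Makefile.in hunk relies on configure substituting the variable, so the patch needs a matching AC_SUBST for AGENTLIBS that leaves it empty when the activation library is not found; otherwise the literal @AGENTLIBS@ ends up in the generated Makefile. Keep the new library in this dedicated variable and reference it only from the ssh-agent link rule, not from LIBS, so the other binaries do not pick up the extra dependency.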
@@ -216,7 +217,7 @@ ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHADD_OBJS)
$(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(CHANNELLIBS)
ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHAGENT_OBJS)
- $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbs...
2020 Sep 27
0
Announce: OpenSSH 8.4 released
...require a PIN prior to all operations that may retrieve
a resident key from a FIDO token.
Potentially-incompatible changes
================================
This release includes a number of changes that may affect existing
configurations:
* For FIDO/U2F support, OpenSSH recommends the use of libfido2 1.5.0
or greater. Older libraries have limited support at the expense of
disabling particular features. These include resident keys, PIN-
required keys and multiple attached tokens.
* ssh-keygen(1): the format of the attestation information optionally
recorded when a FIDO key is gener...
2020 Sep 20
13
Call for testing: OpenSSH 8.4
...require a PIN prior to all operations that may retrieve
a resident key from a FIDO token.
Potentially-incompatible changes
================================
This release includes a number of changes that may affect existing
configurations:
* For FIDO/U2F support, OpenSSH recommends the use of libfido2 1.5.0
or greater. Older libraries have limited support at the expense of
disabling particular features. These include resident keys, PIN-
required keys and multiple attached tokens.
* ssh-keygen(1): the format of the attestation information optionally
recorded when a FIDO key is gener...
2020 Jul 05
7
[Bug 3191] New: Issues when authorized_keys contains more than one ecdsa-sk public key
https://bugzilla.mindrot.org/show_bug.cgi?id=3191
Bug ID: 3191
Summary: Issues when authorized_keys contains more than one
ecdsa-sk public key
Product: Portable OpenSSH
Version: 8.3p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component:
2019 Dec 03
2
U2F support in OpenSSH HEAD
..."sk-ecdsa-sha2-nistp256@openssh.com"
>> or "ecdsa-sk" for short (the "sk" stands for "security key").
>
> An update on this: I've just committed internal support for U2F/FIDO2
> security keys to OpenSSH. If ./configure can find a compatible libfido2
> then it will be used automatically, with no additional configuration
> required in OpenSSH tools. You should use libfido2 HEAD for now until
> they make their next release.
>
> Practically, this means that you can just run "ssh-keygen -t ecdsa-sk"
> and it will work w...
2020 Feb 14
2
Announce: OpenSSH 8.2 released
...vider=internal") with
support for USB tokens. It is automatically enabled in OpenBSD and may
be enabled in portable OpenSSH via the configure flag
--with-security-key-builtin. If the internal middleware is enabled
then it is automatically used by default. This internal middleware
requires that libfido2 (https://github.com/Yubico/libfido2) and its
dependencies be installed. We recommend that packagers of portable
OpenSSH enable the built-in middleware, as it provides the
lowest-friction experience for users.
Note: FIDO/U2F tokens are required to implement the ECDSA-P256
"ecdsa-sk" key t...
2022 Oct 04
40
[Bug 3480] New: tracking bug for openssh-9.1
https://bugzilla.mindrot.org/show_bug.cgi?id=3480
Bug ID: 3480
Summary: tracking bug for openssh-9.1
Product: Portable OpenSSH
Version: -current
Hardware: Other
OS: Linux
Status: NEW
Keywords: meta
Severity: enhancement
Priority: P5
Component: Miscellaneous
Assignee:
2020 May 27
0
Announce: OpenSSH 8.3 released
...offer a poor default one (e.g. Solaris).
* A number of shell portability fixes for the regression tests.
* Fix theoretical infinite loop in the glob(3) replacement
implementation.
* Fix seccomp sandbox compilation problems for some Linux
configurations bz#3085
* Improved detection of libfido2 and some compilation fixes for some
configurations when --with-security-key-builtin is selected.
Checksums:
==========
- SHA1 (openssh-8.3.tar.gz) = 46c63b7ddbe46a0666222f7988c993866c31fcca
- SHA256 (openssh-8.3.tar.gz) = M6CnZ+duGs4bzDio8hQNLwyLQChV+3wkUEO8HWLV35c=
- SHA1 (/openssh-8.3p1....