search for: securitykeyprovider

Displaying 8 results from an estimated 8 matches for "securitykeyprovider".

2020 Feb 05
19
Call for testing: OpenSSH 8.2
...ulation is that the FIDO token that the key belongs to must be attached when the key is used. FIDO tokens are most commonly connected via USB but may be attached via other means such as Bluetooth or NFC. In OpenSSH, communication with the token is managed via a middleware library, specified by the SecurityKeyProvider directive in ssh/sshd_config(5). OpenSSH includes a middleware with support for USB tokens that may be enabled in portable OpenSSH via the --with-security-key-builtin configure flag (it is enabled automatically in OpenBSD). This internal middleware requires that libfido2 (https://github.com/Yubi...
2020 Feb 14
2
Announce: OpenSSH 8.2 released
...ulation is that the FIDO token that the key belongs to must be attached when the key is used. FIDO tokens are most commonly connected via USB but may be attached via other means such as Bluetooth or NFC. In OpenSSH, communication with the token is managed via a middleware library, specified by the SecurityKeyProvider directive in ssh/sshd_config(5) or the $SSH_SK_PROVIDER environment variable for ssh-keygen(1) and ssh-add(1). The API for this middleware is documented in the sk-api.h and PROTOCOL.u2f files in the source distribution. OpenSSH includes a middleware ("SecurityKeyProvider=internal") with...
2020 Feb 14
2
Announce: OpenSSH 8.2 released
...ulation is that the FIDO token that the key belongs to must be attached when the key is used. FIDO tokens are most commonly connected via USB but may be attached via other means such as Bluetooth or NFC. In OpenSSH, communication with the token is managed via a middleware library, specified by the SecurityKeyProvider directive in ssh/sshd_config(5) or the $SSH_SK_PROVIDER environment variable for ssh-keygen(1) and ssh-add(1). The API for this middleware is documented in the sk-api.h and PROTOCOL.u2f files in the source distribution. OpenSSH includes a middleware ("SecurityKeyProvider=internal") with...
2020 Feb 14
2
Announce: OpenSSH 8.2 released
...ulation is that the FIDO token that the key belongs to must be attached when the key is used. FIDO tokens are most commonly connected via USB but may be attached via other means such as Bluetooth or NFC. In OpenSSH, communication with the token is managed via a middleware library, specified by the SecurityKeyProvider directive in ssh/sshd_config(5) or the $SSH_SK_PROVIDER environment variable for ssh-keygen(1) and ssh-add(1). The API for this middleware is documented in the sk-api.h and PROTOCOL.u2f files in the source distribution. OpenSSH includes a middleware ("SecurityKeyProvider=internal") with...
2019 Nov 01
10
U2F support in OpenSSH HEAD
...ore work will be needed on the OpenSSH side to get Windows going). 3. Generate a key. The OpenSSH tools use the $SSH_SK_PROVIDER environment variable to point to the middleware, though all tools that support security keys accept dedicated command-line or configuration options (e.g. ssh_config SecurityKeyProvider). This provider needs to be available for key generation and signing (e.g. pubkey authentication) operations. $ SSH_SK_PROVIDER=/path/to/libsk-libfido2.so $ export SSH_SK_PROVIDER $ ssh-keygen -t ecdsa-sk You will typically need to tap your token to confirm the keygen operation, but once complete...
2020 Mar 11
6
[PATCH 0/1] *** SUBJECT HERE ***
Hi, sifting through my system's logs, I noticed many break-in attempts by rogue ssh clients trying long lists of common passwords. For some time now I pondered different approaches to counter these, but could not come up with a solution that really satisfied me. I finally reached the conclusion that any countermeasures required support in sshd itself, and created the attached patch. If
2020 May 27
0
Announce: OpenSSH 8.3 released
...mpting on devices that implement on-device authentication. * sshd(8), ssh-keygen(1): no-touch-required FIDO certificate option should be an extension, not a critical option. * ssh(1), ssh-keygen(1), ssh-add(1): offer a better error message when trying to use a FIDO key function and SecurityKeyProvider is empty. * ssh-add(1), ssh-agent(8): ensure that a key lifetime fits within the values allowed by the wire format (u32). Prevents integer wraparound of the timeout values. bz#3119 * ssh(1): detect and prevent trivial configuration loops when using ProxyJump. bz#3057. Portabil...
2020 May 12
9
Call for testing: OpenSSH 8.3
...mpting on devices that implement on-device authentication. * sshd(8), ssh-keygen(1): no-touch-required FIDO certificate option should be an extension, not a critical option. * ssh(1), ssh-keygen(1), ssh-add(1): offer a better error message when trying to use a FIDO key function and SecurityKeyProvider is empty. * ssh-add(1), ssh-agent(8): ensure that a key lifetime fits within the values allowed by the wire format (u32). Prevents integer wraparound of the timeout values. bz#3119 * ssh(1): detect and prevent trivial configuration loops when using ProxyJump. bz#3057. Portabil...