Displaying 7 results from an estimated 7 matches for "sk_enrol".
2020 Feb 06
2
Building libsk-libfido2.so?
...SSH implementation to stay in sync. However, it seems that libfido2 no longer provides the "libsk-libfido2.so" library that it used to. That was something I was counting on being able to link against in AsyncSSH, so I didn't have to directly call into libfido2 and could instead use the much simpler sk_enroll/sk_sign API that libsk provided.
After looking around a bit, I saw a comment in the libfido2 repo about the libsk functionality moving into OpenSSH itself, but I don't see any way to build that as a library any more. In fact, the only implementation I can find now is the one in sk-usbhid.c which...
2025 Jan 10
1
verify-required: ssh-keygen manpage ambiguity
...ration property.
CTAP 2.1 has a Credential Protection feature which allows a newly
created credential to be mandatorily protected by the authenticator
through some form of user verification, e.g. PIN entry. This is
requested by ssh-keygen when generating a key with the verify-required
option, see sk_enroll() in sk-usbhid.c.
--
Christian "naddy" Weisgerber naddy at mips.inka.de
2024 Dec 21
2
[PATCH 0/2] Fix Memory Management Issue in `ssh-sk-helper` with External SK Libraries
Hi,
Sometimes, users might find that the `ssh-sk-helper` crashes after
enrolling a new key when using external SK libraries.
Currently, the memory returned by SK APIs is freed by the host, but
external libraries may have their own methods of handling memory. For
instance some external libraries are linked against a foreign libc
statically. As a result, the `ssh-sk-helper` would have issues if
2020 Sep 04
3
Incomplete attestation data for FIDO2 SKs?
I was recently looking at verifying the attestation data
(ssh-sk-attest-v00) for a SK key, but I believe the data saved in this
structure is insufficient for completing verification of the attestation.
While the structure has enough information for U2F devices, FIDO2 devices
sign their attestation over a richer "authData" blob [1] (concatenated with
the challenge hash). The authData blob
2019 Dec 03
2
U2F support in OpenSSH HEAD
...byte string value that is later converted to integers and then encoded as a pair of MPInts. I suspect the hardware might be returning (r, s) as DER encoded in some cases and that the middleware library is hiding that, but either way the text above isn't quite right.
Later, in the description of the sk_enroll() call, you show a "challenge" argument, but it's not clear how that's used. Are you doing anything with that today? I tried looking in various online docs about U2F/FIDO to see if it was described there, but I couldn't really find anything that matched up with that. Most of what I found was much...
2025 Jan 10
1
verify-required: ssh-keygen manpage ambiguity
Hi,
Based on my understanding of the FIDO protocol, user verification is
independently requested during key creation and verification via
server (i.e. relying party in FIDO/WebAuthN terminology) side flags,
i.e. "user verification required" is not a per-key/credential, but
rather a per-operation property.
However, the `ssh-keygen` manpage states that:
> verify-required
>
2019 Nov 01
10
U2F support in OpenSSH HEAD
Hi,
As of this morning, OpenSSH now has experimental U2F/FIDO support, with
U2F being added as a new key type "sk-ecdsa-sha2-nistp256@openssh.com"
or "ecdsa-sk" for short (the "sk" stands for "security key").
If you're not familiar with U2F, this is an open standard for making
inexpensive hardware security tokens. These are easily the cheapest way