Displaying 4 results from an estimated 4 matches for "solokey".
2020 Jan 02
2
u2f seed
That sounds like the application param is still used as part of the process though? Would allowing the user to specify the application work in the Solokey case?
What is stored in the private keyfile? The documentation says no private key is stored there. So is it just information used to reseed the public/private key?
Thanks,
Kevin
________________________________________
From: openssh-unix-dev <openssh-unix-dev-bounces+kevin.fox=pnnl.gov at mi...
2020 Jan 02
4
u2f seed
In the u2f protocol, my understanding is in the normal case, the web browser seeds the keypair process with the hostname of the remote server. In the case of ssh, the hostname is probably not what I would want to do. But the u2f protocol seems to have a way to handle this. It just needs to be exposed to the user. The content of the private keyfile in ssh is generated somehow. Where is that done?
2020 Jan 03
5
u2f seed
...20 5:01 AM
To: openssh-unix-dev at mindrot.org
Subject: Re: u2f seed
On 2020-01-02, "Fox, Kevin M" <Kevin.Fox at pnnl.gov> wrote:
> That sounds like the application param is still used as part of the process though? Would allowing the user to specify the application work in the Solokey case?
Let's cut this short without losing ourselves in details: Even if
you resend exactly the same U2F registration message, the token may
still create a different key pair. Only a very minimal U2F token
without an on-board RNG might derive the key pair purely from the
parameters in the regi...
2021 Oct 17
16
[Bug 3355] New: no-touch-required flag not restored from hardware token
...red active, the process of restoring the key on another
computer or using the key without downloading will result in always
requiring touch because the flag is not properly restored.
This incorrect behavior is consistent for ed25519_sk and ecdsa-sk keys.
I have tested and replicated the issue with SoloKey or Yubikey hardware
tokens.
After looking at the openssh code it seems that the flag below is never
properly used when reading or restoring a key from hardware tokens:
sk-api.h
#define SSH_SK_USER_PRESENCE_REQD 0x01
Here is the list of steps to fully reproduce the issue:
Step 1. Generate a...