search for: userauth_u2f

Hey, Judging from the (private) responses I?ve got, there is quite a bit of interest in the U2F feature I proposed a while ago. Therefore, I?ve taken some time to resolve the remaining issues, and I think the resulting patch (attached to this email) is in quite a good state now. I also posted the new version of the patch to https://bugzilla.mindrot.org/show_bug.cgi?id=2319 (which I?ve opened

...enough to get the discussion going :). Please see the two attached files for the patch. Due to their size, I?ve not posted them in-line. The way it currently (!) works: 1) Use ?AuthenticationMethods publickey,u2f? in sshd_config (or <whatever>,u2f) 2) Recompile SSH with the patch and change userauth_u2f() to use packet_put_int(0) (== registration) instead of packet_put_int(1) (== authentication). Sorry about that. See my question below. 3) You need to do this step only once: ssh into your server, touch your security key when prompted, and you?ll see a ssh-u2f key line, which you should copy&pa...

...se autoreconf > > -i to regenerate it, then run ./configure --with-u2f and compile OpenSSH. > > Transferring my notes from the other thread: > > 1) PAM doesn't work (--with-pam, then UsePAM yes and > ChallengeResponseAuthentication yes) > Fix: detect loops in ssh2connect:userauth_u2f in some other way, such > as a dedicated variable in authctxt. (but also see point 5) > > 2) origin doesn't seem to be respected by YubiKeys (if I understand > the spec correctly) > Is AppID a better choice for this reason? > > 3) Include paths (probably bug in libu2f-host)...

...enough to get the discussion going :). Please see the two attached files for the patch. Due to their size, I?ve not posted them in-line. The way it currently (!) works: 1) Use ?AuthenticationMethods publickey,u2f? in sshd_config (or <whatever>,u2f) 2) Recompile SSH with the patch and change userauth_u2f() to use packet_put_int(0) (== registration) instead of packet_put_int(1) (== authentication). Sorry about that. See my question below. 3) You need to do this step only once: ssh into your server, touch your security key when prompted, and you?ll see a ssh-u2f key line, which you should copy&pa...