Add support for FIDO2 pubkey auth for SSH server #12001
Comments
(At some point it would be nice to do the ctap2 client work on this too…)
well... one step at a time. I got a draft PR for the server-side implementation... just a weekend hacking session. But I would like to have a coding buddy / review partner to continue working on this. I expect that many people using the conch SSH client are using it for non-human / automated processes... so FIDO2 is not that important / relevant. @glyph do you have a use case for client-side SSH with FIDO2 and Twisted? Are you aware of any human-interacting client-side SSH app using Twisted? For server-side, I think that Launchpad is/was using Twisted conch for some SFTP / SSH handling for PPA.
Many years ago, https://www.expandrive.com was based on Conch. I think they have long since rewritten it, but there are lots of possible interactive applications like that which might want to speak SSH or SFTP. Personally though, I just want to use less software written in C, so I use the
While I don't currently have time to help with this, I agree that Launchpad would definitely be able to make good use of server-side support here (at least once we get off Python 3.5 and so can upgrade Twisted again, which is nearly done ...).
Maybe just make sure any interested colleagues are aware that this work is underway, just in case anyone has a free moment 😄
Done!
This is to implement the userauth server-side of https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.u2f
The security key (sk-) implementation is for now only OpenSSH specific.
The GitHub.com server (SSH-2.0-babeld-70f1bac9 but maybe OpenSSH in the backend) also supports it.
For the scope of this ticket, my plan is to have support only for:
This means:
Certificates are out of scope.
WebAuthN is out of scope.
In the past, getting a YubiKey to work with SSH was a pain via PGP or SmartCard.
With this, OpenSSH has direct access to the fido2 keys.
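As an added illustration of the server-side piece this ticket scopes (not code from the draft PR or from Twisted itself): a Python sketch of what Conch would have to do to verify one sk-ssh-ed25519@openssh.com userauth signature per PROTOCOL.u2f. It parses the public key blob (type, key, application) and the signature blob (type, sig, flags, counter), rebuilds the bytes the token actually signed, SHA256(application) || flags || counter || SHA256(message), and rejects signatures made without the user-presence bit; the raw Ed25519 verifier is an assumed callable `verify_raw` (in practice cryptography's Ed25519PublicKey.verify), and the sample blobs are constructed, not real key material.

```python
import hashlib
import struct

SK_ED25519 = b"sk-ssh-ed25519@openssh.com"
SK_FLAG_USER_PRESENCE = 0x01  # FIDO authenticator-data "UP" bit, as OpenSSH's sk-api.h

def ssh_string(b):  # SSH wire 'string': uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b

def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_sk_pubkey(blob):
    """PROTOCOL.u2f public key: string type, string pubkey, string application."""
    ktype, off = _read_string(blob, 0)
    pubkey, off = _read_string(blob, off)
    application, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("malformed public key blob")
    return ktype, pubkey, application

def parse_sk_signature(blob):
    """PROTOCOL.u2f signature: string type, string sig, byte flags, uint32 counter."""
    stype, off = _read_string(blob, 0)
    sig, off = _read_string(blob, off)
    if off + 5 != len(blob):
        raise ValueError("malformed signature blob")
    return (stype, sig) + struct.unpack_from(">BI", blob, off)

def sk_signed_data(application, flags, counter, message):
    """Bytes the token actually signed: SHA256(app) || flags || counter || SHA256(msg)."""
    return (hashlib.sha256(application).digest() + struct.pack(">BI", flags, counter)
            + hashlib.sha256(message).digest())

def verify_sk_userauth(pubkey_blob, sig_blob, message, verify_raw, require_presence=True):
    """Server-side check; verify_raw(pubkey, sig, data) -> bool is a plain Ed25519
    verifier (assumed, e.g. cryptography's Ed25519PublicKey.verify wrapped in a bool)."""
    ktype, pubkey, application = parse_sk_pubkey(pubkey_blob)
    stype, sig, flags, counter = parse_sk_signature(sig_blob)
    if ktype != SK_ED25519 or stype != ktype:
        raise ValueError("key/signature type mismatch")
    if require_presence and not flags & SK_FLAG_USER_PRESENCE:
        raise ValueError("signature made without user presence (touch)")
    if not verify_raw(pubkey, sig, sk_signed_data(application, flags, counter, message)):
        raise ValueError("bad signature")
    return counter  # caller should require this to increase between logins (cloned token)

# Constructed sample blobs (not real key material); application "ssh:" as OpenSSH uses.
SAMPLE_PUBKEY = ssh_string(SK_ED25519) + ssh_string(b"\x11" * 32) + ssh_string(b"ssh:")
SAMPLE_SIG = ssh_string(SK_ED25519) + ssh_string(b"\x22" * 64) + struct.pack(">BI", 0x01, 7)
```

`message` is the same data an ordinary publickey userauth signs (session id plus the SSH_MSG_USERAUTH_REQUEST fields); only the sk- wrapping around it is new.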