On 24 December 2014 at 18:57, Michael Stapelberg <stapelberg+openssh@xxxxxxxxxx> wrote:
> In case you're interested, please feel free to try the patch. I'm happy for
> any feedback. All you need is libu2f-host installed and a clean copy of
> OpenSSH 6.7p1. Apply the attached patch, delete configure, use autoreconf
> -i to regenerate it, then run ./configure --with-u2f and compile OpenSSH.

Transferring my notes from the other thread:

1) PAM doesn't work (--with-pam, then UsePAM yes and ChallengeResponseAuthentication yes)
Fix: detect loops in ssh2connect:userauth_u2f in some other way, such as a dedicated variable in authctxt. (but also see point 5)

2) origin doesn't seem to be respected by YubiKeys (if I understand the spec correctly)
Is AppID a better choice for this reason?

3) Include paths (probably bug in libu2f-host)
This is https://github.com/Yubico/libu2f-host/issues/13 that you filed.

4) What happened to 51?
    MONITOR_REQ_TERM = 50,
+   MONITOR_REQ_READUSERU2FKEY = 52,
    MONITOR_ANS_READUSERU2FKEY = 53,

5) Why does registration connect to the server anyway, if the server doesn't keep state and origin is not tied to the server pubkey?
Indeed, without AuthenticationMethods registration returns the blob before password prompt is shown.
Registration only makes sense if server writes the key handle to ~/.ssh/authorized_keys, right?
Hmm, unless authorized_keys is signed by the server, the registration process will never be "online" anyway, as U2F intends, so it may as well be generated on the client and copy-pasted into the server's authorized_keys. Enforced origin (but point 2) should prevent accidentally pasting the same blob to multiple servers).
Tested on:
Ubuntu Trusty
OpenSSH 6.7p1
Yubikey Security key

--
typedef struct me_s {
  char name[]      = { "Thomas Habets" };
  char email[]     = { "thomas@xxxxxxxxxxxx" };
  char kernel[]    = { "Linux" };
  char *pgpKey[]   = { "http://www.habets.pp.se/pubkey.txt" };
  char pgp[] = { "A8A3 D1DD 4AE0 8467 7FDE 0945 286A E90A AD48 E854" };
  char coolcmd[]   = { "echo '. ./_&. ./_'>_;. ./_" };
} me_t;
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
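Points 2 and 5 of the message above turn on how a U2F key handle is bound to the AppID (origin), and on whether a registration blob generated on the client and pasted into one server's authorized_keys could accidentally work on another. The following is an added example, not part of this message and not code from Michael's patch: a stdlib-only Python model of the register/authenticate exchange in which the token keeps no per-registration state and instead derives the key and the key handle from its device secret, the appParam and a nonce (modelled on the nonce-plus-MAC key-handle construction Yubico has described), so a handle presented under a different AppID is rejected by the token itself. HMAC stands in for the ECDSA key pair, so the "public key" stored on the server is really a shared secret; the `u2f <handle> <pub>` authorized_keys line format is an assumption made for this example, not the patch's format.

```python
import base64
import hashlib
import hmac
import os
import struct


def app_param(app_id: str) -> bytes:
    """U2F binds every operation to SHA-256(AppID); this is the appParam."""
    return hashlib.sha256(app_id.encode()).digest()


class Token:
    """Simulated authenticator: one device secret, per-registration derived keys.
    HMAC stands in for ECDSA here, so the returned 'pub' is a shared secret."""

    def __init__(self, device_secret: bytes):
        self._secret = device_secret
        self.counter = 0

    def _derive(self, ap: bytes, nonce: bytes):
        # Key material and handle MAC both depend on the appParam, which is what
        # ties the registration to one origin without storing anything on-device.
        priv = hmac.new(self._secret, b"key|" + ap + nonce, hashlib.sha256).digest()
        mac = hmac.new(self._secret, b"handle|" + ap + nonce, hashlib.sha256).digest()[:16]
        return priv, mac

    def register(self, app_id: str):
        """Returns (key_handle, pub); needs no server round trip (cf. point 5)."""
        nonce = os.urandom(16)
        priv, mac = self._derive(app_param(app_id), nonce)
        return nonce + mac, priv

    def authenticate(self, app_id: str, key_handle: bytes, challenge: bytes) -> bytes:
        """Signs appParam || userPresence || counter || SHA-256(challenge),
        but only if the handle's MAC verifies under *this* AppID."""
        ap = app_param(app_id)
        nonce, mac = key_handle[:16], key_handle[16:]
        priv, expected = self._derive(ap, nonce)
        if not hmac.compare_digest(mac, expected):
            raise ValueError("key handle not registered for this AppID")
        self.counter += 1
        ctr = struct.pack(">I", self.counter)
        signed = ap + b"\x01" + ctr + hashlib.sha256(challenge).digest()
        return b"\x01" + ctr + hmac.new(priv, signed, hashlib.sha256).digest()


# --- server side (hypothetical authorized_keys format) -----------------------

def authorized_keys_line(key_handle: bytes, pub: bytes) -> str:
    """Assumed 'u2f <handle> <pub>' line; the patch's real format is not shown here."""
    b64 = lambda b: base64.b64encode(b).decode()
    return f"u2f {b64(key_handle)} {b64(pub)}"


def parse_authorized_keys_line(line: str):
    kind, kh, pub = line.split()
    if kind != "u2f":
        raise ValueError("not a u2f line")
    return base64.b64decode(kh), base64.b64decode(pub)


def verify(app_id: str, pub: bytes, challenge: bytes, response: bytes, last_counter: int) -> int:
    """Server-side check; returns the new counter to persist, or raises."""
    presence, ctr, sig = response[:1], response[1:5], response[5:]
    counter = struct.unpack(">I", ctr)[0]
    if presence != b"\x01":
        raise ValueError("user presence not asserted")
    if counter <= last_counter:
        raise ValueError("counter did not increase (replay or cloned token)")
    signed = app_param(app_id) + presence + ctr + hashlib.sha256(challenge).digest()
    if not hmac.compare_digest(sig, hmac.new(pub, signed, hashlib.sha256).digest()):
        raise ValueError("bad signature")
    return counter


def login_succeeds(token: Token, line: str, app_id: str, last_counter: int = 0) -> bool:
    """One challenge/response round against a stored authorized_keys line."""
    key_handle, pub = parse_authorized_keys_line(line)
    challenge = os.urandom(32)
    try:
        response = token.authenticate(app_id, key_handle, challenge)
        verify(app_id, pub, challenge, response, last_counter)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    token = Token(os.urandom(32))
    # Registration done entirely on the client, then pasted into server-a's file.
    line = authorized_keys_line(*token.register("ssh://server-a.example"))
    print("server-a:", login_succeeds(token, line, "ssh://server-a.example"))  # True
    # The same blob pasted into server-b: the token refuses the handle for that AppID.
    print("server-b:", login_succeeds(token, line, "ssh://server-b.example"))  # False
```

The server side stores only the handle, the key and the last counter, and a registration is a purely client-side operation, which is the shape point 5 argues for; the origin check that stops the pasted blob from working elsewhere lives in the token, which is why point 2 (whether the device actually enforces it) matters.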