At this point it should be obvious, but let me state that I don’t have motivation/time to spend on this right now, given that upstream shows 0 interest in this at all :(. Hence, any help on this is welcome.

On Sat, Dec 27, 2014 at 1:53 AM, Thomas Habets <thomas@xxxxxxxxx> wrote:
> On 24 December 2014 at 18:57, Michael Stapelberg
> <stapelberg+openssh@xxxxxxxxxx> wrote:
> > In case you’re interested, please feel free to try the patch. I’m happy for
> > any feedback. All you need is libu2f-host installed and a clean copy of
> > OpenSSH 6.7p1. Apply the attached patch, delete configure, use autoreconf
> > -i to regenerate it, then run ./configure --with-u2f and compile OpenSSH.
>
> Transferring my notes from the other thread:
>
> 1) PAM doesn't work (--with-pam, then UsePAM yes and
> ChallengeResponseAuthentication yes)
> Fix: detect loops in ssh2connect:userauth_u2f in some other way, such
> as a dedicated variable in authctxt. (but also see point 5)
>
> 2) origin doesn't seem to be respected by YubiKeys (if I understand
> the spec correctly)
> Is AppID a better choice for this reason?
>
> 3) Include paths (probably bug in libu2f-host)
> This is https://github.com/Yubico/libu2f-host/issues/13 that you filed.
>
> 4) What happened to 51?
> MONITOR_REQ_TERM = 50,
> + MONITOR_REQ_READUSERU2FKEY = 52, MONITOR_ANS_READUSERU2FKEY = 53,
>
> 5) Why does registration connect to the server anyway, if the server
> doesn't keep state and origin is not tied to the server pubkey?
> Indeed, without AuthenticationMethods registration returns the blob before
> password prompt is shown.
> Registration only makes sense if server writes the key handle to
> ~/.ssh/authorized_keys, right?
> Hmm, unless authorized_keys is signed by the server, the registration
> process will never be "online" anyway, as U2F intends, so it may as
> well be generated on the client and copy-pasted into the server's
> authorized_keys.
> Enforced origin (but point 2) should prevent
> accidentally pasting the same blob to multiple servers).
>
> Tested on:
> Ubuntu Trusty
> OpenSSH 6.7p1
> Yubikey Security key
>
>
> --
> typedef struct me_s {
> char name[] = { "Thomas Habets" };
> char email[] = { "thomas@xxxxxxxxxxxx" };
> char kernel[] = { "Linux" };
> char *pgpKey[] = { "http://www.habets.pp.se/pubkey.txt" };
> char pgp[] = { "A8A3 D1DD 4AE0 8467 7FDE 0945 286A E90A AD48 E854" };
> char coolcmd[] = { "echo '. ./_&. ./_'>_;. ./_" };
> } me_t;
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
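Points 2 and 5 in the quoted notes turn on one detail of the U2F protocol: the token never sees the origin string. The origin is part of the client data, whose SHA-256 becomes the challenge parameter, while the key handle is bound to the application parameter, the SHA-256 of the AppID. So the only thing that stops a key handle pasted into a second server's authorized_keys from working there is the application parameter the token checks. The model below is an added example written for this page; it is not the OpenSSH patch, libu2f-host or any YubiKey code. It replaces the token's ECDSA P-256 signature and vendor key wrapping with HMAC-SHA256 (so the "verify key" handed to the server is a shared secret, not a public key) and uses constructed AppIDs, master secret and client data; the key-handle check and the signed-data layout are the U2F ones.

```python
import hashlib
import hmac
import os
import struct

# Constructed example: a simplified model of how a U2F token binds a key
# handle to the application parameter. Not the OpenSSH patch, libu2f-host
# or YubiKey code; HMAC-SHA256 stands in for ECDSA and for key wrapping.


def app_param(app_id: str) -> bytes:
    """U2F application parameter: SHA-256 of the AppID string."""
    return hashlib.sha256(app_id.encode("utf-8")).digest()


class SimulatedU2FDevice:
    """Stand-in for a token. The 'verify key' returned by register() is a
    shared secret here, where a real token would return a public key."""

    def __init__(self, master_secret: bytes) -> None:
        self.master = master_secret
        self.counter = 0  # monotonic usage counter, as in U2F

    def _key_for(self, app: bytes, nonce: bytes) -> bytes:
        return hmac.new(self.master, b"key" + app + nonce, hashlib.sha256).digest()

    def _handle_tag(self, app: bytes, nonce: bytes) -> bytes:
        return hmac.new(self.master, b"handle" + app + nonce, hashlib.sha256).digest()

    def register(self, app: bytes) -> tuple:
        nonce = os.urandom(32)
        # key handle = nonce || MAC(master, app || nonce): only this device can
        # recognise it, and only under the app parameter it was registered for
        handle = nonce + self._handle_tag(app, nonce)
        return handle, self._key_for(app, nonce)

    def authenticate(self, app: bytes, handle: bytes, challenge: bytes) -> tuple:
        nonce, tag = handle[:32], handle[32:]
        if not hmac.compare_digest(tag, self._handle_tag(app, nonce)):
            raise ValueError("key handle was not registered for this application")
        self.counter += 1
        # U2F authentication response signs: app param || user-presence byte
        # || 4-byte big-endian counter || challenge param
        signed = app + b"\x01" + struct.pack(">I", self.counter) + challenge
        sig = hmac.new(self._key_for(app, nonce), signed, hashlib.sha256).digest()
        return self.counter, sig


def server_verify(app: bytes, verify_key: bytes, challenge: bytes,
                  counter: int, sig: bytes, last_counter: int) -> bool:
    """Relying-party check over the same signed layout, plus the counter
    must advance so a captured response cannot be replayed."""
    signed = app + b"\x01" + struct.pack(">I", counter) + challenge
    expected = hmac.new(verify_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected) and counter > last_counter


def demo() -> tuple:
    device = SimulatedU2FDevice(b"\x11" * 32)  # constructed master secret
    app_a = app_param("ssh://server-a.example")  # constructed AppIDs
    app_b = app_param("ssh://server-b.example")
    handle, vk = device.register(app_a)
    # challenge parameter = SHA-256 of the client data (constructed here)
    challenge = hashlib.sha256(b"constructed client data").digest()

    counter, sig = device.authenticate(app_a, handle, challenge)
    good = server_verify(app_a, vk, challenge, counter, sig, 0)
    # same response presented again: counter did not advance, so rejected
    replay = server_verify(app_a, vk, challenge, counter, sig, counter)

    try:  # the same blob pasted into server B's authorized_keys
        device.authenticate(app_b, handle, challenge)
        cross = True
    except ValueError:
        cross = False
    return good, replay, cross


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The third result is the property the quoted note calls "enforced origin": the token refuses the handle under a different application parameter before it signs anything, so a relying party that derives its AppID from its own identity gets that check for free, whereas an AppID shared by several servers would let one registration blob authenticate to all of them.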