Re: [PATCH] U2F support in OpenSSH

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



At this point it should be obvious, but let me state that I don’t have
motivation/time to spend on this right now, given that upstream shows 0
interest in this at all :(.

Hence, any help on this is welcome.

On Sat, Dec 27, 2014 at 1:53 AM, Thomas Habets <thomas@xxxxxxxxx> wrote:

> On 24 December 2014 at 18:57, Michael Stapelberg
> <stapelberg+openssh@xxxxxxxxxx> wrote:
> > In case you’re interested, please feel free to try the patch. I’m happy
> for
> > any feedback. All you need is libu2f-host installed and a clean copy of
> > OpenSSH 6.7p1. Apply the attached patch, delete configure, use autoreconf
> > -i to regenerate it, then run ./configure --with-u2f and compile OpenSSH.
>
> Transferring my notes from the other thread:
>
> 1) PAM doesn't work (--with-pam, then UsePAM yes and
> ChallengeResponseAuthentication yes)
> Fix: detect loops in ssh2connect:userauth_u2f in some other way, such
> as a dedicated variable in authctxt. (but also see point 5)
>
> 2) origin doesn't seem to be respected by YubiKeys (if I understand
> the spec correctly)
> Is AppID a better choice for this reason?
>
> 3) Include paths (probably bug in libu2f-host)
> This is https://github.com/Yubico/libu2f-host/issues/13 that you filed.
>
> 4) What happened to 51?
>         MONITOR_REQ_TERM = 50,
> +       MONITOR_REQ_READUSERU2FKEY = 52, MONITOR_ANS_READUSERU2FKEY = 53,
>
> 5) Why does registration connect to the server anyway, if the server
> doesn't keep state and origin is not tied to the server pubkey?
> Indeed, without AuthenticationMethods registration returns the blob before
> password prompt is shown.
> Registration only makes sense if server writes the key handle to
> ~/.ssh/authorized_keys, right?
> Hmm, unless authorized_keys is signed by the server, the registration
> process will never be "online" asyway, as U2F intends, so it may as
> well be generated on the client and copy-pasted into the server's
> authorized_keys. Enforced origin (but point 2) should prevent
> accidentally pasting the same blob to multiple servers).
>
> Tested on:
> Ubunty Trusty
> OpenSSH 6.7p1
> Yubikey Security key
>
>
> --
> typedef struct me_s {
>  char name[]      = { "Thomas Habets" };
>  char email[]     = { "thomas@xxxxxxxxxxxx" };
>  char kernel[]    = { "Linux" };
>  char *pgpKey[]   = { "http://www.habets.pp.se/pubkey.txt"; };
>  char pgp[] = { "A8A3 D1DD 4AE0 8467 7FDE  0945 286A E90A AD48 E854" };
>  char coolcmd[]   = { "echo '. ./_&. ./_'>_;. ./_" };
> } me_t;
>
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev





[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux