I was thinking that it might be interesting to add FIDO [1] / WebAuthn [2] to sshd to enable users to log in remotely using biometrics. (Note that WebAuthn is currently being implemented in Windows 10 and Google Android, so there will be a large number of clients that could support this natively.)

Unfortunately, the challenge / response scheme used by those protocols doesn't fit well with PAM because PAM assumes that it is sending a relatively small password prompt and receiving a relatively small password back. But a quick read through sshd.c shows that maybe I could have my own #ifdef similar to USE_PAM to integrate FIDO / WebAuthn.

My questions are:

1. Is that the right approach?
2. What are the guidelines around making a contribution like this and / or would you guys be interested in this contribution?
3. Anyone want to help? :)

Thanks,
Adam

[1] https://fidoalliance.org/download/
[2] https://www.w3.org/TR/webauthn/

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev