Re: Adding FIDO / WebAuthn to sshd

On 2018-04-27 08:20, Adam Powers wrote:
> I was thinking that it might be interesting to add FIDO [1] / WebAuthn [2]
> to sshd to enable users to log in remotely using biometrics. (Note that
> WebAuthn is currently being implemented in Windows 10 and Google Android,
> so there will be a large number of clients that could support this
> natively.) Unfortunately, the challenge / response scheme used by those
> protocols doesn't fit well with PAM because PAM assumes that it is sending
> a relatively small password prompt and receiving a relatively small
> password back.
> 
> But a quick read through sshd.c shows that maybe I could have my own #ifdef
> similar to USE_PAM to integrate FIDO / WebAuthn. My questions are:


There have already been proposed patches for U2F as a new standalone SSH
authentication method:

https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-December/033262.html

Since clients will need to be updated *anyway* to support WebAuthn, I
think a new auth method is more suitable than trying to hack it via
password auth.

-- 
Mantas Mikulėnas <grawity@xxxxxxxxx>

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



