On 2018-04-27 08:20, Adam Powers wrote:
> I was thinking that it might be interesting to add FIDO [1] / WebAuthn [2]
> to sshd to enable users to login remotely using biometrics. (Note that
> WebAuthn is currently being implemented in Windows 10 and Google Android,
> so there will be a large number of clients that could support this
> natively.) Unfortunately, the challenge / response scheme used by those
> protocols doesn't fit well with PAM because PAM assumes that it is sending
> a relatively small password prompt and receiving a relatively small
> password back.
>
> But a quick read through sshd.c shows that maybe I could have my own #ifdef
> similar to USE_PAM to integrate FIDO / WebAuthn. My questions are:

There have already been proposed patches for U2F as a new standalone SSH
authentication method:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-December/033262.html

Since clients will need to be updated *anyway* to support WebAuthn, I think
a new auth method is more suitable than trying to hack it via password auth.

-- 
Mantas Mikulėnas <grawity@xxxxxxxxx>
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev