From my understanding, somehow a website talking through the web browser is able to get the same keypair used no matter which computer the keyfob is plugged into. I'm wondering if we can use the same mechanism there.

If application is part of the process, maybe allowing the application to be specified by the user rather than being randomly generated by openssh would be enough?

Thanks,
Kevin

________________________________________
From: Damien Miller <djm@xxxxxxxxxxx>
Sent: Thursday, January 2, 2020 2:36 PM
To: Fox, Kevin M
Cc: openssh-unix-dev@xxxxxxxxxxx
Subject: Re: u2f seed

On Thu, 2 Jan 2020, Fox, Kevin M wrote:

> In the u2f protocol, my understanding is in the normal case, the web
> browser seeds the keypair process with the hostname of the remote
> server. In the case of ssh, the hostname is probably not what I would
> want to do. But the u2f protocol seems to have a way to handle this.
> It just needs to be exposed to the user. The content of the private
> keyfile in ssh is generated somehow. Where is that done?

The key generation is done solely by the token. There are several strings (challenge, application) that OpenSSH sends to the token that are inputs to the process, but I'd expect most tokens would have onboard CSPRNGs that they use to actually generate the keys.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
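The "same key on any computer" behaviour Kevin asks about comes from the key handle the token returns at registration, combined with the application parameter the host sends; the token does not need to store anything per site. The following is an added, simulated token model written for this thread, not OpenSSH's or any vendor's code: it assumes a single device secret plus a CSPRNG nonce, uses HMAC-derived secret bytes as a stand-in for the real ECDSA P-256 keypair, and uses constructed application strings.

```python
import hashlib
import hmac
import os

# Illustrative token model (constructed for this example). The token holds one
# device secret and no per-site state. At registration it draws a random nonce
# from its CSPRNG and derives the per-site key from (device secret, application
# parameter, nonce). The key handle it hands back is nonce || MAC, so the same
# key is re-derived on any computer, provided the same handle and the same
# application come back. The MAC binds the handle to this token and application.

NONCE_LEN = 16


def app_param(application: str) -> bytes:
    """U2F application parameter: SHA-256 of the application string."""
    return hashlib.sha256(application.encode()).digest()


class SimulatedToken:
    def __init__(self, device_secret: bytes):
        self._secret = device_secret

    def _derive_key(self, app: bytes, nonce: bytes) -> bytes:
        # Stand-in for deriving an ECDSA P-256 private scalar; a real token
        # would only ever release the matching public key and signatures.
        return hmac.new(self._secret, b"key" + app + nonce, hashlib.sha256).digest()

    def _mac(self, app: bytes, nonce: bytes) -> bytes:
        return hmac.new(self._secret, b"mac" + app + nonce, hashlib.sha256).digest()

    def register(self, app: bytes):
        """Return (key_handle, key). Registering twice yields two distinct keys."""
        nonce = os.urandom(NONCE_LEN)  # CSPRNG, as in Damien's description
        return nonce + self._mac(app, nonce), self._derive_key(app, nonce)

    def authenticate(self, app: bytes, key_handle: bytes):
        """Re-derive the key for this handle, or None if the handle is not ours
        or was minted for a different application."""
        nonce, tag = key_handle[:NONCE_LEN], key_handle[NONCE_LEN:]
        if not hmac.compare_digest(tag, self._mac(app, nonce)):
            return None
        return self._derive_key(app, nonce)


if __name__ == "__main__":
    token = SimulatedToken(b"\x01" * 32)  # constructed device secret
    app = app_param("ssh:example")          # constructed application string
    handle, key = token.register(app)
    print(token.authenticate(app, handle) == key)                       # True
    print(token.authenticate(app_param("https://example.com"), handle))  # None
```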