On Thu, 2 Jan 2020, James Bottomley wrote:

> To get this to work with ssh, you need something that corresponds to
> the data that is stored on registration. My understanding of the way
> ssh works is that we don't really have that ... the server expects you
> to sign a challenge which it then compares with your remote public
> key. There's nothing the remote server initially passes back to the
> local that would allow the U2F token to use as a key handle ... at
> least not without significantly altering the current protocol.

Right - you wouldn't be doing pubkey authentication any more, you'd be
doing some new authentication method. I chose not to go this way when
implementing FIDO support in OpenSSH because SSH users are familiar with
public key authentication and there is a large amount of infrastructure
that already uses them.

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
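As an added illustration of the point James makes about the publickey method (example code written for this page, not OpenSSH's own implementation), the Go program below models the RFC 4252 section 7 exchange for ssh-ed25519: the client signs the session identifier plus the userauth request fields, and the server verifies the signature against the public key it already holds, as sshd would from authorized_keys. The session identifier, the user name "alice" and the fixed key seed are constructed values for the example. The interesting property is visible in userauthSignedData: the only session-specific input is the session identifier produced by key exchange, and the server hands out no opaque, per-key value that a U2F token could treat as a key handle. A key-handle-based flow would therefore be a new authentication method rather than pubkey authentication.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

const msgUserauthRequest = 50 // SSH_MSG_USERAUTH_REQUEST (RFC 4252 section 5)

// sshString encodes b as an SSH "string": uint32 big-endian length, then the bytes (RFC 4251 section 5).
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// parseSSHString pops one SSH string off the front of b.
func parseSSHString(b []byte) (val, rest []byte, ok bool) {
	if len(b) < 4 {
		return nil, nil, false
	}
	n := binary.BigEndian.Uint32(b)
	if uint64(len(b)-4) < uint64(n) {
		return nil, nil, false
	}
	return b[4 : 4+n], b[4+n:], true
}

// ed25519PubKeyBlob is the wire form of an ssh-ed25519 public key (RFC 8709 section 4).
func ed25519PubKeyBlob(pk ed25519.PublicKey) []byte {
	return append(sshString([]byte("ssh-ed25519")), sshString(pk)...)
}

// userauthSignedData builds exactly the bytes a client signs for the "publickey"
// method (RFC 4252 section 7). The only session-specific input is the session
// identifier, i.e. the exchange hash from key exchange; nothing here is an
// opaque per-key value handed out by the server.
func userauthSignedData(sessionID []byte, user, service string, pubKeyBlob []byte) []byte {
	var buf bytes.Buffer
	buf.Write(sshString(sessionID))
	buf.WriteByte(msgUserauthRequest)
	buf.Write(sshString([]byte(user)))
	buf.Write(sshString([]byte(service)))
	buf.Write(sshString([]byte("publickey")))
	buf.WriteByte(1) // boolean TRUE: the request carries a signature
	buf.Write(sshString([]byte("ssh-ed25519")))
	buf.Write(sshString(pubKeyBlob))
	return buf.Bytes()
}

// ClientSign is the client side: sign the userauth data and wrap the signature
// in the ssh-ed25519 signature encoding (RFC 8709 section 6).
func ClientSign(priv ed25519.PrivateKey, sessionID []byte, user, service string) []byte {
	pub := priv.Public().(ed25519.PublicKey)
	data := userauthSignedData(sessionID, user, service, ed25519PubKeyBlob(pub))
	sig := ed25519.Sign(priv, data)
	return append(sshString([]byte("ssh-ed25519")), sshString(sig)...)
}

// ServerVerify is the server side: it already holds the registered public key
// (as sshd would from authorized_keys), rebuilds the signed data from its own
// view of the session, and checks the signature against that key.
func ServerVerify(authorizedPub ed25519.PublicKey, sessionID []byte, user, service string, sigBlob []byte) bool {
	alg, rest, ok := parseSSHString(sigBlob)
	if !ok || string(alg) != "ssh-ed25519" {
		return false
	}
	sig, rest, ok := parseSSHString(rest)
	if !ok || len(rest) != 0 || len(sig) != ed25519.SignatureSize {
		return false
	}
	data := userauthSignedData(sessionID, user, service, ed25519PubKeyBlob(authorizedPub))
	return ed25519.Verify(authorizedPub, data, sig)
}

// RunExchange performs one constructed exchange and reports whether the genuine
// request verifies, and whether the same signature is (wrongly) accepted for a
// different session identifier or a different user name.
func RunExchange() (genuineOK, otherSessionOK, otherUserOK bool) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize) // constructed, fixed for determinism
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)
	sessionID := bytes.Repeat([]byte{0x01}, 32) // constructed stand-in for the KEX exchange hash
	sigBlob := ClientSign(priv, sessionID, "alice", "ssh-connection")
	genuineOK = ServerVerify(pub, sessionID, "alice", "ssh-connection", sigBlob)
	otherSession := bytes.Repeat([]byte{0x02}, 32)
	otherSessionOK = ServerVerify(pub, otherSession, "alice", "ssh-connection", sigBlob)
	otherUserOK = ServerVerify(pub, sessionID, "bob", "ssh-connection", sigBlob)
	return
}

func main() {
	g, s, u := RunExchange()
	fmt.Printf("genuine request verifies: %v\n", g)
	fmt.Printf("same signature on another session accepted: %v\n", s)
	fmt.Printf("same signature for another user accepted: %v\n", u)
}
```

Because the session identifier is bound into the signed data, a signature captured on one connection does not verify on another, and the server needs nothing from the client beyond the public key it already registered; that is the property the existing authorized_keys infrastructure relies on.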