Re: u2f seed

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Fri, 3 Jan 2020, Christian Weisgerber wrote:

David Lang:

not supporting authentication from multiple machines seems to defeat the
purpose of adding u2f support.

It works just like other SSH key types.  You have a private SSH key
and a public one, and you can copy the private key to multiple
machines or load it into ssh-agent and use agent forwarding.

The only difference is that the private SSH key on its own is
insufficient and requires the cooperation of the FIDO/U2F authenticator.

part of the value of u2f is that there is not anything that you need to install on every system.

turning u2f into just a way to unlock ssh keys may be an easy way to use a u2f key, but it's missing out on the value of u2f.

As I said, Google has a modified sshd that they use with u2f keys that does not require anything be copied or stored on the client machine.

Yes, it modifies the protocol to pass a server/application name, but why is it bad to add a new authentication mechanism? There is provision for the ssh protocol to issue a prompt for a password, that could be (ab)used to pass the name needed for u2f to work properly.

David Lang
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux