Re: u2f seed

On Mon, 6 Jan 2020, Damien Miller wrote:

> On Fri, 3 Jan 2020, David Lang wrote:
>
> > On Fri, 3 Jan 2020, Christian Weisgerber wrote:
> >
> > > David Lang:
> > >
> > > > not supporting authentication from multiple machines seems to defeat the
> > > > purpose of adding u2f support.
> > >
> > > It works just like other SSH key types.  You have a private SSH key
> > > and a public one, and you can copy the private key to multiple
> > > machines or load it into ssh-agent and use agent forwarding.
> > >
> > > The only difference is that the private SSH key on its own is
> > > insufficient and requires the cooperation of the FIDO/U2F authenticator.
> >
> > part of the value of u2f is that there is not anything that you need to
> > install on every system.
>
> Well, see what I said earlier about resident keys. If you have a FIDO2 token
> and generate a resident key then you don't need to pre-arrange anything.

I'd much rather register the token with each foreign host than have to install a key on all devices that I may end up authenticating from.

> > As I said, Google has a modified sshd that they use with u2f keys that does
> > not require anything be copied or stored on the client machine.
>
> I'm fairly sure that this isn't the case. Can you point me at some
> documentation of this?

I worked there and could use my token from any computer without having to do anything other than insert the key. As a SRE, I also carried an encrypted USB drive that contained one-time-passwords just in case the u2f based tokens didn't work.

David Lang
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


