Re: Question about webauthn signatures?

On Wed, 5 May 2021, Tyson Whitehead wrote:

> I see the PROTOCOL.u2f file defines a webauthn signature type
> 
> string		"webauthn-sk-ecdsa-sha2-nistp256@xxxxxxxxxxx"
> string		ecdsa_signature
> byte		flags
> uint32		counter
> string		origin
> string		clientData
> string		extensions
> 
> and it is also listed as supported by my OpenSSH client and server
> 
> $ ssh -V
> OpenSSH_8.5p1, OpenSSL 1.1.1k  25 Mar 2021
> $ ssh -Q sigs
> ...
> webauthn-sk-ecdsa-sha2-nistp256@xxxxxxxxxxx
> $ ssh -v localhost
> ...
> debug1: kex_input_ext_info:
> server-sig-algs=<...,webauthn-sk-ecdsa-sha2-nistp256@xxxxxxxxxxx>
> 
> I am very curious what this is for and am hoping someone could elaborate in
> case it might be useful to us? If I try and limit my connection to it, it
> seems to imply there should be some corresponding key type

Without knowing your needs I can't really say whether it would be useful
to you :)

The webauthn signature type (note: not a key type) was added to support
browser-based SSH clients that can only interact with FIDO keys via the
webauthn APIs. These APIs do not allow "bare" FIDO signatures, but
implicitly include weborigin information in the signed data.

> $ ssh -v -o
> PubkeyAcceptedAlgorithms=webauthn-sk-ecdsa-sha2-nistp256@xxxxxxxxxxx localhost
> ...
> debug1: Skipping sk-ecdsa-sha2-nistp256@xxxxxxxxxxx key
> /home/tyson/.ssh/id_ecdsa_sk - corresponding algo not in
> PubkeyAcceptedAlgorithms

Yeah, I need to add it to myproposal.h so it's in the default accepted set.
Until then users need to configure it manually.

> Is there anything that currently uses it? Is it to support ssh client running
> on a server and proxying back the challenge to user via a web-browser? Part of
> certificates somehow?

The only thing that AFAIK uses it is the test JavaScript that I wrote:
regress/unittests/sshsig/webauthn.html in the source distribution. If you
stick it on a web server then you can generate FIDO keys and webauthn
signatures that you can verify using ssh-keygen -Y. It's the basis of
the webauthn signature unit tests.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
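The field layout quoted from PROTOCOL.u2f at the top of the thread is plain SSH wire encoding (RFC 4251 `string` = big-endian uint32 length plus bytes, `byte`, `uint32`). The following is an added example, not code from OpenSSH or from either poster: it packs and parses that signature blob and runs the sanity checks a verifier on the SSH side would want before touching the ECDSA part, namely that the origin is one it expects, that the FIDO user-presence flag (bit 0 of `flags`) is set, and that the embedded `clientData` JSON agrees with the `origin` field. The list archive masks the vendor suffix; the real algorithm name ends in `@openssh.com`. The sample blob, the origin `https://example.com` and the `FLAG_UP` constant name are constructed for illustration; the `ecdsa_signature` bytes are an opaque placeholder, and reconstructing the signed hash to verify the actual ECDSA signature (what `ssh-keygen -Y` does) is deliberately not shown.

```python
"""Pack, parse and sanity-check a webauthn-sk-ecdsa-sha2-nistp256@openssh.com
signature blob. Added example; all sample values are constructed."""
import json
import struct
from dataclasses import dataclass

SIG_TYPE = b"webauthn-sk-ecdsa-sha2-nistp256@openssh.com"
FLAG_UP = 0x01  # FIDO authenticator-data "user present" bit (assumed name)


def put_string(b: bytes) -> bytes:
    """RFC 4251 string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def get_string(buf: bytes, off: int) -> tuple[bytes, int]:
    """Read an RFC 4251 string at offset `off`; reject truncated input."""
    if off + 4 > len(buf):
        raise ValueError("truncated string length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


@dataclass
class WebauthnSig:
    ecdsa_signature: bytes  # inner SSH ECDSA signature, treated as opaque here
    flags: int
    counter: int
    origin: bytes
    client_data: bytes      # the WebAuthn clientDataJSON bytes
    extensions: bytes


def pack(sig: WebauthnSig) -> bytes:
    """Serialize in the PROTOCOL.u2f field order."""
    return (put_string(SIG_TYPE)
            + put_string(sig.ecdsa_signature)
            + bytes([sig.flags])
            + struct.pack(">I", sig.counter)
            + put_string(sig.origin)
            + put_string(sig.client_data)
            + put_string(sig.extensions))


def parse(blob: bytes) -> WebauthnSig:
    """Strictly parse a blob: wrong type, truncation or trailing bytes fail."""
    off = 0
    sig_type, off = get_string(blob, off)
    if sig_type != SIG_TYPE:
        raise ValueError(f"unexpected signature type {sig_type!r}")
    ecdsa_sig, off = get_string(blob, off)
    if off + 5 > len(blob):
        raise ValueError("truncated flags/counter")
    flags = blob[off]
    (counter,) = struct.unpack_from(">I", blob, off + 1)
    off += 5
    origin, off = get_string(blob, off)
    client_data, off = get_string(blob, off)
    extensions, off = get_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after signature")
    return WebauthnSig(ecdsa_sig, flags, counter, origin, client_data, extensions)


def check(sig: WebauthnSig, allowed_origins: set[str]) -> list[str]:
    """Return a list of policy problems (empty list means the blob is
    consistent). This does NOT verify the ECDSA signature itself."""
    problems = []
    origin = sig.origin.decode("utf-8", "replace")
    if not sig.flags & FLAG_UP:
        problems.append("user-presence flag not set")
    if origin not in allowed_origins:
        problems.append(f"origin {origin!r} not in allow-list")
    try:
        cd = json.loads(sig.client_data)
    except ValueError:
        problems.append("clientData is not valid JSON")
        return problems
    if cd.get("type") != "webauthn.get":
        problems.append("clientData.type is not webauthn.get")
    if cd.get("origin") != origin:
        problems.append("clientData.origin disagrees with origin field")
    return problems


# Constructed sample: a blob as a browser-side client might hand to sshd.
SAMPLE_CLIENT_DATA = json.dumps({
    "type": "webauthn.get",
    "challenge": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",  # placeholder
    "origin": "https://example.com",
}).encode()
SAMPLE_SIG = WebauthnSig(b"\x00" * 8, FLAG_UP, 7, b"https://example.com",
                         SAMPLE_CLIENT_DATA, b"")
SAMPLE_BLOB = pack(SAMPLE_SIG)

if __name__ == "__main__":
    parsed = parse(SAMPLE_BLOB)
    print(parsed.origin, parsed.counter, check(parsed, {"https://example.com"}))
```

The strict parser mirrors what a verifier should do with any attacker-supplied wire blob: bound every length against the buffer, refuse trailing data, and only then apply policy. The origin allow-list is the security point of this signature type: the origin is part of what the FIDO key signed, so a verifier that does not pin it gains nothing from its presence.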
