> That's true of FIDO web authentication. What we implemented in SSH
> (ab-)uses the FIDO spec to fit SSH's existing publickey user
> authentication, because users and lots of tooling are built around that.
>
> This unfortunately precluded the use of server-side keys, as there is no
> mechanism for the server to communicate key handles to the client.
>
> I do have vague plans to do a more web-like FIDO authentication method
> for OpenSSH in the future, but haven't got around to it yet.
>

FWIW, after taking on board the discussion from this previously, I did go off and implement a proof-of-concept for this via ssh-extensions. If the client and server understood the extension, you get to use server-side keys; otherwise it fell back to the current implementation. Seemed to work fine.

I'd planned to spend some of early June turning it from a proof-of-concept into something more review-suitable to bring back here for people to have a go with.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev