On Thu, 2021-08-19 at 11:25 +0200, Jan Schermer wrote:
> Hello,
> I would like to deploy FIDO for SSH. I wanted to leverage Windows
> Hello on Windows clients as FIDO backend (so that I don’t have to buy
> hw tokens for everyone and for convenience), but evidently my TPM
> flavor doesn’t support ECDSA, only RSA.

This likely means you have TPM 1.2.

> Would it be possible to extend OpenSSH support to include “rsa-sk”
> keys?
>
> Not sure what the process is, but could development of it be
> sponsored?

The FIDO standard requires ECDSA keys (mainly, I suspect, because some
of the space constraints in the protocol are too small for RSA), so I
don't believe, even if you hacked the standard to support RSA keys,
that it would work in practice.

I'd strongly suggest you find a TPM 2.0 system, or simply use a FIDO
token via a non-TPM emulator to get ECDSA keys.

James
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
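The thread turns on which key types OpenSSH's FIDO support actually encodes: only `sk-ecdsa-sha2-nistp256@openssh.com` and `sk-ssh-ed25519@openssh.com` exist, and each security-key blob carries the curve (for ECDSA) and the "application" string the credential is bound to. The following added example, which is not code from the thread or from the OpenSSH project, parses authorized_keys-style lines at the SSH wire-encoding level so an administrator rolling out FIDO for SSH can audit which entries are FIDO-backed and which are plain keys. The helper names (`parse_pubkey_line`, `audit`, `_sample_key`) are this example's own, and the sample keys are constructed inline with placeholder public-key bytes, not real credentials.

```python
"""Audit OpenSSH authorized_keys entries for FIDO-backed (sk-*) keys.

Added example for the openssh-unix-dev thread above, not project code.
Public-key blobs are sequences of SSH 'string' fields (uint32 length +
bytes); the sk-* types end with the FIDO application string.
Sample keys below are constructed; the point / ed25519 / RSA bytes are
placeholders, not real key material.
"""
import base64
import struct

# The two security-key types OpenSSH implements.  There is no "rsa-sk":
# FIDO2/CTAP credentials are ECDSA P-256 (ES256) or EdDSA, hence no RSA type.
SK_TYPES = {
    "sk-ecdsa-sha2-nistp256@openssh.com",
    "sk-ssh-ed25519@openssh.com",
}


def _read_string(buf: bytes, off: int):
    """Read one SSH 'string' at offset off; return (bytes, new_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH 'string' (used only to build sample keys)."""
    return struct.pack(">I", len(b)) + b


def parse_pubkey_line(line: str) -> dict:
    """Parse one '<type> <base64-blob> [comment]' line into key facts."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    ktype, blob = parts[0], base64.b64decode(parts[1])
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != ktype:
        raise ValueError(f"type {ktype!r} does not match blob {wire_type!r}")
    info = {"type": ktype, "fido": ktype in SK_TYPES, "comment": " ".join(parts[2:])}
    if ktype == "sk-ecdsa-sha2-nistp256@openssh.com":
        curve, off = _read_string(blob, off)   # "nistp256"
        _point, off = _read_string(blob, off)  # uncompressed EC point
        app, off = _read_string(blob, off)     # FIDO application, default "ssh:"
        info["curve"] = curve.decode()
        info["application"] = app.decode()
    elif ktype == "sk-ssh-ed25519@openssh.com":
        _pk, off = _read_string(blob, off)     # 32-byte ed25519 public key
        app, off = _read_string(blob, off)
        info["application"] = app.decode()
    if info["fido"] and off != len(blob):
        raise ValueError("trailing bytes after security-key blob")
    return info


def _sample_key(ktype: str, *fields: bytes) -> str:
    """Build a constructed authorized_keys line from wire fields (example only)."""
    blob = _ssh_string(ktype.encode()) + b"".join(_ssh_string(f) for f in fields)
    return f"{ktype} {base64.b64encode(blob).decode()} constructed@example"


# Constructed sample file: two FIDO keys and one plain RSA key.
SAMPLE_AUTHORIZED_KEYS = [
    _sample_key("sk-ecdsa-sha2-nistp256@openssh.com", b"nistp256",
                b"\x04" + b"\x11" * 64, b"ssh:"),                  # placeholder point
    _sample_key("sk-ssh-ed25519@openssh.com", b"\x22" * 32, b"ssh:corp-vpn"),
    _sample_key("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\x33" * 256),  # placeholder e, n
]


def audit(lines):
    """Split entries into (fido_entries, plain_entries) for review."""
    fido, plain = [], []
    for line in lines:
        info = parse_pubkey_line(line)
        (fido if info["fido"] else plain).append(info)
    return fido, plain


if __name__ == "__main__":
    fido_keys, plain_keys = audit(SAMPLE_AUTHORIZED_KEYS)
    for k in fido_keys:
        print("FIDO ", k["type"], "app=" + k["application"], k["comment"])
    for k in plain_keys:
        print("plain", k["type"], k["comment"])
```

Run against a real `~/.ssh/authorized_keys`, `audit` lists every entry that is not hardware-backed, which is the set a FIDO rollout has to migrate; the application string tells you whether a key was enrolled under the default `ssh:` relying party or a custom one.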