Re: webauthn signatures: SecurityKeyProvider, json parsing

Sounds kind of like oidc but with webauthn switched out for some of the plumbing. Would straight up oidc work cleaner for your use case? You can still use all sorts of authentication methods like fingerprints with it.

________________________________________
From: openssh-unix-dev <openssh-unix-dev-bounces+kevin.fox=pnnl.gov@xxxxxxxxxxx> on behalf of Peter Stuge <peter@xxxxxxxx>
Sent: Tuesday, January 11, 2022 10:31 AM
To: openssh-unix-dev@xxxxxxxxxxx
Subject: Re: webauthn signatures: SecurityKeyProvider, json parsing

Scott C Wang wrote:
> I implement a SecurityKeyProvider that prints a https URL upon sk_sign.
> I open this URL in Google Chrome. The script on the page calls the
> webauthn authentication API; Google Chrome prompts me to choose an
> authentication method, and I pick my phone. Authenticating my
> fingerprint on my phone yields a webauthn signature to the script,
> which POSTs the signature, origin, clientData, and extensions back
> to the same URL. The SecurityKeyProvider polls the URL (or some
> endpoint) until the signature arrives, which it returns, along with
> the origin, clientData, and extensions, to the OpenSSH client.
> The OpenSSH client now has what it needs to pack a
> "webauthn-sk-ecdsa-sha2-nistp256@xxxxxxxxxxx" signature message,
> all of which the OpenSSH server currently already supports validating.
..
> have I gone mad?

FWIW I think the data spray and the complexity are mad, each on their own.

I guess that it'll be popular, I hope not in mainline OpenSSH. ;)


//Peter
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
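
The checks a relay of the kind described in the quoted message could apply to the POSTed clientData and authenticator data before returning them to the SSH client, following the standard WebAuthn assertion layout. This is an added example, not code from the thread or from OpenSSH; the function names, `example.test` and all sample values are constructed, and the ECDSA signature check itself is left to the verifier.

```python
import base64, hashlib, json, struct

FLAG_UP, FLAG_AT = 0x01, 0x40  # user present, attested credential data

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def signed_bytes(challenge, origin, rp_id, client_data_json, authenticator_data):
    """Validate a POSTed assertion and return the bytes its signature covers."""
    client = json.loads(client_data_json)  # malformed JSON raises ValueError
    if not isinstance(client, dict) or client.get("type") != "webauthn.get":
        raise ValueError("not an authentication assertion")
    # Must be the challenge issued for this sk_sign call, so an assertion
    # produced for some other request cannot be replayed into this one.
    if client.get("challenge") != b64url(challenge):
        raise ValueError("challenge mismatch")
    if client.get("origin") != origin:
        raise ValueError("unexpected origin")
    if len(authenticator_data) < 37:
        raise ValueError("authenticator data too short")
    # Layout: SHA-256(rpId) (32) || flags (1) || signature counter (4, big-endian)
    rp_hash, flags, _counter = struct.unpack(">32sBI", authenticator_data[:37])
    if rp_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("assertion is for a different relying party")
    if not flags & FLAG_UP:
        raise ValueError("user presence flag not set")
    if flags & FLAG_AT:
        raise ValueError("attested credential data in an assertion")
    return authenticator_data + hashlib.sha256(client_data_json).digest()

# Constructed sample values (not taken from the thread).
CHALLENGE = hashlib.sha256(b"constructed ssh message to sign").digest()
ORIGIN, RP_ID = "https://example.test", "example.test"
CLIENT_DATA = json.dumps({"type": "webauthn.get", "challenge": b64url(CHALLENGE),
                          "origin": ORIGIN, "crossOrigin": False}).encode()
AUTH_DATA = hashlib.sha256(RP_ID.encode()).digest() + bytes([FLAG_UP]) + struct.pack(">I", 7)

def rejected(**override):
    """Return the rejection reason when one field is swapped, else None."""
    args = dict(challenge=CHALLENGE, origin=ORIGIN, rp_id=RP_ID,
                client_data_json=CLIENT_DATA, authenticator_data=AUTH_DATA)
    args.update(override)
    try:
        signed_bytes(**args)
    except ValueError as err:
        return str(err)
    return None

if __name__ == "__main__":
    print(len(signed_bytes(CHALLENGE, ORIGIN, RP_ID, CLIENT_DATA, AUTH_DATA)))
    print(rejected(origin="https://other.test"))
```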


