On Tue, 11 Jan 2022, Scott C Wang wrote:

> Damien, thanks for clarifying.
>
> (1 SecurityKeyProvider)
>
> I don't have a FIDO security key, but I do have an Android phone, and
> the Android phone can act as a webauthn key via Google Chrome. So
> these were the shower thoughts I had for getting this to work.
>
> I implement a SecurityKeyProvider that prints an https URL upon
> sk_sign. I open this URL in Google Chrome. The script on the page
> calls the webauthn authentication API; Google Chrome prompts
> me to choose an authentication method, and I pick my phone.
> Authenticating my fingerprint on my phone yields a webauthn signature
> to the script, which POSTs the signature, origin, clientData, and
> extensions back to the same URL. The SecurityKeyProvider polls
> the URL (or some endpoint) until the signature arrives, which it
> returns, along with the origin, clientData, and extensions, to the
> OpenSSH client. The OpenSSH client now has what it needs to pack a
> "webauthn-sk-ecdsa-sha2-nistp256@xxxxxxxxxxx" signature message, all
> of which the OpenSSH server currently already supports validating.
>
> More generally, this one SecurityKeyProvider implementation would be
> able to bridge the OpenSSH client's security key authentication to any
> platform running a web browser exposing the webauthn API.
>
> I've only given preliminary thought to this as yet -- have I gone mad?

No, I've wondered about the same thing too :)

As far as communicating with the webauthn signer via the ssh-sk API,
nothing in OpenSSH uses the extensions field and the existing
application field could be used to pass origin. AFAIK clientData is
prepared from origin, extensions and H(message), so there's no need to
pass that explicitly.

That just leaves signalling that the signer wants an origin rather than
a bare application, and signalling back from the signer that the
signature should be packed as a webauthn one. Am I missing anything?

(I apologise for forgetting most of the details since I implemented
webauthn in OpenSSH)

> (2 json key order) Perfect! Very prudent.
>
> (3 mindrot.org) Excellent, thank you for the link. (I was trying
> /webauthn.html, but hadn't thought to try /webauthn.) Perhaps
> the hardcoded "mindrot.org" relying party can be changed to
> window.location.host, so that the standalone page can be hosted
> without modification on anyone's domain.

good idea - done.

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
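The thread above talks about a provider handing the OpenSSH client everything it needs to "pack" a webauthn-sk signature, and about clientData key order mattering. The following is an added example, written for this page; it is not OpenSSH code and not Scott's provider. It packs and unpacks the "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" blob in the field order given in OpenSSH's PROTOCOL.u2f, reconstructs the bytes a WebAuthn authenticator actually signs (authenticatorData followed by SHA-256 of clientDataJSON), and applies the sanity checks a bridging provider could run before returning to ssh. Assumptions: the SSH key's application string is treated as the WebAuthn rpId when hashing, the r/s values, origin and clientData are constructed sample input rather than a real assertion, and sshd's own validation of clientData (challenge encoding and exact prefix it requires) is not reproduced here.

```python
"""Pack/unpack an OpenSSH webauthn-sk signature blob (illustrative code)."""
import hashlib
import json
import struct

# Signature type name as listed in OpenSSH's PROTOCOL.u2f.
SIG_TYPE = b"webauthn-sk-ecdsa-sha2-nistp256@openssh.com"


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint' for n >= 0: big-endian, with a leading 0x00 when the
    top bit is set so the value is not read as negative."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def read_string(buf: bytes, off: int):
    """Parse one SSH string at offset off; returns (bytes, new offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def pack_webauthn_sk_signature(r, s, flags, counter, origin, client_data,
                               extensions=b""):
    """Field order from PROTOCOL.u2f: type, ecdsa_signature (mpint r || mpint s),
    flags, counter, origin, clientData, extensions."""
    ecdsa_sig = ssh_mpint(r) + ssh_mpint(s)
    return (ssh_string(SIG_TYPE) + ssh_string(ecdsa_sig) + bytes([flags])
            + struct.pack(">I", counter) + ssh_string(origin.encode())
            + ssh_string(client_data) + ssh_string(extensions))


def unpack_webauthn_sk_signature(blob: bytes) -> dict:
    """Inverse of pack_*; rejects a wrong type name and any trailing bytes."""
    sigtype, off = read_string(blob, 0)
    if sigtype != SIG_TYPE:
        raise ValueError("not a webauthn-sk signature: %r" % sigtype)
    ecdsa_sig, off = read_string(blob, off)
    r_bytes, inner = read_string(ecdsa_sig, 0)
    s_bytes, inner = read_string(ecdsa_sig, inner)
    if inner != len(ecdsa_sig):
        raise ValueError("trailing bytes inside ecdsa_signature")
    if off + 5 > len(blob):
        raise ValueError("truncated flags/counter")
    flags, (counter,) = blob[off], struct.unpack_from(">I", blob, off + 1)
    off += 5
    origin, off = read_string(blob, off)
    client_data, off = read_string(blob, off)
    extensions, off = read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after extensions")
    return {"r": int.from_bytes(r_bytes, "big"), "s": int.from_bytes(s_bytes, "big"),
            "flags": flags, "counter": counter, "origin": origin.decode(),
            "client_data": client_data, "extensions": extensions}


def webauthn_signed_data(rp_id, flags, counter, extensions, client_data):
    """Bytes a WebAuthn authenticator signs for an assertion: authenticatorData
    (SHA-256(rpId) || flags || signCount || extensions) || SHA-256(clientDataJSON).
    Assumption for this example: the SSH key's application string is the rpId."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + struct.pack(">I", counter) + extensions
            + hashlib.sha256(client_data).digest())


def client_data_is_consistent(client_data: bytes, origin: str) -> bool:
    """Provider-side sanity checks: a webauthn.get whose origin matches the
    origin field being packed, with keys starting in the order the WebAuthn
    serialization algorithm mandates (type, challenge, origin)."""
    try:
        obj = json.loads(client_data)
    except ValueError:
        return False
    if not isinstance(obj, dict) or obj.get("type") != "webauthn.get":
        return False
    if obj.get("origin") != origin:
        return False
    return list(obj.keys())[:3] == ["type", "challenge", "origin"]


# Constructed sample (not a real assertion): arbitrary 256-bit r and s,
# an arbitrary base64url challenge, and a clientData in spec key order.
SAMPLE_R = (0xE1 << 248) | 0x1234
SAMPLE_S = (0x0F << 248) | 0x5678
SAMPLE_ORIGIN = "https://mindrot.org"
SAMPLE_CLIENT_DATA = json.dumps(
    {"type": "webauthn.get", "challenge": "YWJjZGVmZ2hpamtsbW5vcA",
     "origin": SAMPLE_ORIGIN, "crossOrigin": False},
    separators=(",", ":")).encode()


def demo() -> dict:
    """Pack, unpack and check the sample; returns parsed fields plus checks."""
    blob = pack_webauthn_sk_signature(SAMPLE_R, SAMPLE_S, 0x01, 42,
                                      SAMPLE_ORIGIN, SAMPLE_CLIENT_DATA)
    f = unpack_webauthn_sk_signature(blob)
    f["consistent"] = client_data_is_consistent(f["client_data"], f["origin"])
    f["signed_len"] = len(webauthn_signed_data(
        "mindrot.org", f["flags"], f["counter"], f["extensions"], f["client_data"]))
    return f


if __name__ == "__main__":
    print(demo())
```

One practical point for a provider built along Scott's lines: the browser's AuthenticatorAssertionResponse returns flags and the signature counter inside authenticatorData (byte 32 and bytes 33 to 36 respectively), not as separate values, so the page or the provider has to pull them out before the blob above can be filled in.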