Re: webauthn signatures: SecurityKeyProvider, json parsing

Thanks! Indeed, Brian and Kevin are right, the user experience does resemble OIDC. Besides Brian's suggestion of HashiCorp Vault, I've also heard of Smallstep, which are great out-of-the-box solutions. And, to Peter's point, OIDC is significantly more complex than what I came up with ....

Having said that, there is only one user logging into this homelab machine, so OIDC would be a bit overkill for now :) Eventually, the homelab will expand, whereupon I'll definitely put OIDC in front of ssh and other services besides.

In any case, in this thread I really only wanted to probe the potential of OpenSSH's webauthn support -- there isn't actually an acute problem I need to solve apart from playing with this ball of yarn for a bit.


Scott C Wang


From: openssh-unix-dev <openssh-unix-dev-bounces+wangsc=cs.wisc.edu@xxxxxxxxxxx> on behalf of Brian Candler <b.candler@xxxxxxxxx>
Sent: 11 January 2022 13:24
To: openssh-unix-dev@xxxxxxxxxxx <openssh-unix-dev@xxxxxxxxxxx>
Subject: Re: webauthn signatures: SecurityKeyProvider, json parsing 
 
On 11/01/2022 18:52, Fox, Kevin M wrote:
> Sounds kind of like oidc but with webauthn switched out for some of the plumbing. Would straight up oidc work cleaner for your use case? You can still use all sorts of authentication methods like fingerprints with it.

You can also trade an OIDC login for an SSH certificate, using HashiCorp
Vault (amongst other solutions).

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev