Thanks! Indeed, Brian and Kevin are right, the user experience does resemble OIDC. Besides Brian's suggestion of HashiCorp Vault, I've also heard of Smallstep, which are great out-of-the-box solutions. And, to Peter's point, OIDC is significantly more complex than what I came up with... Having said that, there is only one user logging into this homelab machine, so OIDC would be a bit overkill for now :) Eventually, the homelab will expand, whereupon I'll definitely put OIDC in front of ssh and other services besides.

In any case, in this thread I really only wanted to probe the potential of OpenSSH's webauthn support -- there isn't actually an acute problem I need to solve apart from playing with this ball of yarn for a bit.

Scott C Wang

From: openssh-unix-dev <openssh-unix-dev-bounces+wangsc=cs.wisc.edu@xxxxxxxxxxx> on behalf of Brian Candler <b.candler@xxxxxxxxx>
Sent: 11 January 2022 13:24
To: openssh-unix-dev@xxxxxxxxxxx <openssh-unix-dev@xxxxxxxxxxx>
Subject: Re: webauthn signatures: SecurityKeyProvider, json parsing

On 11/01/2022 18:52, Fox, Kevin M wrote:
> Sounds kind of like oidc but with webauthn switched out for some of the plumbing. Would straight up oidc work cleaner for your use case? You can still use all sorts of authentication methods like fingerprints with it.

You can also trade an OIDC login for an SSH certificate, using Hashicorp Vault (amongst other solutions)

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev