Hey everyone! We just added support (maybe a first?) for Webauthn keys in Blink. Everything seems to be working great except in one scenario: using them with our agent. You can see a quick demo here: https://twitter.com/BlinkShell/status/1570427813819486212?s=20&t=2GNv08ro2zyBcI14DK4tIA

The implementation is making use of Passkeys and Secure Keys with Webauthn support. I think the interesting part is how easy creating and using keys like this is, and maybe future use cases would showcase more possibilities for Webauthn keys. This is all based on Damien Miller's test projects (thanks a lot!) but, as mentioned, the Client-Agent (at sshconnect2.c) will not accept webauthn-sk signatures at the moment.

The setup is that we use our Agent to forward a key to the remote. Then, when trying to sign with this key, the SSH Client is expecting a sk-ecdsa signature type, but our agent can only provide a webauthn-sk-ecdsa type. The issue seems to be that sign_and_send_pubkey will expect a sk-ecdsa signature in all cases, and not a webauthn-sk-ecdsa. We have been reading the code to see if we could bend things somehow, but it looks like everywhere a transform from key to signature algorithm happens, it will always result in the sk-ecdsa type. We also tried different flags for Accepted Pubkeys, disabling sk-ecdsa, trying to set the webauthn-sk type at the top, all with no luck. On the SSHD side, when logging in, this is not an issue as both are accommodated during validation.

Are we missing something that could make things work? Is there anything from our side that we could do to try things out or to support this scenario? Tons of thanks for any guidance!!

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
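As an added illustration (not code from the post, from Blink or from OpenSSH), here is a small Python encoder/decoder for the two signature blobs the message contrasts, with the strict per-key type comparison the client applies placed beside the lenient check the server side performs. The field layout and full type names are assumed from OpenSSH's PROTOCOL.u2f; the r/s values, flags, counter and origin used in the sample are constructed.

```python
import struct

# Signature/key type names OpenSSH uses for FIDO keys on the P-256 curve.
SK_ECDSA = "sk-ecdsa-sha2-nistp256@openssh.com"
WEBAUTHN_SK_ECDSA = "webauthn-sk-ecdsa-sha2-nistp256@openssh.com"

def _put_string(b: bytes) -> bytes:  # SSH 'string': uint32 length + bytes
    return struct.pack(">I", len(b)) + b

def _get_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_sk_signature(sig_type, r, s, flags, counter,
                       origin=b"", client_data=b"", extensions=b""):
    # Constructed encoder. Layout assumed from OpenSSH's PROTOCOL.u2f: type,
    # ecdsa_signature (mpint r, mpint s), flags, counter, and for the
    # webauthn variant only: origin, clientData, extensions.
    ecdsa_sig = _put_string(r) + _put_string(s)
    blob = (_put_string(sig_type.encode()) + _put_string(ecdsa_sig)
            + bytes([flags]) + struct.pack(">I", counter))
    if sig_type == WEBAUTHN_SK_ECDSA:
        blob += _put_string(origin) + _put_string(client_data) + _put_string(extensions)
    return blob

def parse_sk_signature(blob: bytes) -> dict:
    # Decode either variant; the leading type string decides whether the
    # three webauthn-only fields follow the counter.
    sig_type, off = _get_string(blob, 0)
    sig_type = sig_type.decode()
    ecdsa_sig, off = _get_string(blob, off)
    r, o = _get_string(ecdsa_sig, 0)
    s, _ = _get_string(ecdsa_sig, o)
    flags, (counter,) = blob[off], struct.unpack_from(">I", blob, off + 1)
    off += 5
    out = {"type": sig_type, "r": r, "s": s, "flags": flags, "counter": counter}
    if sig_type == WEBAUTHN_SK_ECDSA:
        for name in ("origin", "clientData", "extensions"):
            out[name], off = _get_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after signature")
    return out

def strict_client_check(key_type: str, sig_type: str) -> bool:
    # Client behaviour the post describes: signature type must equal key type.
    return sig_type == key_type

def lenient_server_check(key_type: str, sig_type: str) -> bool:
    # sshd-style acceptance: an sk-ecdsa key may carry either variant.
    return key_type == SK_ECDSA and sig_type in (SK_ECDSA, WEBAUTHN_SK_ECDSA)
```

Feeding a webauthn-sk-ecdsa blob to both checks for an sk-ecdsa key reproduces the asymmetry described in the message: the strict comparison refuses it while the lenient one accepts it.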