Stuart Henderson wrote:
>> This is why I push for challenge/response tokens, not simply
>> cert authentication, and really wish that FIDO (such as yubikey)
>> was an option, but the discussions I've seen about supporting
>> that have not been encouraging.
> hmm? That works pretty well in OpenSSH.
hmm, what I'm finding doesn't seem to use the FIDO challenge/response to the
server, instead it looks like a public/private key that's unlocked with a touch,
possibly storing the private key on the hardware dongle (but it seems like
there's still a key you need to put on the client system)
Quoting from the yubikey website:
OpenSSH version 8.2p1 added support for FIDO hardware authenticators. FIDO
devices are supported by the public key types "ecdsa-sk" and "ed25519-sk", along
with corresponding certificate types.
It then goes on to talk about generating the key with ssh-keygen
I could easily be missing something about this.
David Lang
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
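As an added illustration of the point under discussion (not code from the thread or from OpenSSH), the following Python walks the wire layouts OpenSSH documents in PROTOCOL.u2f for sk-ssh-ed25519@openssh.com: what the client-side key file holds (a key handle, no private scalar) and what the token actually signs (a blob that includes the hash of the server's session-bound userauth data). All sample bytes are constructed.

```python
import hashlib
import struct

SK_ED25519 = b"sk-ssh-ed25519@openssh.com"

def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_sk_private_section(blob: bytes) -> dict:
    """Fields OpenSSH stores on the client for an ed25519-sk key (PROTOCOL.u2f):
    no Ed25519 private scalar, only a key handle the token needs to derive its
    own key internally, so the file is useless without the physical token."""
    off = 0
    ktype, off = read_string(blob, off)
    if ktype != SK_ED25519:
        raise ValueError("not an sk-ssh-ed25519 key")
    pub, off = read_string(blob, off)
    application, off = read_string(blob, off)
    flags, off = blob[off], off + 1
    key_handle, off = read_string(blob, off)
    _reserved, off = read_string(blob, off)
    return {"pub": pub, "application": application, "flags": flags,
            "key_handle": key_handle}

def parse_sk_signature(sig: bytes) -> dict:
    """Signature blob the client sends to the server: type, raw signature,
    FIDO flags (user presence / verification) and the token's sign counter."""
    off = 0
    ktype, off = read_string(sig, off)
    raw, off = read_string(sig, off)
    flags, counter = struct.unpack_from(">BI", sig, off)
    return {"type": ktype, "sig": raw, "flags": flags, "counter": counter}

def userauth_message(session_id: bytes, user: bytes, pub_blob: bytes) -> bytes:
    """RFC 4252 publickey signed data; it starts with the server's session id."""
    return (ssh_string(session_id) + b"\x32" + ssh_string(user) +
            ssh_string(b"ssh-connection") + ssh_string(b"publickey") + b"\x01" +
            ssh_string(SK_ED25519) + ssh_string(pub_blob))

def sk_signed_data(application: bytes, flags: int, counter: int, message: bytes) -> bytes:
    """What the token signs: SHA256(application) || flags || counter ||
    SHA256(message). The server rebuilds this and verifies the Ed25519
    signature over it, so a different session id invalidates the signature."""
    return (hashlib.sha256(application).digest() + bytes([flags]) +
            struct.pack(">I", counter) + hashlib.sha256(message).digest())

# Constructed sample key-file section (not from a real token).
SAMPLE_PUB = bytes(32)
SAMPLE_KEY = (ssh_string(SK_ED25519) + ssh_string(SAMPLE_PUB) + ssh_string(b"ssh:") +
              b"\x01" + ssh_string(b"handle-bytes") + ssh_string(b""))
```

The `application` string ("ssh:" by default) is the FIDO relying-party id, and the token's signature counter is what lets a server notice a cloned authenticator.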