Re: Security of ssh across a LAN, public key versus password

David Lang:

> hmm, what I'm finding doesn't seem to use the FIDO challenge/response to the
> server,

It does.  That's why new key types (ECDSA-SK, ED25519-SK) were
required to accommodate the existing FIDO challenge/response format.

> instead it looks like a public/private key that's unlocked with a
> touch, possibly storing the private key on the hardware dongle (but it seems
> like there's still a key you need to put on the client system)

In the U2F/FIDO WebAuthn model,
* on key generation
  . the private key is kept on the authenticator,
  . the public key and a key handle are sent to the remote server,
* and on key use
  . the remote server sends a challenge and includes the key handle,
  . the authenticator generates a response.

With OpenSSH,
* on key generation
  . the FIDO private key is kept on the authenticator,
  . the FIDO public key becomes the SSH public key,
  . the FIDO key handle makes up the SSH private key,
* and on key use
  . the remote server sends a FIDO challenge, and the SSH client
    supplies the FIDO key handle to the authenticator,
  . the authenticator generates a FIDO response which the SSH client
    forwards to the remote server.

The only principal difference is the disposition of the FIDO key handle.

-- 
Christian "naddy" Weisgerber                          naddy@xxxxxxxxxxxx
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
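The two flows laid out in the reply above, worked through as an added Go example that is not code from the post or from OpenSSH. It models a FIDO authenticator that never releases its private key, runs one login in the WebAuthn shape (the server stores the key handle and sends it with the challenge) and one in the OpenSSH shape (sshd stores only the public key; the handle sits in the client's private key file), and then shows why a copied `id_*_sk` file is useless without the matching device. Assumptions: Ed25519 stands in for the real SK key types, the handle is a random credential ID that indexes the device's key store (real devices often wrap the key into the handle instead, which changes nothing below), the signed data follows the FIDO assertion layout of hash(rp id) || flags || counter || hash(challenge), and the rp ids `example.com` and `ssh:` are illustrative (`ssh:` being OpenSSH's default application string).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const flagUserPresent byte = 0x01

// Authenticator models a FIDO security key: private keys never leave it,
// and each credential is addressed only by an opaque key handle.
// (Assumption: handle-indexed storage rather than a wrapped-key handle.)
type Authenticator struct {
	keys    map[string]ed25519.PrivateKey
	counter uint32
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]ed25519.PrivateKey{}}
}

// MakeCredential is key generation: the device keeps the private key and
// returns the public key plus a fresh key handle (credential ID).
func (a *Authenticator) MakeCredential() (ed25519.PublicKey, []byte) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	handle := make([]byte, 32)
	if _, err := rand.Read(handle); err != nil {
		panic(err)
	}
	a.keys[string(handle)] = priv
	return pub, handle
}

// signedData is the FIDO assertion layout: hash(rp id) || flags || counter || hash(challenge).
func signedData(rpID string, flags byte, counter uint32, challenge []byte) []byte {
	rp := sha256.Sum256([]byte(rpID))
	ch := sha256.Sum256(challenge)
	buf := bytes.NewBuffer(rp[:])
	buf.WriteByte(flags)
	binary.Write(buf, binary.BigEndian, counter)
	buf.Write(ch[:])
	return buf.Bytes()
}

// Assertion is the FIDO response the client forwards to the relying party.
type Assertion struct {
	Flags   byte
	Counter uint32
	Sig     []byte
}

// GetAssertion is key use: whoever calls supplies the handle and the
// challenge; the device signs only for a handle it issued and only with touch.
func (a *Authenticator) GetAssertion(rpID string, handle, challenge []byte, touched bool) (*Assertion, error) {
	priv, ok := a.keys[string(handle)]
	if !ok {
		return nil, errors.New("unknown key handle: not a credential of this authenticator")
	}
	if !touched {
		return nil, errors.New("user presence required")
	}
	a.counter++
	sig := ed25519.Sign(priv, signedData(rpID, flagUserPresent, a.counter, challenge))
	return &Assertion{Flags: flagUserPresent, Counter: a.counter, Sig: sig}, nil
}

// Verify is the relying party's check (web server or sshd): same signed data, same public key.
func Verify(rpID string, pub ed25519.PublicKey, challenge []byte, as *Assertion) bool {
	if as == nil || as.Flags&flagUserPresent == 0 {
		return false
	}
	return ed25519.Verify(pub, signedData(rpID, as.Flags, as.Counter, challenge), as.Sig)
}

func newChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// WebAuthnRecord: the web server stores public key AND key handle at registration.
type WebAuthnRecord struct {
	Pub    ed25519.PublicKey
	Handle []byte
}

// SSHPrivateKeyFile: in OpenSSH the handle lives client-side in id_*_sk; sshd has only the public key.
type SSHPrivateKeyFile struct {
	Handle []byte
}

// WebAuthnLogin: the server sends challenge + handle, the client passes both to the device.
func WebAuthnLogin(rec WebAuthnRecord, dev *Authenticator, touched bool) bool {
	challenge := newChallenge()
	as, err := dev.GetAssertion("example.com", rec.Handle, challenge, touched)
	return err == nil && Verify("example.com", rec.Pub, challenge, as)
}

// SSHLogin: the server sends only the challenge; the client adds the handle from its key file.
func SSHLogin(serverPub ed25519.PublicKey, kf SSHPrivateKeyFile, dev *Authenticator, touched bool) bool {
	challenge := newChallenge()
	as, err := dev.GetAssertion("ssh:", kf.Handle, challenge, touched) // "ssh:" assumed as the rp id
	return err == nil && Verify("ssh:", serverPub, challenge, as)
}

func main() {
	dev := NewAuthenticator()
	pub, handle := dev.MakeCredential()
	fmt.Println("webauthn login:", WebAuthnLogin(WebAuthnRecord{Pub: pub, Handle: handle}, dev, true))
	fmt.Println("ssh login:", SSHLogin(pub, SSHPrivateKeyFile{Handle: handle}, dev, true))
	// A copied id_*_sk file carries only the handle: a different device cannot use it.
	fmt.Println("ssh login, stolen key file on another device:", SSHLogin(pub, SSHPrivateKeyFile{Handle: handle}, NewAuthenticator(), true))
	fmt.Println("ssh login, no touch:", SSHLogin(pub, SSHPrivateKeyFile{Handle: handle}, dev, false))
}
```

The only thing that differs between `WebAuthnLogin` and `SSHLogin` is who hands the handle to the device, which is the point made above: the handle is not secret material in either model, and the secret that matters stays on the authenticator.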
