[Bug 2319] [PATCH REVIEW] U2F authentication

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Feb 20 00:45:42 AEDT 2015


Matt Johnston <matt at ucc.asn.au> changed:

           What    |Removed                     |Added
                 CC|                            |matt at ucc.asn.au

--- Comment #10 from Matt Johnston <matt at ucc.asn.au> ---
(I'm looking at

I think it would be worth using the 32 byte "challenge" to bind the
authentication to the current SSH session. Otherwise an attacker
running a SSH server can get their clients to sign a response for
another server if they know an entry from authorized_keys (because of
origin/appid of ssh://localhost)?

Maybe something like

challenge = chal_sess_hash | 16_random_bytes

where chal_sess_hash is a 16 byte truncated sha256 hash of
      string    session identifier
      string    user name
      string    service name
      string    "u2f"

The client MUST check that the first 16 bytes is correct - that's
slightly more complexity (decoding JSON) though the code's already
there for the server. 

That would also improve resistance to MITM even if the server hostkey
is compromised/ignored. Existing SSH public key authentication does
that by including the sessionid in the hash being signed (rfc4253 page

For integration with SSH I think a constant origin/appid string is
probably useful - people expect to be able to connect to a host at
varying IPs/hostnames. Copy/pasting from one host's authorized_keys to
another is also common practise.

You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

More information about the openssh-bugs mailing list