[Bug 3498] New: Support for unlocking keys with more than one FIDO/WebAuthn token
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Tue Nov 8 03:08:46 AEDT 2022
https://bugzilla.mindrot.org/show_bug.cgi?id=3498
Bug ID: 3498
Summary: Support for unlocking keys with more than one
FIDO/WebAuthn token
Product: Portable OpenSSH
Version: 9.1p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: Smartcard
Assignee: unassigned-bugs at mindrot.org
Reporter: bugzilla.mindrot at me.benboeckel.net
I'd like to be able to have a single key be unlocked by multiple
FIDO/WebAuthn tokens instead of having one-to-one. The problem is that
I juggle dozens of keys (I prefer one key per "service"; $DAYJOB also
has a setup where keys get access to specific resources using
rrsync[1], so a key-per-resource is required) as it is and having to
double (or triple) it for robust backups feels excessive.
Specifically, what would be nice-to-have:
- support for multiple FIDO/WebAuthn tokens to be able to unlock a
private key
- ability to add a new token to be able to unlock an existing private
key
- the public key should not know/care about which token unlocked the
private key (i.e., should not change after adding a token)
I don't think this supports the mechanism where part of the private key
is stored on the token itself; I think that's fine as now to support
the second point is really questionable if part of the key is
token-locked.
[1] https://download.samba.org/pub/rsync/rrsync.1
(I tried searching for existing issues, but I just get errors about
malformed redirects.)
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list