[Bug 3498] New: Support for unlocking keys with more than one FIDO/WebAuthn token

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Nov 8 03:08:46 AEDT 2022


https://bugzilla.mindrot.org/show_bug.cgi?id=3498

            Bug ID: 3498
           Summary: Support for unlocking keys with more than one
                    FIDO/WebAuthn token
           Product: Portable OpenSSH
           Version: 9.1p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Smartcard
          Assignee: unassigned-bugs at mindrot.org
          Reporter: bugzilla.mindrot at me.benboeckel.net

I'd like to be able to have a single key be unlocked by multiple
FIDO/WebAuthn tokens instead of having one-to-one. The problem is that
I juggle dozens of keys (I prefer one key per "service"; $DAYJOB also
has a setup where keys get access to specific resources using
rrsync[1], so a key-per-resource is required) as it is and having to
double (or triple) it for robust backups feels excessive.

Specifically, what would be nice-to-have:

- support for multiple FIDO/WebAuthn tokens to be able to unlock a
private key
- ability to add a new token to be able to unlock an existing private
key
- the public key should not know/care about which token unlocked the
private key (i.e., should not change after adding a token)

I don't think this supports the mechanism where part of the private key
is stored on the token itself; I think that's fine, as now to support
the second point is really questionable if part of the key is
token-locked.

[1] https://download.samba.org/pub/rsync/rrsync.1

(I tried searching for existing issues, but I just get errors about
malformed redirects.)
