[Bug 3748] "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature type not supported from ssh agent
bugzilla-daemon at mindrot.org
Tue Nov 5 04:31:21 AEDT 2024
https://bugzilla.mindrot.org/show_bug.cgi?id=3748
--- Comment #5 from bmhomer13 at gmail.com ---
OK, turns out the second issue with the server-side check was entirely
my fault. We were hashing the challenge and it was also getting double
base64-encoded. Once fixed, the server-side check passes.

The original problem with the client-side check, however, I think is a
genuine issue. One way I found to get around this, besides disabling
the check entirely
(https://github.com/openssh/openssh-portable/blob/88b35cbdc1500efece65cd6a9a20a72cf7e46eaa/authfd.c#L440-L442),
is to just get the agent to return "sk-ecdsa-sha2-nistp256@openssh.com"
as the format, but pass the full webauthn signature structure
(https://github.com/openssh/openssh-portable/blob/bb52e70fa5330070ec9a23069c311d9e277bbd6f/PROTOCOL.u2f#L212).
Then on the server side, just detect that it's a webauthn signature
based on the structure, rather than the key type (by modifying the code
here a bit:
https://github.com/openssh/openssh-portable/blob/master/ssh-ecdsa-sk.c#L288).

I guess that's probably not a viable fix for me to push upstream - just
mentioning it as a possible server-side solution, as in our case we have
more control over the server-side deployment.
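The server-side workaround sketched in the comment above, as an added example that is not part of the bug report and not OpenSSH code: it parses both signature layouts from PROTOCOL.u2f (type string, ecdsa_signature of two mpints, flags byte, uint32 counter, and for webauthn the trailing origin, clientData and extensions strings) and classifies a blob by whether those trailing fields are present rather than by the type string, which is what lets an agent send the "sk-ecdsa-sha2-nistp256@openssh.com" label with a webauthn body. It also shows the challenge check that tripped the reporter: clientData must carry base64url(SHA256(message)) with padding stripped, not a hash of that value or a second base64 layer. The r/s values, counter, origin "https://example.invalid" and the clientData JSON are constructed sample input; OpenSSH's real verifier performs further checks (and the ECDSA verification itself) that this example does not reproduce.

```python
# Added example, not from the bug report or from OpenSSH. Parses the
# sk-ecdsa / webauthn-sk-ecdsa signature blobs laid out in PROTOCOL.u2f and
# classifies them by structure rather than by the leading type string.
import base64
import hashlib
import struct

SK_TYPE = "sk-ecdsa-sha2-nistp256@openssh.com"
WEBAUTHN_TYPE = "webauthn-sk-ecdsa-sha2-nistp256@openssh.com"


def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint' for a non-negative integer (leading 0x00 if the high bit is set)."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


class Reader:
    """Cursor over an SSH wire buffer; every read is bounds-checked."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def remaining(self) -> int:
        return len(self.buf) - self.pos

    def take(self, n: int) -> bytes:
        if self.remaining() < n:
            raise ValueError("truncated signature blob")
        out = self.buf[self.pos:self.pos + n]
        self.pos += n
        return out

    def string(self) -> bytes:
        (n,) = struct.unpack(">I", self.take(4))
        return self.take(n)

    def mpint(self) -> int:
        return int.from_bytes(self.string(), "big")


def parse_sk_signature(blob: bytes) -> dict:
    """Parse either layout; the 'webauthn' flag comes from the structure, not the type string."""
    r = Reader(blob)
    sig_type = r.string().decode()
    if sig_type not in (SK_TYPE, WEBAUTHN_TYPE):
        raise ValueError(f"unexpected signature type {sig_type}")
    inner = Reader(r.string())  # ecdsa_signature: mpint r, mpint s
    out = {"type": sig_type, "r": inner.mpint(), "s": inner.mpint()}
    if inner.remaining():
        raise ValueError("trailing bytes inside ecdsa_signature")
    out["flags"] = r.take(1)[0]
    (out["counter"],) = struct.unpack(">I", r.take(4))
    if r.remaining() == 0:
        out["webauthn"] = False  # plain sk-ecdsa: nothing follows the counter
        return out
    # Anything after the counter must be exactly the three webauthn strings.
    out["origin"] = r.string().decode()
    out["client_data"] = r.string()
    out["extensions"] = r.string()
    if r.remaining():
        raise ValueError("trailing bytes after webauthn extensions")
    out["webauthn"] = True
    return out


def expected_challenge(message: bytes) -> str:
    """base64url(SHA256(message)) without '=' padding: the value clientData must carry."""
    digest = hashlib.sha256(message).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def client_data_matches(client_data: bytes, message: bytes) -> bool:
    """Substring check for the challenge field, in the spirit of OpenSSH's webauthn check."""
    needle = f'"challenge":"{expected_challenge(message)}"'.encode()
    return needle in client_data


def signed_data(application: bytes, flags: int, counter: int, message: bytes,
                client_data, extensions: bytes) -> bytes:
    """Bytes the authenticator signed: H(app) || flags || counter || extensions || H(clientData or message)."""
    tail = hashlib.sha256(client_data if client_data is not None else message).digest()
    return (hashlib.sha256(application).digest() + bytes([flags])
            + struct.pack(">I", counter) + extensions + tail)


# Constructed sample input: fake r/s, counter 7, and a browser-style clientData JSON.
MESSAGE = b"constructed SSH userauth request bytes"
ORIGIN = "https://example.invalid"
CLIENT_DATA = ('{"type":"webauthn.get","challenge":"' + expected_challenge(MESSAGE)
               + '","origin":"' + ORIGIN + '"}').encode()


def build_blob(sig_type: str, webauthn_body: bool) -> bytes:
    """Assemble a signature blob; sig_type and body layout are chosen independently on purpose."""
    body = (ssh_string(sig_type.encode()) + ssh_string(ssh_mpint(0x1234) + ssh_mpint(0xABCD))
            + b"\x01" + struct.pack(">I", 7))
    if webauthn_body:
        body += ssh_string(ORIGIN.encode()) + ssh_string(CLIENT_DATA) + ssh_string(b"")
    return body
```

Running `parse_sk_signature(build_blob(SK_TYPE, True))` returns a record with `webauthn` set to True even though the type string says plain sk-ecdsa, which is the classification the comment proposes doing in ssh-ecdsa-sk.c; a plain blob with any bytes after the counter that do not form exactly three strings is rejected rather than silently accepted.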