[Bug 3748] "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature type not supported from ssh agent

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Jun 3 05:54:10 AEST 2025


https://bugzilla.mindrot.org/show_bug.cgi?id=3748

--- Comment #7 from Jó Ágila Bitsch <jgilab at gmail.com> ---
I was playing around with certificates signed using a
webauthn-sk-ecdsa-sha2-nistp256@openssh.com signature today as well,
and they need to also be handled specifically. So this would just mean
updating the if statement in my suggested patch to if (ktype ==
KEY_ECDSA_SK || ktype == KEY_ECDSA_SK_CERT)

I tested:
* SSH signatures
* creating ssh certificates with a CA key in an agent
* authenticating to a server with a public key with an agent producing
a webauthn-sk-ecdsa-sha2-nistp256@openssh.com signature
* authenticating to a server with a certificate with an agent producing
a webauthn-sk-ecdsa-sha2-nistp256@openssh.com signature

This would cover the most obvious use cases I can think of. Anything
else I should test?

I'll propose a patch over on GitHub later.
