[PATCH] Early request for comments: U2F authentication

Ángel González keisial at gmail.com
Tue Dec 2 12:01:59 EST 2014

Michael Stapelberg wrote:
> Thank you very much for any replies :).
> I haven’t seen any replies yet, and it’s been almost a week. It could
> just be that none of you care, or all who care are incredibly busy.
> Still, I’d appreciate a “don’t know about the details, but we’ll most
> likely merge your patch” so that I know any further work on this is
> not in vain :).
> Thank you!
Now it has been almost a month. :)

In case it is helpful, here are my 2 cents:
1) It looks cool to support U2F in openssh.
2-3) No, sshd writing the users authorized_keys file doesn't seem a good 
idea :)
I would put the client registration process in ssh-copy-id

4) For the server to identify itself, the only think it knows about its 
identity is its own [set of] host key. The hostname or gethostid(2) can 
be quite useless. Perhaps a sshd_config param? :/

5) Looks good. From the client point of view, I would use 
hostname[:port], as currently checked by ssh in known_hosts. That seems 
more consistent with ssh way. I also suspect that using the server 
fingerprint would allow some attacks, in addition of avoiding possible 
issues with multiple hosts with the same key (shared fs, cloned 
machines…).  Note that if the server is exposed to the origin value, it 
may deserve to be hidden (hashed?) first  (I understand the server shall 
treat the origin as an opaque value)

7) Wouldn't ERR_load_crypto_strings() be enough?

> +// TODO: use auth_info() so that in log messages about accepted auths we will see a message that identifies the key. perhaps we can just use the human readable suffix that you can specify in the authorized_keys file(s)?
Just that suffix won't help root to figure things out. A fingerprint 
-like it's now provided for public keys- could help here.

And a few u2f questions: What is the purpose of the challenge provided 
by the server on registration? What is a u2f key expected to do if asked 
to register an system it already has already registered? Should it be 
appended or replaced?


More information about the openssh-unix-dev mailing list