[PATCH] U2F support in OpenSSH

Thomas Habets thomas at habets.se
Sat Dec 27 20:53:49 EST 2014


On 24 December 2014 at 18:57, Michael Stapelberg
<stapelberg+openssh at google.com> wrote:
> In case you’re interested, please feel free to try the patch. I’m happy for
> any feedback. All you need is libu2f-host installed and a clean copy of
> OpenSSH 6.7p1. Apply the attached patch, delete configure, use autoreconf
> -i to regenerate it, then run ./configure --with-u2f and compile OpenSSH.

Transferring my notes from the other thread:

1) PAM doesn't work (--with-pam, then UsePAM yes and
ChallengeResponseAuthentication yes)
Fix: detect loops in ssh2connect:userauth_u2f in some other way, such
as a dedicated variable in authctxt. (but also see point 5)

2) origin doesn't seem to be respected by YubiKeys (if I understand
the spec correctly)
Is AppID a better choice for this reason?

3) Include paths (probably bug in libu2f-host)
This is https://github.com/Yubico/libu2f-host/issues/13 that you filed.

4) What happened to 51?
        MONITOR_REQ_TERM = 50,
+       MONITOR_REQ_READUSERU2FKEY = 52, MONITOR_ANS_READUSERU2FKEY = 53,
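Review bot: the new MONITOR_REQ_READUSERU2FKEY / MONITOR_ANS_READUSERU2FKEY pair is numbered 52 and 53, leaving 51 unused right after MONITOR_REQ_TERM = 50. If nothing occupies 51, the pair should be 51/52; if 51 is reserved (or was dropped while rebasing), a short comment saying so next to the enum would save the next reviewer the same question, since these IDs have to line up between the monitor and the privsep child.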

5) Why does registration connect to the server anyway, if the server
doesn't keep state and origin is not tied to the server pubkey?
Indeed, without AuthenticationMethods registration returns the blob before
password prompt is shown.
Registration only makes sense if server writes the key handle to
~/.ssh/authorized_keys, right?
Hmm, unless authorized_keys is signed by the server, the registration
process will never be "online" anyway, as U2F intends, so it may as
well be generated on the client and copy-pasted into the server's
authorized_keys. Enforced origin (but point 2) should prevent
accidentally pasting the same blob to multiple servers).

Tested on:
Ubuntu Trusty
OpenSSH 6.7p1
Yubikey Security key


-- 
typedef struct me_s {
 char name[]      = { "Thomas Habets" };
 char email[]     = { "thomas at habets.pp.se" };
 char kernel[]    = { "Linux" };
 char *pgpKey[]   = { "http://www.habets.pp.se/pubkey.txt" };
 char pgp[] = { "A8A3 D1DD 4AE0 8467 7FDE  0945 286A E90A AD48 E854" };
 char coolcmd[]   = { "echo '. ./_&. ./_'>_;. ./_" };
} me_t;
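The registration-and-origin argument in point 5, as an added example that is not part of the patch, of libu2f-host, or of OpenSSH: a toy U2F exchange in pure Python (stdlib only, Python 3.8+) in which registration happens entirely on the client, the resulting blob is what would be pasted into authorized_keys, and the token refuses to use that key handle under any other application parameter, which is the property that stops one blob from being reused on a second server. The key-handle wrapping scheme, the `u2f-toy` authorized_keys line format, the `ssh://host` AppIDs and the hand-rolled (non-constant-time) P-256 are all assumptions made for this example; real tokens wrap key handles in a vendor-specific way. The signed data layout (application parameter, user-presence byte, 4-byte counter, challenge parameter) is the raw U2F authentication format.

```python
import hashlib, hmac, secrets, struct

# Minimal P-256 ECDSA in pure Python: for illustration only, not constant-time.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0: return None
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P   # a = -3 for P-256
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1: acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def ecdsa_sign(d, msg):
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * d) % N
        if r and s: return r, s

def ecdsa_verify(Q, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N): return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    w = pow(s, -1, N)
    X = _add(_mul(z * w % N, G), _mul(r * w % N, Q))
    return X is not None and X[0] % N == r

def app_param(app_id):
    """U2F application parameter: SHA-256 of the AppID the server enforces."""
    return hashlib.sha256(app_id.encode()).digest()

class ToyU2FDevice:
    """Stand-in for a token (assumed scheme). The key handle is a nonce plus a MAC
    over (nonce, app_param) under the device secret, so a handle registered for
    one AppID is refused when presented with another."""
    def __init__(self):
        self.secret = secrets.token_bytes(32)   # never leaves the device
        self.counter = 0

    def _derive(self, nonce, ap):
        prf = lambda label: hmac.new(self.secret, label + nonce + ap, hashlib.sha256).digest()
        return int.from_bytes(prf(b"key"), "big") % (N - 1) + 1, prf(b"tag")[:16]

    def register(self, ap):
        nonce = secrets.token_bytes(16)
        d, tag = self._derive(nonce, ap)
        x, y = _mul(d, G)
        return nonce + tag, b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")

    def authenticate(self, ap, key_handle, challenge_param):
        nonce, tag = key_handle[:16], key_handle[16:]
        d, expected = self._derive(nonce, ap)
        if not hmac.compare_digest(tag, expected):
            raise ValueError("key handle was not issued for this application parameter")
        self.counter += 1
        signed = b"\x01" + struct.pack(">I", self.counter)   # user presence + counter
        return signed, ecdsa_sign(d, ap + signed + challenge_param)

def server_verify(app_id, pubkey, challenge, signed, sig):
    """Server side: rebuild the signed data from its own AppID, the token's
    presence/counter bytes and the challenge, then check against the pasted pubkey."""
    Q = (int.from_bytes(pubkey[1:33], "big"), int.from_bytes(pubkey[33:65], "big"))
    return ecdsa_verify(Q, app_param(app_id) + signed + hashlib.sha256(challenge).digest(), sig)

def demo(app_a="ssh://host-a.example", app_b="ssh://host-b.example"):
    dev = ToyU2FDevice()
    kh, pk = dev.register(app_param(app_a))          # no server contact needed
    # Assumed line format: what the user would paste into host-a's authorized_keys.
    authorized_keys_line = f"u2f-toy {kh.hex()} {pk.hex()} user@client"
    challenge = secrets.token_bytes(32)
    signed, sig = dev.authenticate(app_param(app_a), kh, hashlib.sha256(challenge).digest())
    ok_a = server_verify(app_a, pk, challenge, signed, sig)
    try:  # same blob pasted into host-b's authorized_keys: the token refuses to sign
        dev.authenticate(app_param(app_b), kh, hashlib.sha256(challenge).digest())
        ok_b = True
    except ValueError:
        ok_b = False
    return {"line": authorized_keys_line, "host_a": ok_a, "host_b": ok_b, "counter": dev.counter}

if __name__ == "__main__":
    print(demo())
```

Note what this does and does not show: the origin check only helps if sshd derives the application parameter from something the client cannot choose freely (the server's own AppID), which is exactly the question raised in point 2 about whether the YubiKey honours the origin at all; with an attacker-chosen AppID the binding proves nothing.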
