[PATCH] U2F support in OpenSSH

Michael Stapelberg stapelberg+openssh at google.com
Fri Feb 27 02:07:22 AEDT 2015


At this point it should be obvious, but let me state that I don’t have
motivation/time to spend on this right now, given that upstream shows 0
interest in this at all :(.

Hence, any help on this is welcome.

On Sat, Dec 27, 2014 at 1:53 AM, Thomas Habets <thomas at habets.se> wrote:

> On 24 December 2014 at 18:57, Michael Stapelberg
> <stapelberg+openssh at google.com> wrote:
> > In case you’re interested, please feel free to try the patch. I’m happy for
> > any feedback. All you need is libu2f-host installed and a clean copy of
> > OpenSSH 6.7p1. Apply the attached patch, delete configure, use autoreconf
> > -i to regenerate it, then run ./configure --with-u2f and compile OpenSSH.
>
> Transferring my notes from the other thread:
>
> 1) PAM doesn't work (--with-pam, then UsePAM yes and
> ChallengeResponseAuthentication yes)
> Fix: detect loops in ssh2connect:userauth_u2f in some other way, such
> as a dedicated variable in authctxt. (but also see point 5)
>
> 2) origin doesn't seem to be respected by YubiKeys (if I understand
> the spec correctly)
> Is AppID a better choice for this reason?
>
> 3) Include paths (probably bug in libu2f-host)
> This is https://github.com/Yubico/libu2f-host/issues/13 that you filed.
>
> 4) What happened to 51?
>         MONITOR_REQ_TERM = 50,
> +       MONITOR_REQ_READUSERU2FKEY = 52, MONITOR_ANS_READUSERU2FKEY = 53,
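
Review bot: The value 51 is left unused between MONITOR_REQ_TERM = 50 and MONITOR_REQ_READUSERU2FKEY = 52, and nothing in the hunk says why. The added pair puts the request on an even value and the answer on the odd value after it; if keeping that pairing is the reason 51 is skipped, a short comment next to the new enumerators should say so. Otherwise the pair should be renumbered so no gap is left in the enum.
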
>
> 5) Why does registration connect to the server anyway, if the server
> doesn't keep state and origin is not tied to the server pubkey?
> Indeed, without AuthenticationMethods registration returns the blob before
> password prompt is shown.
> Registration only makes sense if server writes the key handle to
> ~/.ssh/authorized_keys, right?
> Hmm, unless authorized_keys is signed by the server, the registration
> process will never be "online" anyway, as U2F intends, so it may as
> well be generated on the client and copy-pasted into the server's
> authorized_keys. Enforced origin (but point 2) should prevent
> accidentally pasting the same blob to multiple servers).
>
> Tested on:
> Ubuntu Trusty
> OpenSSH 6.7p1
> Yubikey Security key
>
>
> --
> typedef struct me_s {
>  char name[]      = { "Thomas Habets" };
>  char email[]     = { "thomas at habets.pp.se" };
>  char kernel[]    = { "Linux" };
>  char *pgpKey[]   = { "http://www.habets.pp.se/pubkey.txt" };
>  char pgp[] = { "A8A3 D1DD 4AE0 8467 7FDE  0945 286A E90A AD48 E854" };
>  char coolcmd[]   = { "echo '. ./_&. ./_'>_;. ./_" };
> } me_t;
>

