Adding FIDO / WebAuthn to sshd

Adam Powers apowers at ato.ms
Fri Apr 27 15:20:22 AEST 2018


I was thinking that it might be interesting to add FIDO [1] / WebAuthn [2]
to sshd to enable users to log in remotely using biometrics. (Note that
WebAuthn is currently being implemented in Windows 10 and Google Android,
so there will be a large number of clients that could support this
natively.) Unfortunately, the challenge / response scheme used by those
protocols doesn't fit well with PAM because PAM assumes that it is sending
a relatively small password prompt and receiving a relatively small
password back.

But a quick read through sshd.c shows that maybe I could have my own #ifdef
similar to USE_PAM to integrate FIDO / WebAuthn. My questions are:

1. Is that the right approach?
2. What are the guidelines around making a contribution like this and / or
would you guys be interested in this contribution?
3. Anyone want to help? :)

Thanks,
Adam

[1] https://fidoalliance.org/download/
[2] https://www.w3.org/TR/webauthn/


More information about the openssh-unix-dev mailing list