Adding FIDO / WebAuthn to sshd

Mantas Mikulėnas grawity at gmail.com
Fri Apr 27 17:41:18 AEST 2018


On 2018-04-27 08:20, Adam Powers wrote:
> I was thinking that it might be interesting to add FIDO [1] / WebAuthn [2]
> to sshd to enable users to login remotely using biometrics. (Note that
> WebAuthn is currently being implemented in Windows 10 and Google Android,
> so there will be a large number of clients that could support this
> natively.) Unfortunately, the challenge / response scheme used by those
> protocols doesn't fit well with PAM because PAM assumes that it is sending
> a relatively small password prompt and receiving a relatively small
> password back.
> 
> But a quick read through sshd.c shows that maybe I could have my own #ifdef
> similar to USE_PAM to integrate FIDO / WebAuthn. My questions are:


There have already been proposed patches for U2F as a new standalone SSH
authentication method:

https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-December/033262.html

Since clients will need to be updated *anyway* to support WebAuthn, I
think a new auth method is more suitable than trying to hack it via
password auth.

-- 
Mantas Mikulėnas <grawity at gmail.com>
