u2f seed
Fox, Kevin M
Kevin.Fox at pnnl.gov
Wed Jan 1 06:02:36 AEDT 2020
When using openssh with a u2f key, you generate a key via:
ssh-keygen -t ecdsa-sk
Each time you run it, it gives a different key pair. (Seemingly random.)
A differently generated key pair is not valid with the first's public key.
All good so far, but you run into a problem if:
You generate a keypair (A).
You register your public key for (A) on a bunch of ssh servers.
You take your fido2 key to a second client machine and try to log in to your servers.
It kind of defeats the purpose of being able to have a portable keyfob.
If there were a way to seed the generation phase manually, then the same seed could be used on each client machine so that the ssh pub/private key wouldn't have to be transferred along with the u2f keyfob?
Thanks,
Kevin
More information about the openssh-unix-dev mailing list