u2f seed

Fox, Kevin M Kevin.Fox at pnnl.gov
Fri Jan 3 10:35:27 AEDT 2020

>From my understanding, somehow a website talking through the web browser is able to get the same keypair used no matter which computer the keyfob is plugged into. I'm wondering if we can use the same mechanism there. If application is part of the process, maybe allowing the application to be specified by the user rather then being randomly generated by openssh would be enough?


From: Damien Miller <djm at mindrot.org>
Sent: Thursday, January 2, 2020 2:36 PM
To: Fox, Kevin M
Cc: openssh-unix-dev at mindrot.org
Subject: Re: u2f seed

On Thu, 2 Jan 2020, Fox, Kevin M wrote:

> In the u2f protocol, my understanding is in the normal case, the web
> browser seeds the keypair process with the hostname of the remote
> server. In the case of ssh, the hostname is probably not what I would
> want to do. But the u2f protocol seems to have a way to handle this.
> It just needs to be exposed to the user. The content of the private
> keyfile in ssh is generated somehow. Where is that done?

The key generation is done solely by the token. There are several
strings (challenge, application) that OpenSSH sends to the token that
are inputs the the process, but I'd expect most tokens would have
onboard CSPRNGs that they use the actually generate the keys.


More information about the openssh-unix-dev mailing list