u2f seed

Damien Miller djm at mindrot.org
Fri Jan 3 13:03:14 AEDT 2020

On Thu, 2 Jan 2020, James Bottomley wrote:

> To get this to work with ssh, you need something that corresponds to
> the data that is stored on registration. My understanding of the way
> ssh works is that we don't really have that ... the server expects you
> to sign a challenge which it then compares with your remote public
> key. There's nothing the remote server initially passes back to the
> local that would allow the U2F token to use as a key handle ... at
> least not without significantly altering the current protocol.

Right - you wouldn't be doing pubkey authentication any more, you'd be
doing some new authentication method. I chose not to go this way when
implementing FIDO support in OpenSSH because SSH users are familiar with
public key authentication and there is a large amount of infrastructure
that already uses them.


More information about the openssh-unix-dev mailing list