u2f seed

Damien Miller djm at mindrot.org
Mon Jan 6 13:30:41 AEDT 2020

On Fri, 3 Jan 2020, David Lang wrote:

> On Fri, 3 Jan 2020, Christian Weisgerber wrote:
> > David Lang:
> > 
> > > not supporting authentication from multiple machines seems to defeat the
> > > purpose of adding u2f support.
> > 
> > It works just like other SSH key types.  You have a private SSH key
> > and a public one, and you can copy the private key to multiple
> > machines or load it into ssh-agent and use agent forwarding.
> > 
> > The only difference is that the private SSH key on its own is
> > insufficient and requires the cooperation of the FIDO/U2F authenticator.
>
> part of the value of u2f is that there is not anything that you need to
> install on every system.

Well, see what I said earlier about resident keys. If you have a FIDO2 token
and generate a resident key then you don't need to pre-arrange anything.

> As I said, Google has a modified sshd that they use with u2f keys that does
> not require anything be copied or stored on the client machine.

I'm fairly sure that this isn't the case. Can you point me at some
documentation of this?


More information about the openssh-unix-dev mailing list