u2f seed

David Lang david at lang.hm
Mon Jan 6 13:51:50 AEDT 2020


On Mon, 6 Jan 2020, Damien Miller wrote:

> On Fri, 3 Jan 2020, David Lang wrote:
>
>> On Fri, 3 Jan 2020, Christian Weisgerber wrote:
>>
>>> David Lang:
>>>
>>>> not supporting authentication from multiple machines seems to defeat the
>>>> purpose of adding u2f support.
>>>
>>> It works just like other SSH key types.  You have a private SSH key
>>> and a public one, and you can copy the private key to multiple
>>> machines or load it into ssh-agent and use agent forwarding.
>>>
>>> The only difference is that the private SSH key on its own is
>>> insufficient and requires the cooperation of the FIDO/U2F authenticator.
>>
>> part of the value of u2f is that there is not anything that you need to
>> install on every system.
>
> Well, see what I said earlier about resident keys. If you have a FIDO2 token
> and generate a resident key then you don't need to pre-arrange anything.

I'd much rather register the token with each foreign host than have to install a 
key on all devices that I may end up authenticating from.

>> As I said, Google has a modified sshd that they use with u2f keys that does
>> not require anything be copied or stored on the client machine.
>
> I'm fairly sure that this isn't the case. Can you point me at some
> documentation of this?

I worked there and could use my token from any computer without having to do 
anything other than insert the key. As an SRE, I also carried an encrypted USB 
drive that contained one-time passwords just in case the u2f based tokens 
didn't work.

David Lang
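The resident-key workflow Damien points to, as an added example that is not part of the thread: enrol a FIDO2 resident key once, then on any other machine pull the key handle off the token with `ssh-keygen -K` (or straight into the agent with `ssh-add -K`), so nothing has to be pre-installed on the client. The `-O resident`, `-O verify-required`, `-O application=` and `-K` options are real OpenSSH 8.2+ ssh-keygen/ssh-add flags; the application string `ssh:example` and the output path are constructed placeholders. The file ssh-keygen writes is only a handle; the private key never leaves the token. Because the handle is also stored on the token, anyone who holds the token and its PIN can download it, which is why `verify-required` (PIN on every use) is set here.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenSSH project.
# Assumes: OpenSSH 8.2+ built with FIDO support and a FIDO2 token plugged in.

# Check that this OpenSSH build knows the security-key ("-sk") key types.
sk_supported() {
    ssh -Q key 2>/dev/null | grep -q 'ed25519-sk'
}

# OpenSSH requires a custom application string to begin with "ssh:".
valid_application() {
    case "$1" in
        ssh:*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Enrolment, done once on any machine: create a resident, PIN-gated key.
# The "private key" file written here is only a handle for the token;
# the secret stays on the token, and the handle is stored there as well.
enrol_resident_key() {
    app="${1:-ssh:example}"                          # constructed default
    out="${2:-$HOME/.ssh/id_ed25519_sk_resident}"    # constructed default
    valid_application "$app" || { echo "application must start with ssh:" >&2; return 1; }
    ssh-keygen -t ed25519-sk -O resident -O verify-required \
        -O application="$app" -f "$out"
}

# On a fresh machine with nothing pre-arranged: download the handles.
# ssh-keygen -K writes id_*_rk* files into the current directory and
# prompts for the token PIN.
fetch_resident_keys() {
    ssh-keygen -K
}

# Alternative that never touches disk: load the handles into a running agent.
load_resident_keys_into_agent() {
    ssh-add -K
}

# Only touch the hardware when explicitly asked ("sh script.sh run").
if [ "${1:-}" = "run" ]; then
    sk_supported || { echo "this OpenSSH lacks FIDO/U2F support" >&2; exit 1; }
    enrol_resident_key "ssh:example" && fetch_resident_keys
fi
```

Run the enrolment step once, then on any other host with the token inserted run `ssh-keygen -K` (or `ssh-add -K`) and present the downloaded public key to the remote side as you would any other key; the per-host registration David prefers is not needed because the handle travels with the token.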
