Fwd: sk-api suggestions

Damien Miller djm at mindrot.org
Fri Mar 6 10:20:25 AEDT 2020

On Thu, 5 Mar 2020, Reza Tavakoli wrote:

> Hello,
> I'm helping the Git for Windows team and contributing to the git-for-windows
> repository to help expand the OpenSSH support for FIDO2 devices on Windows.
> Currently we are using your internal implementation (sk-usbhid.c); however,
> since Windows 10 version 1903 this requires administrator privileges.
> I'm trying to create a module for OpenSSH to use webauthn.dll instead of
> directly calling libfido2 to eliminate the need for administrator
> privileges.
> I noticed that in ssh-sk.c, in the function sshsk_sign, you hash the input data
> before passing it to the external module's sk_sign function. The problem is,
> the Windows API automatically hashes the input before sending it to the FIDO device,
> so I need to receive the data without hashing to be able to use this, or
> else the data will be hashed two times and verification will fail.
> May I suggest that you do this part inside sk_sign command so the module
> using your sk-api.h interface can do this if it's needed?

That sounds reasonable - do you have a patch you can share? We'd need to
increase the SSH_SK_VERSION_MAJOR, but we'll probably do that before the
next release anyway.

