Fwd: sk-api suggestions
Damien Miller
djm at mindrot.org
Tue Mar 10 10:34:09 AEDT 2020
Thanks - this seems perfectly reasonable. I'll queue this for a bit as
I think it's fairly likely that we'll make some other changes that will
require an API break, and I'd like to do them all at once.
-d
On Mon, 9 Mar 2020, Reza Tavakoli wrote:
> Here is the patch I've used.
> I've also changed sk-dummy.c but it seems like I can't invoke it properly (no
> test fails in any case). So far with these changes everything is working
> fine (I SSHed to myself with both the internal implementation and my custom
> module).
>
> On Fri, Mar 6, 2020 at 2:50 AM Damien Miller <djm at mindrot.org> wrote:
> On Thu, 5 Mar 2020, Reza Tavakoli wrote:
>
> > Hello,
> >
> > I'm helping the Git for Windows team and contributing in the git-for-windows
> > repository to help expand the OpenSSH support for fido2 devices on Windows.
> > Currently we are using your internal implementation (sk-usbhid.c); however,
> > since Windows 10 version 1903 this requires administrator privileges.
> >
> > I'm trying to create a module for OpenSSH to use webauthn.dll instead of
> > calling libfido2 directly, to eliminate the need for administrator
> > privileges.
> > I noticed that in ssh-sk.c, in the function sshsk_sign, you hash the input data
> > before passing it to the external module's sk_sign function. The problem is,
> > the Windows API automatically hashes the input before sending it to the fido
> > device, so I need to receive the data without hashing to be able to use this, or
> > else the data will be hashed two times and verification will fail.
> >
> > May I suggest that you do this part inside the sk_sign command so the module
> > using your sk-api.h interface can do this if it's needed?
>
> That sounds reasonable - do you have a patch you can share? We'd need to
> increase the SSH_SK_VERSION_MAJOR, but we'll probably do that before the
> next release anyway.
>
> -d
>
>
>
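The double-hashing failure discussed in this thread, as an added example that is not code from the thread or from OpenSSH: it models a caller that pre-hashes the message, a module that talks to the token directly, and a module that goes through a platform API which hashes its input. All function names are hypothetical, the signed blob is a simplified FIDO-style layout, and an HMAC with a constructed key stands in for the token's real signature.

```python
import hashlib, hmac, struct

TOKEN_KEY = b"constructed-demo-key"   # constructed; stand-in for the token's key
APP = b"ssh:"                         # application string (assumed sample value)

def sha256(b):
    return hashlib.sha256(b).digest()

def signed_blob(app, digest, flags=0x01, counter=7):
    # Simplified FIDO-style blob: SHA256(app) || flags || counter || digest
    return sha256(app) + struct.pack(">BI", flags, counter) + digest

def token_sign(app, digest):
    # The token signs whatever 32-byte digest it is handed (HMAC as stand-in).
    return hmac.new(TOKEN_KEY, signed_blob(app, digest), hashlib.sha256).digest()

def verify(app, message, sig):
    # The verifier always hashes the message exactly once.
    want = hmac.new(TOKEN_KEY, signed_blob(app, sha256(message)), hashlib.sha256)
    return hmac.compare_digest(want.digest(), sig)

def platform_api_sign(app, data):
    # Platform API as described in the thread: hashes its input itself.
    return token_sign(app, sha256(data))

def module_direct(app, data, data_is_digest):
    # Module that drives the token itself; hashes only if the caller did not.
    return token_sign(app, data if data_is_digest else sha256(data))

def module_platform(app, data, data_is_digest):
    # Module on top of the platform API; it cannot undo a hash the caller applied.
    return platform_api_sign(app, data)

def outcomes(message):
    """Verification result for each (API contract, module) combination."""
    out = {}
    for api, prehash in (("caller-hashes", True), ("module-hashes", False)):
        data = sha256(message) if prehash else message
        for name, mod in (("direct", module_direct), ("platform", module_platform)):
            out[(api, name)] = verify(APP, message, mod(APP, data, prehash))
    return out

if __name__ == "__main__":
    for combo, ok in outcomes(b"constructed session data").items():
        print(combo, "verifies" if ok else "FAILS")
```

Only the combination of a pre-hashing caller and a hashing platform API fails, which is why moving the hash into the module lets both kinds of module work.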