Fwd: sk-api suggestions

Damien Miller djm at mindrot.org
Tue Mar 10 10:34:09 AEDT 2020


Thanks - this seems perfectly reasonable. I'll queue this for a bit as
I think it's fairly likely that we'll make some other changes that will
require an API break, and I'd like to do them all at once.

-d

On Mon, 9 Mar 2020, Reza Tavakoli wrote:

> Here is the patch I've used.
> I've also changed sk-dummy.c but seems like I can't invoke it properly (no
> test fail in any case). So far with these changes everything is working
> fine (I SSHed to myself with both internal implementation and my custom
> module)
> 
> On Fri, Mar 6, 2020 at 2:50 AM Damien Miller <djm at mindrot.org> wrote:
>       On Thu, 5 Mar 2020, Reza Tavakoli wrote:
> 
>       > Hello,
>       >
>       > I'm helping the Git for Windows team and contributing in the
>       > git-for-windows repository to help expand the OpenSSH support for
>       > fido2 devices on Windows.
>       > Currently we are using your internal implementation (sk-usbhid.c),
>       > however since Windows 10 version 1903 this requires administrator
>       > privileges.
>       >
>       > I'm trying to create a module for OpenSSH to use webauthn.dll
>       > instead of direct calling to libfido2 to eliminate the need for
>       > administrator privileges.
>       > I noticed that in ssh-sk.c in function sshsk_sign you hash the
>       > input data before passing it to external module sk_sign function.
>       > The problem is, Windows API automatically hashes the input before
>       > sending it to fido device, so I need to receive the data without
>       > hashing to be able to use this or else the data will be hashed two
>       > times and verification will fail.
>       >
>       > May I suggest that you do this part inside sk_sign command so the
>       > module using your sk-api.h interface can do this if it's needed?
> 
>       That sounds reasonable - do you have a patch you can share? We'd
>       need to increase the SSH_SK_VERSION_MAJOR, but we'll probably do
>       that before the next release anyway.
> 
>       -d
> 
> 
> 
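The double-hashing failure described in the quoted request, modelled as an added example that is not part of this thread or of OpenSSH's code. All function names are hypothetical, HMAC stands in for the token's ECDSA/Ed25519 signature so the block runs on the standard library, and the signed-data layout (SHA256(application) || flags || counter || message hash) is the assumption the verifier side is built on.

```python
import hashlib
import hmac

# Constructed stand-in for the token's private key. A real FIDO2 device signs
# with ECDSA or Ed25519; HMAC is used only to keep the example stdlib-only.
DEVICE_KEY = b"constructed-device-key"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def signed_blob(application, flags, counter, msg_hash):
    # Layout assumed for this example:
    # SHA256(application) || flags (1 byte) || counter (4 bytes, BE) || hash
    head = sha256(application.encode()) + bytes([flags])
    return head + counter.to_bytes(4, "big") + msg_hash


def token_sign(application, flags, counter, challenge_hash):
    # Hypothetical token: signs over whatever 32-byte hash it is handed.
    blob = signed_blob(application, flags, counter, challenge_hash)
    return hmac.new(DEVICE_KEY, blob, hashlib.sha256).digest()


def hashing_platform_api(application, flags, counter, data):
    # Hypothetical platform API that always hashes its input before the token
    # sees it (the behaviour the thread attributes to the Windows API).
    return token_sign(application, flags, counter, sha256(data))


def provider_sign(message, application, flags, counter, caller_prehashes):
    # sk_sign-style provider; caller_prehashes=True models hashing in the caller.
    data = sha256(message) if caller_prehashes else message
    return hashing_platform_api(application, flags, counter, data)


def verify(message, application, flags, counter, signature):
    # The verifier rebuilds the blob with exactly one SHA256(message).
    expected = token_sign(application, flags, counter, sha256(message))
    return hmac.compare_digest(expected, signature)


def demo():
    msg, app, flags, ctr = b"constructed session data", "ssh:", 0x01, 7
    double = provider_sign(msg, app, flags, ctr, caller_prehashes=True)
    single = provider_sign(msg, app, flags, ctr, caller_prehashes=False)
    return verify(msg, app, flags, ctr, double), verify(msg, app, flags, ctr, single)


if __name__ == "__main__":
    print(demo())
```

The first result is the pre-hashed case, where the token ends up signing SHA256(SHA256(message)); the second is the case where the provider receives the raw message and the platform API performs the only hash.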

