FIDO Flags and some other changes

Reza Tavakoli rta.0070 at gmail.com
Mon Oct 5 09:23:07 AEDT 2020 

Hello,
I just want to share my ideas about few things related to fido keys:



   1. Right now, we specify flags like "no-touch-required" and
   "verify-required" during key generation, but I think this information
   should not be attached to keys at generation times, especially because
   servers most accept our keys based on their configurations: for example,
   one server may have "no-touch-required" on it's "authorized_key" file and
   another one doesn't. But we cannot change "no-touch-required" on every
   login since it's permanently attached to its private key. Also, keys
   created with "verify-required" need to have "verify_required" on the server
   config or they will be rejected, and if we add "verify-required" to keys
   which do not have this flag, they'll become useless. My purpose is, these
   options should be configured on ssh configs, so for each server, we can
   specify them as it should be(or select a default with "Host *"). What do
   you think?
   2. Another thing I wanted to share is, with "verify-required", you ask
   for the pin before starting sk module, I think it's not a good idea since
   some modules do not read pin (for example mine, which is using Windows
   Hello, and it needs to ask for the pin on it's UI) And in future, when you
   want to add support for biometric verification, this should be changed.
   3. "-O user" option only set key_id in sk-usbhid.c, you hardcoded name
   and display_name to "openssh", this can make key management hard, most of
   key managers app(like YubiKey manager) only shows the name of the resident
   key, and refuse to delete keys when there are two with the same name, an
   easy fix is to set name and display name to the one requested in "user"
   option (and fallback to "openssh" when the user is not configuring any name
   since they can't be empty)
   4. In the next version of libfido2, a new function named
   fido_cred_authdata_raw_ptr will be added which is same as
   fido_cred_authdata_ptr but its output is not CBOR encoded. I think it's a
   better fit for storing attested data.


Thanks for reading this.
Regards,

More information about the openssh-unix-dev mailing list