SK API PIN prompt

Matthew Bowen matthew at
Tue Sep 29 11:54:34 AEST 2020


I'm the author of windows-fido-bridge, an OpenSSH SK middleware that allows you to use Microsoft's WebAuthn API in Windows 10 to SSH from Windows Subsystem for Linux into a remote server using a security key. I recently implemented the ability to use windows-fido-bridge with OpenSSH 8.4, and I'm particularly interested in the new support for requiring user verification to log in (i.e., requiring a PIN).

One thing I noticed is that ssh and ssh-keygen will prompt you to enter a PIN (if you specify the verify-required option when your SK SSH key was created) before executing the configured middleware. However, Microsoft's WebAuthn API handles the job of asking the user for their PIN and offers no support for an application providing a PIN itself, making this step unnecessary for any app using Microsoft's WebAuthn API. An easy workaround is to simply press Enter when ssh prompts you for the PIN (and in my case, windows-fido-bridge will ignore the provided PIN no matter what you enter), but that makes for a poor user experience.

Would it be possible to provide a way for a middleware to advertise that prompting the user for a PIN is unnecessary, thus allowing ssh to skip that prompt even if the verify-required option is specified? One possibility that comes to mind is adding a new middleware entry point named, e.g., sk_capabilities that returns a struct with a flag indicating whether ssh should prompt for a PIN, but there are of course other possibilities as well.

Let me know what you think :)


More information about the openssh-unix-dev mailing list