OpenSSH support for FIDO RSA keys

[Damien Miller]

On Wed, 25 Aug 2021, James Bottomley wrote:

> > Would it be possible to extend OpenSSH support to include “rsa-sk”
> > keys?
> >
> > Not sure what the process is, but could development of it be
> > sponsored?
>
> The FIDO standard requires ECDSA keys (mainly, I suspect, because some
> of the space constraints in the protocol are too small for RSA) so I
> don't believe, even if you hacked the standard to support RSA keys,
> that it would work in practice.

AFAIK the FIDO2 standards include RSA keys, though I'm not aware of any
physical FIDO tokens that support them (caveat: I haven't looked much).

Adding another key type to OpenSSH is expensive - it needs to be plumbed
through a lot of code, tests need to be written, documentation updated
and fuzzing seed corpora need to be created. Maintenance once it has
been added is less onerous, but still a factor - each supported key type
basically increases the multiple (currently 7) of code paths that need
care, test coverage and fuzzing.

OTOH it's really hard to *remove* a key type, because there's always
someone, somewhere with some use case that wants it. I'm expecting a big
fight when I eventually push to remove ssh-dss, an algorithm that is
demonstrably insecure, despite it being disabled by default for a long
time. So anything we add, we're almost certainly on the hook to support
for a decade+

Because of this, I'm quite reticent to add more key types without a
really compelling reason.

In the case of RSA/FIDO, it's really to support a single vendor
(admittedly an important one), but using an algorithm (RSA) which almost
everyone is moving away from in favour of elliptic-curve crypto, and
that seems was chosen to support a legacy hardware standard (TPM 1.x)
that is already superseded.

It feels like adding FIDO/RSA is like running towards where the ball was
a year ago rather than where it will be in the near future.

-d