webauthn signatures: SecurityKeyProvider, json parsing

Peter Stuge peter at stuge.se
Wed Jan 12 05:31:22 AEDT 2022


Scott C Wang wrote:
> I implement a SecurityKeyProvider that prints a https URL upon sk_sign.
> I open this URL in Google Chrome. The script on the page calls the
> webauthn authentication API; Google Chrome prompts me to choose an
> authentication method, and I pick my phone. Authenticating my
> fingerprint on my phone yields a webauthn signature to the script,
> which POSTs the signature, origin, clientData, and extensions back
> to the same URL. The SecurityKeyProvider polls the URL (or some
> endpoint) until the signature arrives, which it returns, along with
> the origin, clientData, and extensions, to the OpenSSH client.
> The OpenSSH client now has what it needs to pack a
> "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature message,
> all of which the OpenSSH server currently already supports validating.
..
> have I gone mad?

FWIW I think the data spray and the complexity are mad, each on their own.

I guess that it'll be popular, I hope not in mainline OpenSSH. ;)


//Peter
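
Added example, not part of either message and not OpenSSH code: a strict parser for the signature blob discussed above, plus the consistency checks a verifier would want on the browser-supplied fields before any ECDSA verification. The field order, the flags/counter fields and the signed-bytes layout are assumptions taken from OpenSSH's PROTOCOL.u2f; the function names are hypothetical, and the expected challenge is supplied by the caller because the thread does not say how it is derived.

```python
import base64, hashlib, json, struct
# Field order below is an assumption taken from OpenSSH's PROTOCOL.u2f.
SIG_TYPE = b"webauthn-sk-ecdsa-sha2-nistp256@openssh.com"

def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def pack_sig(ecdsa_sig, flags, counter, origin, client_data, extensions):
    """Blob the client would pack from what the provider returns."""
    return (ssh_string(SIG_TYPE) + ssh_string(ecdsa_sig)
            + struct.pack(">BI", flags, counter) + ssh_string(origin)
            + ssh_string(client_data) + ssh_string(extensions))

def parse_sig(blob: bytes) -> dict:
    """Strict parse: reject truncation, a wrong type and trailing bytes."""
    pos = 0
    def take(n):
        nonlocal pos
        if n > len(blob) - pos:
            raise ValueError("truncated signature blob")
        pos += n
        return blob[pos - n:pos]
    def take_string():
        return take(struct.unpack(">I", take(4))[0])
    if take_string() != SIG_TYPE:
        raise ValueError("unexpected signature type")
    sig = take_string()
    flags, counter = struct.unpack(">BI", take(5))
    fields = dict(ecdsa_sig=sig, flags=flags, counter=counter, origin=take_string(),
                  client_data=take_string(), extensions=take_string())
    if pos != len(blob):
        raise ValueError("trailing bytes after signature")
    return fields

def check_client_data(f: dict, challenge: bytes) -> None:
    """Tie the browser-supplied clientData to this request; raise if not."""
    cd = json.loads(f["client_data"])
    want = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    if not isinstance(cd, dict) or cd.get("type") != "webauthn.get":
        raise ValueError("clientData type is not webauthn.get")
    if cd.get("origin") != f["origin"].decode():
        raise ValueError("clientData origin differs from the origin field")
    if cd.get("challenge") != want:
        raise ValueError("clientData challenge does not match")

def signed_bytes(application: bytes, f: dict) -> bytes:
    """Bytes the authenticator's ECDSA signature is computed over."""
    return (hashlib.sha256(application).digest() + struct.pack(">BI", f["flags"],
            f["counter"]) + f["extensions"] + hashlib.sha256(f["client_data"]).digest())
```

The ECDSA verification of ecdsa_sig over signed_bytes() with the key's public point is not shown here.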


More information about the openssh-unix-dev mailing list