webauthn signatures: SecurityKeyProvider, json parsing

Fox, Kevin M Kevin.Fox at pnnl.gov
Wed Jan 12 05:52:08 AEDT 2022 

Sounds kind of like oidc but with webauthn switched out for some of the plumbing. Would straight up oidc work cleaner for your use case? You can still use all sorts of authentication methods like fingerprints with it.

________________________________________
From: openssh-unix-dev <openssh-unix-dev-bounces+kevin.fox=pnnl.gov at mindrot.org> on behalf of Peter Stuge <peter at stuge.se>
Sent: Tuesday, January 11, 2022 10:31 AM
To: openssh-unix-dev at mindrot.org
Subject: Re: webauthn signatures: SecurityKeyProvider, json parsing

Check twice before you click! This email originated from outside PNNL.


Scott C Wang wrote:
> I implement a SecurityKeyProvider that prints a https URL upon sk_sign.
> I open this URL in Google Chrome. The script on the page calls the
> webauthn authentication API; Google Chrome prompts me to choose an
> authentication method, and I pick my phone. Authenticating my
> fingerprint on my phone yields a webauthn signature to the script,
> which POSTs the signature, origin, clientData, and extensions back
> to the same URL. The SecurityKeyProvider polls the URL (or some
> endpoint) until the signature arrives, which it returns, along with
> the origin, clientData, and extensions, to the OpenSSH client.
> The OpenSSH client now has what it needs to pack a
> "webauthn-sk-ecdsa-sha2-nistp256 at openssh.com" signature message,
> all of which the OpenSSH server currently already supports validating.
..
> have I gone mad?

FWIW I think the data spray and the complexity are mad, each on their own.

I guess that it'll be popular, I hope not in mainline OpenSSH. ;)


//Peter
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.mindrot.org%2Fmailman%2Flistinfo%2Fopenssh-unix-dev&data=04%7C01%7CKevin.Fox%40pnnl.gov%7Ce22d8ea52399494a387208d9d530e42a%7Cd6faa5f90ae240338c0130048a38deeb%7C0%7C0%7C637775228267088932%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000&sdata=DHoJZiyxh8w35fqkDuauIVmnPFOH9mgZxECsdcoEckQ%3D&reserved=0

More information about the openssh-unix-dev mailing list