webauthn signatures: SecurityKeyProvider, json parsing

Scott C Wang wangsc at cs.wisc.edu
Wed Jan 12 16:18:49 AEDT 2022


Thanks! Indeed, Brian and Kevin are right, the user experience does resemble OIDC. Besides Brian's suggestion of HashiCorp Vault, I've also heard of Smallstep, which are great out-of-the-box solutions. And, to Peter's point, OIDC is significantly more complex than what I came up with ....

Having said that, there is only one user logging into this homelab machine, so OIDC would be a bit overkill for now :) Eventually, the homelab will expand, whereupon I'll definitely put OIDC in front of ssh and other services besides.

In any case, in this thread I really only wanted to probe the potential of OpenSSH's webauthn support -- there isn't actually an acute problem I need to solve apart from playing with this ball of yarn for a bit.


Scott C Wang


From: openssh-unix-dev <openssh-unix-dev-bounces+wangsc=cs.wisc.edu at mindrot.org> on behalf of Brian Candler <b.candler at pobox.com>
Sent: 11 January 2022 13:24
To: openssh-unix-dev at mindrot.org <openssh-unix-dev at mindrot.org>
Subject: Re: webauthn signatures: SecurityKeyProvider, json parsing

On 11/01/2022 18:52, Fox, Kevin M wrote:
> Sounds kind of like oidc but with webauthn switched out for some of the plumbing. Would straight up oidc work cleaner for your use case? You can still use all sorts of authentication methods like fingerprints with it.

You can also trade an OIDC login for an SSH certificate, using HashiCorp Vault (amongst other solutions).

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

