FIDO2 resident credentials

Pavol Rusnak stick at satoshilabs.com
Wed Jan 8 05:39:50 AEDT 2025


Thanks Christian for your answer.

However, it seems to me you are contradicting yourself.

First, you argue that the reason not to put the FIDO RK handle into the pub
stored on the server is that this makes it impossible to log in with a
stolen authenticator (unless you have the corresponding sk file).

Later you argue that using ssh -K to download the FIDO handle is safe
because this is allowed only when a correct PIN/fingerprint is provided.

Why can't the correct PIN/fingerprint argument be used for the first point?
We are working under the assumption that a stolen authenticator is useless (to
use with SSH) without providing the correct PIN/fingerprint.

Also, it seems you ignored the part saying:

> I see no justifiable reason why to load resident keys from a FIDO
> authenticator to the SSH client computer, which is what `ssh-add -K` does.
> The normal way to work with resident credentials is to specify the RP ID
> `ssh:` in the authentication request to the authenticator.

but that is probably related to the point I raised above, indicating that
you are working with a different set of assumptions than we are.

-- 
Best Regards / S pozdravom,

Pavol "Stick" Rusnak
Co-Founder, SatoshiLabs


More information about the openssh-unix-dev mailing list