[PATCH] U2F support in OpenSSH

Damien Miller djm at mindrot.org
Fri Feb 27 05:57:08 AEDT 2015


On Thu, 26 Feb 2015, Michael Stapelberg wrote:

> > Now it's great that the protocol spec is there to look at, but it still
> > requires more familiarity with the rest of U2F than I have at present.
> > The code as it stands also AFAIK requires an incompatibly-licensed
> > helper library. Neither of these problems is insurmountable, but they do
> > make it harder to start.
>
> Agreed. I want to point out that you still haven't clarified the (to
> me) crucial question, so let me ask you directly:
>
> Do you think, right now, based only on the information you have so
> far, that you'll eventually merge a patch adding U2F to OpenSSH? It's
> okay to reverse your decision later and I'm not taking this as a
> promise, but what I do want to know is the upstream sentiment, i.e. if
> you're rather adverse to having U2F support in OpenSSH at all.

I'm not opposed to it, but U2F is pretty new and I'd probably like to
see how it pans out for a bit first, both in terms of changes made to
the upstream protocol and in how widely adopted it becomes.

New auth/crypto protocols frequently get revised after some contact with
the wider world so there is a cost for early adopters who frequently
have to maintain both revised and legacy versions.

New protocols also often fail in the market (admittedly less likely
in this case, given the industry support), in which case we're doubly
burdened with the hassle of implementing/merging as well as maintaining
or pissing off users if we deprecate. On the flip side, if there is
wide adoption and consequent demand then that can certainly focus my
attention :)

Of course, I'm speaking only for myself and my own priorities. One of
the other developers might feel differently.

-d