Fwd: sk-api suggestions

Reza Tavakoli rta.0070 at gmail.com
Mon May 4 00:15:10 AEST 2020


All looks fine to me, thanks.
You can view the middleware I created (code and a video clip) at
https://github.com/tavrez/openssh-sk-winhello if you are
interested (currently shipped with a custom ssh-sk-helper).
As a side note, sk-api.h is not listed in .depend for ssh-sk.o and
sk-usbhic.o, although it's included in both.

On Fri, May 1, 2020 at 8:00 AM Damien Miller <djm at mindrot.org> wrote:

> On Fri, 6 Mar 2020, Damien Miller wrote:
>
> > On Thu, 5 Mar 2020, Reza Tavakoli wrote:
> >
> > > Hello,
> > >
> > > I'm helping the Git for Windows team and contributing to the
> > > git-for-windows repository to help expand OpenSSH support for FIDO2
> > > devices on Windows. Currently we are using your internal implementation
> > > (sk-usbhic.c); however, since Windows 10 version 1903 this requires
> > > administrator privileges.
> > >
> > > I'm trying to create a module for OpenSSH to use webauthn.dll instead of
> > > calling libfido2 directly, to eliminate the need for administrator
> > > privileges.
> > > I noticed that in ssh-sk.c, in the function sshsk_sign, you hash the
> > > input data before passing it to the external module's sk_sign function.
> > > The problem is, the Windows API automatically hashes the input before
> > > sending it to the FIDO device, so I need to receive the data without
> > > hashing to be able to use this, or else the data will be hashed two
> > > times and verification will fail.
> > >
> > > May I suggest that you do this part inside the sk_sign command so the
> > > module using your sk-api.h interface can do this if it's needed?
> >
> > That sounds reasonable - do you have a patch you can share? We'd need to
> > increase the SSH_SK_VERSION_MAJOR, but we'll probably do that before the
> > next release anyway.
>
> Hi,
>
> I committed a change to move the hashing from ssh-sk.c to the middleware,
> bumping the expected middleware version along the way. Please take a look
> (commit 59d2de956e).
>
> -d
>
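As an added illustration of the hashing-placement problem discussed in this thread (not code from OpenSSH or from the linked middleware): a small model of the old and new sk_sign() contracts with a libfido2-style and a webauthn.dll-style middleware behind them. The message, device key and authenticatorData are constructed, and HMAC-SHA256 stands in for the authenticator's ECDSA signature.

```python
import hashlib
import hmac

# Constructed sample inputs (not real OpenSSH or FIDO2 data): the message that
# sshsk_sign() asks the middleware to sign, a fixed authenticator key, and the
# authenticatorData a device would prepend (rpIdHash || flags || counter).
SSH_MESSAGE = b"constructed SSH_SK_SIGN payload: session-id || signed data"
DEVICE_KEY = b"constructed-authenticator-key"
AUTH_DATA = hashlib.sha256(b"ssh:").digest() + b"\x01" + b"\x00\x00\x00\x07"

CALLER_HASHES = "old sk-api: ssh-sk.c hashes before calling sk_sign()"
MIDDLEWARE_HASHES = "new sk-api: sk_sign() receives the raw data"

def sha256(data):
    return hashlib.sha256(data).digest()

def authenticator_sign(client_data_hash):
    """What a FIDO2 device signs: authenticatorData || clientDataHash.
    HMAC-SHA256 is a stand-in for the device's ECDSA signature."""
    return hmac.new(DEVICE_KEY, AUTH_DATA + client_data_hash, hashlib.sha256).digest()

def sk_sign_libfido2(data, contract):
    """libfido2-style middleware: the library takes a ready clientDataHash,
    so hash here only when the caller has not already done so."""
    digest = data if contract == CALLER_HASHES else sha256(data)
    return authenticator_sign(digest)

def sk_sign_webauthn(data, contract):
    """webauthn.dll-style middleware: the API always hashes the client data it
    is handed, so a pre-hashed input is hashed a second time."""
    return authenticator_sign(sha256(data))

def sshsk_sign(middleware, message, contract):
    """ssh-sk.c caller under either contract."""
    if contract == CALLER_HASHES:
        return middleware(sha256(message), contract)
    return middleware(message, contract)

def verify(message, signature):
    """Verifier side (ssh/sshd): rebuilds authenticatorData || SHA256(message),
    hashed exactly once, and checks the signature over it."""
    expected = authenticator_sign(sha256(message))
    return hmac.compare_digest(expected, signature)
```

Under the old contract only the libfido2-style middleware verifies; the webauthn.dll-style one double-hashes and fails. Under the new contract both verify.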

