OpenSSH support for FIDO RSA keys
James Bottomley
James.Bottomley at HansenPartnership.com
Thu Aug 26 04:26:40 AEST 2021
On Thu, 2021-08-19 at 11:25 +0200, Jan Schermer wrote:
> Hello,
> I would like to deploy FIDO for SSH. I wanted to leverage Windows
> Hello on Windows clients as FIDO backend (so that I don’t have to buy
> hw tokens for everyone and for convenience), but evidently my TPM
> flavor doesn’t support ECDSA, only RSA.
This likely means you have TPM 1.2
> Would it be possible to extend OpenSSH support to include “rsa-sk”
> keys?
>
> Not sure what the process is, but could development of it be
> sponsored?
The FIDO standard requires ECDSA keys (mainly, I suspect, because some
of the space constraints in the protocol are too small for RSA) so I
don't believe, even if you hacked the standard to support RSA keys,
that it would work in practice.
I'd strongly suggest you find a TPM 2.0 system, or simply use a FIDO
token via a non-TPM emulator to get ECDSA keys.
James
More information about the openssh-unix-dev
mailing list