Question about webauthn signatures?
Tyson Whitehead
twhitehead at gmail.com
Thu May 6 06:21:39 AEST 2021
I see the PROTOCOL.u2f file defines a webauthn signature type
string "webauthn-sk-ecdsa-sha2-nistp256@openssh.com"
string ecdsa_signature
byte flags
uint32 counter
string origin
string clientData
string extensions
and it is also listed as supported by my OpenSSH client and server:
$ ssh -V
OpenSSH_8.5p1, OpenSSL 1.1.1k 25 Mar 2021
$ ssh -Q sigs
...
webauthn-sk-ecdsa-sha2-nistp256@openssh.com
$ ssh -v localhost
...
debug1: kex_input_ext_info: server-sig-algs=<...,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
I am very curious what this is for and am hoping someone could elaborate, in case it might be useful to us. If I try and limit my connection to it, it seems to imply there should be some corresponding key type:
$ ssh -v -o PubkeyAcceptedAlgorithms=webauthn-sk-ecdsa-sha2-nistp256@openssh.com localhost
...
debug1: Skipping sk-ecdsa-sha2-nistp256@openssh.com key /home/tyson/.ssh/id_ecdsa_sk - corresponding algo not in PubkeyAcceptedAlgorithms
...
Is there anything that currently uses it? Is it to support an ssh client running on a server and proxying the challenge back to the user via a web browser? Part of certificates somehow?
Thanks! -Tyson
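The signature layout quoted from PROTOCOL.u2f above is plain SSH wire encoding (uint32-length-prefixed strings, a raw byte, a uint32), so it is easy to build and take apart. The following is an added example, not code from the original post or from OpenSSH, that encodes a webauthn-sk-ecdsa-sha2-nistp256@openssh.com signature blob from constructed values and parses it back, checking the type string, the mpint r/s pair inside ecdsa_signature, the authenticator flags byte, and that no bytes are left over. The r/s values, counter, origin and clientData JSON are constructed sample data, not a real signature; the flag bit positions (UP = 0x01, UV = 0x04) are the WebAuthn authenticator-data flags.

```python
import struct

SIG_TYPE = b"webauthn-sk-ecdsa-sha2-nistp256@openssh.com"
FLAG_USER_PRESENT = 0x01   # WebAuthn authenticator-data "UP" bit
FLAG_USER_VERIFIED = 0x04  # WebAuthn authenticator-data "UV" bit


def _string(b: bytes) -> bytes:
    """SSH wire 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    """SSH wire 'mpint' for a non-negative integer (leading 0x00 if the high bit is set)."""
    if n < 0:
        raise ValueError("ECDSA r/s are non-negative")
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big") if n else b""
    return _string(raw)


def encode_webauthn_signature(r, s, flags, counter, origin, client_data, extensions=b""):
    """Build the blob exactly as laid out in PROTOCOL.u2f for the webauthn variant."""
    ecdsa_sig = _mpint(r) + _mpint(s)          # ecdsa_signature = mpint r || mpint s
    return (_string(SIG_TYPE) + _string(ecdsa_sig) + bytes([flags & 0xFF])
            + struct.pack(">I", counter) + _string(origin)
            + _string(client_data) + _string(extensions))


class _Reader:
    """Minimal bounds-checked SSH wire reader."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def _take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated signature blob")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint32(self) -> int:
        return struct.unpack(">I", self._take(4))[0]

    def byte(self) -> int:
        return self._take(1)[0]

    def string(self) -> bytes:
        return self._take(self.uint32())

    def mpint(self) -> int:
        raw = self.string()
        if raw and raw[0] & 0x80:
            raise ValueError("negative mpint is not a valid ECDSA component")
        return int.from_bytes(raw, "big")

    def at_end(self) -> bool:
        return self.pos == len(self.data)


def parse_webauthn_signature(blob: bytes) -> dict:
    """Parse and sanity-check a webauthn-sk-ecdsa-sha2-nistp256@openssh.com signature."""
    rd = _Reader(blob)
    sig_type = rd.string()
    if sig_type != SIG_TYPE:
        raise ValueError(f"unexpected signature type {sig_type!r}")
    inner = _Reader(rd.string())                # ecdsa_signature is itself a string
    r, s = inner.mpint(), inner.mpint()
    if not inner.at_end():
        raise ValueError("trailing bytes inside ecdsa_signature")
    flags = rd.byte()
    counter = rd.uint32()
    origin = rd.string()
    client_data = rd.string()
    extensions = rd.string()
    if not rd.at_end():
        raise ValueError("trailing bytes after extensions")
    return {
        "r": r, "s": s, "flags": flags,
        "user_present": bool(flags & FLAG_USER_PRESENT),
        "user_verified": bool(flags & FLAG_USER_VERIFIED),
        "counter": counter, "origin": origin,
        "client_data": client_data, "extensions": extensions,
    }


# Constructed sample values (not a real signature); r has its high bit set so
# the mpint encoding needs the 0x00 prefix, s does not.
R_SAMPLE = 0xF123456789ABCDEF
S_SAMPLE = 0x0123456789ABCDEF
SAMPLE = encode_webauthn_signature(
    r=R_SAMPLE, s=S_SAMPLE, flags=FLAG_USER_PRESENT, counter=42,
    origin=b"https://example.com",
    client_data=b'{"type":"webauthn.get","challenge":"Q29uc3RydWN0ZWQ","origin":"https://example.com"}',
)

if __name__ == "__main__":
    for k, v in parse_webauthn_signature(SAMPLE).items():
        print(f"{k}: {v!r}")
```

Note that the parser only checks structure; it does not verify the ECDSA signature itself, which for this signature type is computed over data that includes the WebAuthn clientData hash rather than directly over the SSH-side message, so a verifier also needs the origin and clientData fields carried in the blob.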