Question about webauthn signatures?

Jordan J jordandev678 at gmail.com
Wed May 12 18:49:45 AEST 2021


> That's true of FIDO web authentication. What we implemented in SSH
> (ab-)uses the FIDO spec to fit SSH's existing publickey user
> authentication, because users and lots of tooling is built around that.
>
> This unfortunately precluded the use of server-side keys, as there is no
> mechanism for the server to communicate key handles to the client.
>
> I do have vague plans to do a more web-like FIDO authentication method
> for OpenSSH in the future, but haven't got around to it yet.
>

FWIW after taking on board the discussion from this previously I did
go off and implement a proof-of-concept for this via ssh-extensions.
If the client and server understood the extension you get to use
server-side keys otherwise it fell back to the current implementation.
Seemed to work fine. I'd planned to spend some of early June turning
it from a proof-of-concept into something more review suitable to
bring back here for people to have a go with.


More information about the openssh-unix-dev mailing list