Webauthn signatures working in the wild, and client-agent support

Carlos Cabanero carlos at blink.sh
Tue Sep 20 06:33:29 AEST 2022


Hey everyone!

We just added support (maybe a first?) for Webauthn keys in Blink.
Everything seems to be working great except in one scenario, using
them with our agent. You can see a quick demo here:
https://twitter.com/BlinkShell/status/1570427813819486212?s=20&t=2GNv08ro2zyBcI14DK4tIA

The implementation is making use of Passkeys and Secure Keys with
Webauthn support. I think the interesting part is how easy creating
and using keys like this is, and maybe future use cases would showcase
more possibilities for Webauthn keys.

This is all based on Damien Miller’s test projects (thanks a lot!) but
as mentioned, the Client-Agent (at sshconnect2.c) will not accept
webauthn-sk signatures at the moment. The setup is that we use our
Agent to forward a key to the remote. Then when trying to sign with
this key, the SSH Client is expecting a sk-ecdsa signature type, but
our agent can only provide a webauthn-sk-ecdsa type.

The issue seems to be that the sign_and_send_pubkey will expect a
sk-ecdsa signature in all cases, and not a webauthn-sk-ecdsa. We have
been reading the code to see if we could bend things somehow, but it
looks like everywhere that a transform from key to signature algorithm
happens, it will always result in the sk-ecdsa type. We also tried
different flags for Accepted Pubkeys, disabling sk-ecdsa, trying to
set webauthn-sk type at the top, all with no luck. On the SSHD side
when logging in, this is not an issue as both are accommodated during
validation.

Are we missing something that could make things work? Is there
anything from our side that we could do to try things out or to
support this scenario?

Tons of thanks for any guidance!!
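To make the mismatch described above concrete, here is an added example (not code from Blink or from OpenSSH) that builds and parses both signature encodings and models the two acceptance policies the post contrasts: the strict client-side check that only accepts a signature type equal to the key type, and a permissive check that also accepts the webauthn variant for an sk-ecdsa key. The wire layouts are written from OpenSSH's PROTOCOL.u2f as I read it (sk-ecdsa: type, ecdsa signature, flags, counter; webauthn-sk-ecdsa adds origin, clientData and extensions); the r/s values, origin and clientData are constructed sample data, and the `signature_type_accepted` function is a hypothetical model of the policy, not the real `sshconnect2.c` or `sshd` logic. Cryptographic verification of the ECDSA signature itself is deliberately omitted.

```python
import struct

# Algorithm names as used in OpenSSH's PROTOCOL.u2f.
SK_ECDSA = "sk-ecdsa-sha2-nistp256@openssh.com"
WEBAUTHN_SK_ECDSA = "webauthn-sk-ecdsa-sha2-nistp256@openssh.com"


def ssh_string(b: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """SSH 'mpint' for a non-negative integer (leading 0x00 if high bit set)."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_sk_signature(r: int, s: int, flags: int, counter: int, webauthn=None) -> bytes:
    """Encode an sk-ecdsa signature blob; with webauthn=(origin, client_data,
    extensions) the webauthn-sk-ecdsa layout is produced instead."""
    sig_type = SK_ECDSA if webauthn is None else WEBAUTHN_SK_ECDSA
    blob = ssh_string(sig_type.encode())
    blob += ssh_string(ssh_mpint(r) + ssh_mpint(s))   # inner ecdsa_signature
    blob += bytes([flags]) + struct.pack(">I", counter)
    if webauthn is not None:
        origin, client_data, extensions = webauthn
        blob += ssh_string(origin) + ssh_string(client_data) + ssh_string(extensions)
    return blob


class Reader:
    """Minimal bounds-checked reader for SSH wire types."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def _need(self, n: int) -> None:
        if self.pos + n > len(self.data):
            raise ValueError("truncated signature blob")

    def byte(self) -> int:
        self._need(1)
        v = self.data[self.pos]
        self.pos += 1
        return v

    def uint32(self) -> int:
        self._need(4)
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v

    def string(self) -> bytes:
        n = self.uint32()
        self._need(n)
        v = self.data[self.pos:self.pos + n]
        self.pos += n
        return v

    def done(self) -> bool:
        return self.pos == len(self.data)


def parse_sk_signature(blob: bytes) -> dict:
    """Parse either signature layout, rejecting unknown types and trailing data."""
    rd = Reader(blob)
    sig_type = rd.string().decode()
    if sig_type not in (SK_ECDSA, WEBAUTHN_SK_ECDSA):
        raise ValueError(f"unsupported signature type {sig_type!r}")
    inner = Reader(rd.string())
    r = int.from_bytes(inner.string(), "big")
    s = int.from_bytes(inner.string(), "big")
    if not inner.done():
        raise ValueError("trailing data inside ecdsa_signature")
    parsed = {"type": sig_type, "r": r, "s": s, "flags": rd.byte(), "counter": rd.uint32()}
    if sig_type == WEBAUTHN_SK_ECDSA:
        parsed["origin"] = rd.string().decode()
        parsed["client_data"] = rd.string()
        parsed["extensions"] = rd.string()
    if not rd.done():
        raise ValueError("trailing data after signature")
    return parsed


def signature_type_accepted(key_type: str, sig_type: str, accept_webauthn: bool) -> bool:
    """Hypothetical policy model: strict (client) vs. permissive (server) matching."""
    if sig_type == key_type:
        return True
    return accept_webauthn and key_type == SK_ECDSA and sig_type == WEBAUTHN_SK_ECDSA


if __name__ == "__main__":
    # Constructed sample values, not a real signature.
    wa = build_sk_signature(0x1234, 0xABCD, 0x01, 42,
                            webauthn=(b"ssh:", b'{"type":"webauthn.get"}', b""))
    sig = parse_sk_signature(wa)
    print("strict client accepts:", signature_type_accepted(SK_ECDSA, sig["type"], False))
    print("permissive server accepts:", signature_type_accepted(SK_ECDSA, sig["type"], True))
```

Running it shows the asymmetry the post describes: the same webauthn-sk-ecdsa blob fails the strict equality check and passes the permissive one, and a parser that enforces the length-prefixed layout rejects a truncated blob rather than reading past its end.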
