Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Would love to see FIDO2 / Webauthn in SSH. Working with PKI tokens for key auth works but has to be set up in the client.


As I understand it using FIDO (including FIDO2) for SSH requires some pretty heavy lifting at the protocol layer.

FIDO tokens only want to do two things: Provide you with a cookie and a public key, then later as often as necessary take a cookie and give you proof they still know the associated private key. Very narrowly conceived, on purpose.

SSH public key auth has the client start by proposing "OK, I can prove I know key X" and then the server either says "Fine, do that then" or "No, what else do you have?". An out of box OpenSSH server decides which to do by examining the ~/.ssh/authorized_keys file. A FIDO token needs the _server_ to begin by saying "OK, here's a cookie, can you prove you know the corresponding private key?" so that it can get the cookie, otherwise it can't prove anything.


You should take a look at https://github.com/gravitational/teleport

Disclaimer: I'm one of the contributors.


Sure, it would be nice. But fortunately you can use yubikeys to store keypairs that can be used with ssh. And https://github.com/Yubico/yubico-pam can probably be used with SSH.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: