Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Oh, wow, that does surprise me. I haven't gotten around to using FIDO for SSH but I didn't realize it works differently from WebAuthn.

Anyway, yes, I'm also comfortable with the default, I'm just pointing out why "don't SSH places you're not supposed to" isn't a relevant argument.



In WebAuthn the remote site is storing typically three facts about each non-resident WebAuthn credential for a user. It has a cookie (an opaque blob of fixed size, which it was given by the remote FIDO authenticator during enrollment - and it must play this back every time it wants you to authenticate) and a public key (which it will use to confirm your signatures during subsequent login to prove you still have the authenticator), and practicality it probably also stores a name or an icon or something so users can remember which of their credentials is which.

When you enroll your authenticator creates random credentials (made easier by using Elliptic Curve crypto so almost any random bits are a valid key unlike RSA) and then (unless you're using a much more expensive/ sophisticated device or a FIDO2 device in its resident credentials mode) it encrypts its own private key and delivers that as the cookie value. The remote server actually has your private key... but encrypted with a symmetric key that only exists inside your FIDO authenticator so it's actually safe.

OpenBSD's approach to using FIDO for SSH keeps this cookie element locally, not on the remote server. So the actual keys used will be constant across multiple servers and thus could be correlated to track you.

The other effect is that (again because that cookie is on your local client not the remote server like for WebAuthn) you can't use a cheap (non-resident enabled) FIDO authenticator from anywhere except the machine you used to enroll it. The authenticator plus a random (new enough) SSH client don't have enough information between them to get you in, they also need that cookie which is on, say, the laptop you left in a hotel room.

If that use case is essential for you, you can apparently use resident credentials. I haven't tried it, but a newer Yubico Security Key (with the numeral 2 printed on it to signify that it implements FIDO2) should be able to store everything, authenticated with a PIN, so then you can use a new enough SSH client plus that Security Key plus your PIN to log in from anywhere.

Alternatively if you have a cheaper FIDO device or choose not to use the resident mode of a newer one, this does have the effect that you can create different cookies from different laptops and then you can approve the resulting different keys for different purposes if that suits you. It could make sense to approve your company laptop's keys for checkin to corporate Git repos while the personal laptop has your GitHub keys while keeping just one FIDO key on your keychain throughout the day...

Edited to add: Residential credentials for SSH is apparently planned for OpenSSH 8.3, not OpenSSH 8.2 and so not available yet.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: