openssh 8.2p1 (with FIDO support)

[xanderlent]

This uses libfido2 to add FIDO support to OpenSSH.
This is arguably the most prominent feature in the 8.2 release.

• Have you followed the guidelines for contributing?
• Have you checked that there aren't other open pull requests for the same formula update/change?
• Have you built your formula locally with brew install --build-from-source <formula>, where <formula> is the name of the formula you're submitting?
• Is your test running fine brew test <formula>, where <formula> is the name of the formula you're submitting?
• Does your build pass brew audit --strict <formula> (after doing brew install <formula>)?

---

This is a draft because I'm still working on the formulae for the dependencies, which are not yet upstream. See #50305 for libcbor and #50326 for libfido2. Deps are upstream. 🎉

Would the maintainers also prefer if we devised some sort of test for the FIDO/U2F functionality? It's difficult to test w/o a physical security key.

[gzm55]

can we build libcbor and libfido2 on the fly while building the openssh?

[SMillerDev]

You could but that doesn't have much benefit afaik

[gzm55]

You could but that doesn't have much benefit afaik

that can avoid depending on libfido2 and libcbor formula before they are accepted.

[SMillerDev]

If they can be separate formula, building inline isn't going to be accepted either.

[xanderlent]

Maintainers: Landing this patch before libfido2 is patched on Linux will also break this formula on Linux. I'll patch libfido2 once it lands in linuxbrew-core regardless. If you decide to wait, I'll also report back here when patching is done.

[zbeekman]

@xanderlent This looks ready to ship now that libfido2 was merged. Can we 🚢 this?

Also, are there instructions anywhere for using a FIDO key with openssh? I guess, presumably the sshd server is setup to support some sort of PAM module or challenge response?

[xanderlent]

To 🚢 or not to 🚢, that is the question:

@zbeekman On macOS, it's 100% ready to ship!

On Linux, merging this will break OpenSSH until Homebrew/linuxbrew-core#19684 is resolved, because libfido2 uses libudev on Linux (instead of IOKit on macOS) which is not something expressed here in upstream.

I can't say if "breaks Linux" is a blocker for homebrew-core, since that's an executive decision.

Using SSH with FIDO tokens

The short answer is that you'll need to make & distribute new security-key-backed SSH keys. I think you may also need an SSH server with support for these.

For full instructions, see the OpenSSH Release Notes for 8.2/8.2p1:
https://www.openssh.com/txt/release-8.2

RSA key users should make sure that they're using SHA-2 signatures. (My previous statement here was incorrect.)

[zbeekman]

@xanderlent thanks for the info!

Linuxbrew tests and merges on their own. So long as the test catches the problem there won’t be an issue.

As far as RSA goes I use ed25519 keys whenever possible.

[zbeekman]

LGTM

I think we can 🚢 this unless the test won’t catch the problems on Linux.

[lou-k]

Thanks for this, @xanderlent ! Very much appreciated.

FWIW, it looks like only ecdsa-sk are supported with the default build, ed25519-sk yields a Key enrollment failed: requested feature not supported error.

[gzm55]

if using yubikey, ed25519-sk requires new firmware 5.2.3

[xanderlent]

@lou-k Glad I could help. As mentioned in the upstream release notes, ecdsa is the only mandatory algorithm in the FIDO standards. If you want support for ed25519, you'll need to get a token that supports it.