-
Notifications
You must be signed in to change notification settings - Fork 20
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
FIDO Resident Keys #353
Comments
I think the issue is not resident keys as as far as I can see ALL FIDO2 keys on MP are resident (something which I would love not to be the case), but rather the fact that the MP uses internal UV, without fallback to clientPIN (as in, a PIN you literally enter on PC). basically similar to biometric keys which can use fingerprints in lieu of a clientPIN, but equally fall back to that clientpin if either
the FIDO client within openSSH does not seem to deal with internal UV yet, at least the one I have here. Resident Keys in general work fine for example on a Website that asks for them (I have a sandbox for that) |
Update: after running it with verbose it is clear what's going on:
TLDR the credProtect feature is apparently something openSSH asks for which the MP does not have set as active yet (although considering the way the MP handles UV it's always active |
Yes, @My1 is correct. We do not support CredProtect at this time. As far as I remember that takes some considerable work to enable (several dependencies). |
Yeah i guess. I mean implicitly this device already has credential protection (as it's literally impossible to read anything without it being unlocked) but credprotect is iirc part of ctap2.1 for the first time and ctap2.1 brings along several requirements, some of which (iirc hmac says hello) are also issues here Although maybe a title change of the issue would be nice. |
I would love to see the Mooltipass BLE support resident keys fully (the more open source projects that can do so the better). I ran across this AMAZING description of how to get these working with OpenSSH 8.3+ and it might be helpful for other scenarios as well. |
as mentioned resident keys in itself fully works. credprotect is a much newer feature which came on CTAP2.1 (and also devices that went ahead and implemented the pre version), while the MP is basically running CTAP2.0 with ALL keys being resident in fact. this is the same as if you took an older yubikey 5 which was before all the ctap2.1 stuff, it certainly has resident keys but would be too old to have credprotect. credprotect is not a part of resident keys, it's its own thing. maybe someone could re-label the issue for example into:
although this is kinda part of a bigger thing as the current CTAP2.1 spec mandates basically that having one of the major 2.1 features mandates setting the 2.1 flag, and setting the 2.1 flag on the other hand mandates having the other big things too.
|
Missing feature
When trying to provision a resident key the device says its unsupported.
Justification
My usecase is ssh-keygen's ed25519-sk keys. Because that works with normal ssh-agent.
I do not want to use any custom agent because that precludes usage of other keybearer devices.
I do not want to use the non resident fido keys either because that requires moving auxiliary files around.
Workarounds
None
The text was updated successfully, but these errors were encountered: