
Support for platform authenticator (TPM)? #9

Closed
zviratko opened this issue Jun 1, 2021 · 3 comments

Comments

@zviratko

zviratko commented Jun 1, 2021

Hi,
I'm working on a PoC with FIDO tokens for SSH keys and I would like to (also) use the built-in Windows Hello FIDO token. However, the only option I am given is to insert a security key. Is this a known limitation?

If I had to guess:

  1. maybe everything needs to be signed correctly to get access to the platform authenticator, or
  2. might be related to your mention of WebAuthNIsUserVerifyingPlatformAuthenticatorAvailable in ChangeLog, or
  3. something completely different :-)

Thanks

P.S. Are you aware of a way to actually check the attestation data? Looks like OpenSSH does it a bit differently from the regular WebauthN workflow, in particular there is no clientData in there...

@tavrez
Owner

tavrez commented Jun 1, 2021

Hello,
OpenSSH only supports ecdsa and ed25519, so I've passed those as the only supported options to Windows Hello. But most of the built-in TPM chips do not support ecdsa and/or ed25519 (most of them support RSASSA_PKCS1, which is COSE algorithm -257).

> are you aware of a way to actually check the attestation data? Looks like OpenSSH does it a bit different from regular WebauthN workflow, in particular there is no clientData in there.

Newer versions of OpenSSH added authenticator data when you save the attestation data; check PROTOCOL.u2f for more info about them (see the ssh-sk-attest-v01 format).

@zviratko
Author

zviratko commented Jun 1, 2021

Ouch. Would be perfect for OpenSSH to add "rsa-sk" support then. Not sure where to bug them, though.

Yeah, I've seen them add authData, but AFAIK that's not sufficient to verify the attestation. It's true that my starting point was mangling WebauthN tools, but everything I read indicates that clientData is part of the signed data (not necessarily part of what the authenticator returns, though). It's absolutely possible I am wrong, though; neither I nor my colleagues who tried are fluent in cryptography... :)

@tavrez
Owner

tavrez commented Jun 7, 2021

> Would be perfect for OpenSSH to add "rsa-sk" support then.

Their aim is to support security keys like YubiKey; since those keys do not support RSA, they probably won't implement such an option.

About clientData, I'm not sure, because I did a simple verification for testing a long time ago; maybe this guide could help.

@tavrez tavrez closed this as completed Jun 7, 2021
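As an added example (not code from this project or from OpenSSH), the following Python parser splits the ssh-sk-attest-v01 blob that tavrez points to, following the layout documented in OpenSSH's PROTOCOL.u2f, and recovers the WebAuthn authData inside it. It also addresses the clientData question from the thread: the enrollment signature covers authData || clientDataHash, and the assumption made here (from OpenSSH's usbhid provider, not confirmed by this thread) is that ssh-keygen passes its enrollment challenge directly as the clientDataHash, so there is no clientDataJSON to reconstruct. The sample blob is constructed; checking the signature against the attestation certificate is left to an X.509/signature library.

```python
from hashlib import sha256

def read_ssh_string(buf, off):
    """Read one SSH wire 'string': 4-byte big-endian length, then the bytes."""
    n = int.from_bytes(buf[off:off + 4], "big")
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def unwrap_cbor_bstr(b):
    """Strip the CBOR byte-string header (major type 2) wrapping the authData."""
    if b[0] >> 5 != 2:
        raise ValueError("not a CBOR byte string")
    minor = b[0] & 0x1F
    hdr = 1 if minor < 24 else {24: 2, 25: 3}[minor]   # 1-, 2- or 3-byte header
    n = minor if minor < 24 else int.from_bytes(b[1:hdr], "big")
    return b[hdr:hdr + n]

def parse_attest_v01(blob):
    """Split an ssh-sk-attest-v01 blob and decode the WebAuthn authData in it."""
    magic, off = read_ssh_string(blob, 0)
    if magic != b"ssh-sk-attest-v01":
        raise ValueError(f"unexpected attestation format {magic!r}")
    cert, off = read_ssh_string(blob, off)      # attestation certificate (DER)
    sig, off = read_ssh_string(blob, off)       # enrollment signature
    wrapped, off = read_ssh_string(blob, off)   # authenticator data (CBOR encoded)
    ad = unwrap_cbor_bstr(wrapped)              # trailing uint32/string are reserved
    # authData layout: rpIdHash(32) | flags(1) | signCount(4) | aaguid(16)... if AT flag set
    if len(ad) < 37:
        raise ValueError("authData too short")
    return {"cert": cert, "sig": sig, "authdata": ad, "rp_id_hash": ad[:32],
            "flags": ad[32], "counter": int.from_bytes(ad[33:37], "big"),
            "aaguid": ad[37:53] if ad[32] & 0x40 else None}

def rp_matches(parsed, application):
    """rpIdHash must equal SHA-256 of the ssh-keygen application string (default b"ssh:")."""
    return parsed["rp_id_hash"] == sha256(application).digest()

def signed_message(parsed, challenge):
    """Bytes the enrollment signature covers: authData || clientDataHash.
    Assumption: OpenSSH passes the enrollment challenge as the clientDataHash."""
    return parsed["authdata"] + challenge

def ssh_string(b): return len(b).to_bytes(4, "big") + b

def build_sample_blob():
    """Constructed sample (not real attestation data): rpId "ssh:", flags UP|AT, counter 7."""
    ad = (sha256(b"ssh:").digest() + bytes([0x41]) + (7).to_bytes(4, "big")
          + b"\x00" * 16 + b"\x00\x06credid")
    return (ssh_string(b"ssh-sk-attest-v01") + ssh_string(b"<cert>") + ssh_string(b"<sig>")
            + ssh_string(b"\x58" + bytes([len(ad)]) + ad) + (0).to_bytes(4, "big") + ssh_string(b""))
```

A real blob from `ssh-keygen -O write-attestation=...` can be fed to `parse_attest_v01` as-is; a mismatch in `rp_matches` or an unexpected AAGUID is the first thing to check before verifying the signature.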