Support for platform authenticator (TPM)? #9
Comments
Hello,
Newer versions of OpenSSH added authenticator data when you save the attestation data; check protocol.u2f for more info about them (check the ssh-sk-attest-v01 format).
Ouch. Would be perfect for OpenSSH to add "rsa-sk" support then. Not sure where to bug them, though. Yeah, I've seen them add authData, but AFAIK that's not sufficient to verify the attestation. It's true that my starting point was mangling WebauthN tools, but everything I read indicates that clientData is part of the signed data (not necessarily part of what the authenticator returns, though). It's absolutely possible I am wrong, though, neither me nor my colleagues who tried are fluent in cryptography... :)
About clientData, I'm not sure because I did a simple verification for a test a long time ago, maybe this guide could help.
Hi,
I'm working on a PoC with FIDO tokens for SSH keys and I would like to (also) use the built-in Windows Hello FIDO token. However the only option I am given is to insert a security key. Is this a known limitation?
If I had to guess
or
or
something completely different :-)
Thanks
P.S. are you aware of a way to actually check the attestation data? Looks like OpenSSH does it a bit different from regular WebauthN workflow, in particular there is no clientData in there...
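As an added example (not code from this thread or from the project), the sketch below splits an `ssh-sk-attest-v01` file into its fields and decodes the fixed header of the authenticator data, so the flags, counter and AAGUID can be inspected before any signature check. It assumes the field order documented in OpenSSH's PROTOCOL.u2f, the WebAuthn authenticator data layout, and the default `ssh:` application string; the sample blob is constructed with placeholder certificate and signature bytes, and the code does not verify the attestation signature.

```python
import hashlib
import struct

def ssh_string(buf, off):
    """Read one SSH wire string (uint32 length + bytes); return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def cbor_bstr(buf):
    """Unwrap one definite-length CBOR byte string (major type 2)."""
    if not buf or buf[0] >> 5 != 2:
        raise ValueError("not a CBOR byte string")
    info = buf[0] & 0x1F
    if info < 24:
        n, off = info, 1
    elif info <= 26:                      # 1-, 2- or 4-byte length follows
        size = 1 << (info - 24)
        n, off = int.from_bytes(buf[1:1 + size], "big"), 1 + size
    else:
        raise ValueError("unsupported CBOR length encoding")
    if off + n != len(buf):
        raise ValueError("CBOR length mismatch")
    return buf[off:]

def parse_attestation(blob, application=b"ssh:"):
    """Split an ssh-sk-attest-v01 blob and decode the authenticator data header."""
    magic, off = ssh_string(blob, 0)
    if magic != b"ssh-sk-attest-v01":     # the older v00 format has no authData field
        raise ValueError("unexpected format %r" % magic)
    cert, off = ssh_string(blob, off)
    sig, off = ssh_string(blob, off)
    wrapped, off = ssh_string(blob, off)
    auth = cbor_bstr(wrapped)             # rpIdHash(32) | flags(1) | signCount(4) | ...
    if len(auth) < 37:
        raise ValueError("authenticator data too short")
    flags = auth[32]
    return {"cert_der": cert, "signature": sig,
            "rp_id_matches": auth[:32] == hashlib.sha256(application).digest(),
            "user_present": bool(flags & 0x01), "user_verified": bool(flags & 0x04),
            "sign_count": int.from_bytes(auth[33:37], "big"),
            # AAGUID is only present when the AT flag (0x40) is set
            "aaguid": auth[37:53].hex() if flags & 0x40 and len(auth) >= 53 else None}

def constructed_sample():
    """Constructed blob: placeholder cert/signature bytes, flags UP|UV|AT, counter 7."""
    auth = hashlib.sha256(b"ssh:").digest() + b"\x45" + (7).to_bytes(4, "big") + bytes(range(16))
    s = lambda b: struct.pack(">I", len(b)) + b
    return b"".join(map(s, [b"ssh-sk-attest-v01", b"CERT", b"SIG", bytes([0x58, len(auth)]) + auth])) + bytes(8)
```

On a real file, `cert_der` is the attestation certificate to chain to the vendor's root, and a `rp_id_matches` of `False` means the key was enrolled for a different application string than the one being checked.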