OpenSSH support with Platform Authenticator


Y X

Mar 22, 2023, 4:03:29 PM
to FIDO Dev (fido-dev)
Hello All,

We are trying to explore securing SSH login to a remote server with FIDO2. OpenSSH has supported FIDO keys since 8.2 (https://www.openssh.com/txt/release-8.2), but it seems like there is no support for Platform Authenticators.

We would like to know if there is any way to use SSH with a Platform Authenticator. Or is there any other recommended way to access a server with FIDO2?

Any suggestion welcome. Thanks in advance.

My1

Mar 22, 2023, 4:11:30 PM
to Y X, FIDO Dev (fido-dev)
If I am not wrong, the only major differences between platform and roaming authenticators are how common key types are and the attestation types, right? So in theory, if your platform authenticator plays ECDSA or Ed25519, the sk things should work for the server, as without attestation one possibly couldn't even distinguish between platform and roaming.

The bigger question is the client though; THAT has to support platform authenticators. If Windows by now supports modern key types for platform authenticators and the SSH client on Windows works with FIDO2, as FIDO generally goes through Windows Hello on Windows, there's a good chance that platform keys can already work, or could with minimal effort.


Arshad Noor

Mar 22, 2023, 4:27:45 PM
to fido...@fidoalliance.org
While SSH and FIDO leverage public-key cryptography, they are two different authentication protocols. Both, however, support the use of the Trusted Platform Module (TPM) (which FIDO calls a Platform Authenticator).

https://duckduckgo.com/?t=ftsa&q=openssh+%2Btpm&ia=web

Arshad Noor
StrongKey

Y X

Mar 22, 2023, 4:31:46 PM
to FIDO Dev (fido-dev), My1, FIDO Dev (fido-dev), Y X
Yeah, you are right. I should've been more specific: we want to make it work on Mac with Touch ID, so users could SSH from their Mac to a remote server with Touch ID.

The default SSH installed on Mac does not support sk keys yet, so we have to use the brew-installed OpenSSH, but even with that, it seems like it only supports USB keys, not Touch ID.

Tim Cappalli

Mar 22, 2023, 4:37:10 PM
to Y X, FIDO Dev (fido-dev), My1
The protocols support it, but it is not natively implemented on either desktop OS.

To use a TPM/SE protected SSH key, you can use a virtual smart card on Windows or a 3P SSH agent on macOS.

tim


My1

Mar 22, 2023, 5:10:50 PM
to Arshad Noor, fido...@fidoalliance.org
@Arshad Noor
Sure, the protocol interactions, like the signature format etc., between "normal" SSH keys and FIDO are different, but SSH has for a good while now implemented the so-called *-sk keys like ecdsa-sk and ed25519-sk, which are specifically for use with ECDSA- and Ed25519-based FIDO devices.

Regards

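As an added example (not code from this thread or from OpenSSH), here is a small Python audit of an authorized_keys file that parses the sk-ssh-ed25519@openssh.com and sk-ecdsa-sha2-nistp256@openssh.com blobs behind the *-sk key types mentioned above, following the public-key layout OpenSSH documents in PROTOCOL.u2f, and reports each FIDO-backed key's application string and whether the verify-required option is set. The sample lines are constructed with dummy key bytes, and the options-field handling assumes no whitespace inside the options.

```python
import base64
import struct

# Wire-format type names OpenSSH uses for FIDO-backed keys (see PROTOCOL.u2f).
SK_TYPES = {"sk-ssh-ed25519@openssh.com": "ed25519-sk",
            "sk-ecdsa-sha2-nistp256@openssh.com": "ecdsa-sk"}

def _get_string(blob, off):
    """Read one SSH wire 'string' (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def _put_string(b):
    return struct.pack(">I", len(b)) + b

def parse_sk_pubkey(line):
    """Parse one authorized_keys line; None unless it is a *-sk key (options assumed whitespace-free)."""
    fields = line.split()
    opts = ""
    if fields[0] not in SK_TYPES and not fields[0].startswith(("ssh-", "ecdsa-")):
        opts, fields = fields[0], fields[1:]        # leading options field, e.g. verify-required
    ktype = fields[0]
    if ktype not in SK_TYPES:
        return None
    blob = base64.b64decode(fields[1])
    wire_type, off = _get_string(blob, 0)
    if wire_type != ktype.encode():
        raise ValueError("key type inside blob does not match the line")
    if ktype == "sk-ecdsa-sha2-nistp256@openssh.com":
        _curve, off = _get_string(blob, off)        # "nistp256"
    _pub, off = _get_string(blob, off)              # Ed25519 key or EC point Q
    app, _ = _get_string(blob, off)                 # FIDO application string (RP ID)
    return {"type": SK_TYPES[ktype], "application": app.decode(),
            "app_ok": app.startswith(b"ssh:"),      # ssh-keygen only accepts "ssh:"-prefixed applications
            "verify_required": "verify-required" in opts.split(",")}

def make_sample_line(ktype, application, options=""):
    """Build a CONSTRUCTED authorized_keys line with dummy key bytes (not a real key)."""
    body = _put_string(b"\x11" * 32)
    if ktype == "sk-ecdsa-sha2-nistp256@openssh.com":
        body = _put_string(b"nistp256") + _put_string(b"\x04" + b"\x22" * 64)
    blob = _put_string(ktype.encode()) + body + _put_string(application.encode())
    prefix = options + " " if options else ""
    return f"{prefix}{ktype} {base64.b64encode(blob).decode()} user@example"

def audit_authorized_keys(text):
    """Parsed info for every FIDO-backed key in an authorized_keys file (comments skipped)."""
    return [info for line in text.splitlines() if line.strip() and not line.startswith("#")
            for info in [parse_sk_pubkey(line)] if info]
```

A key whose application does not start with "ssh:" or that lacks verify-required is worth a second look when the intent is that every login be backed by a user-verified FIDO credential.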

John Bradley

Mar 22, 2023, 6:29:58 PM
to My1, Arshad Noor, fido...@fidoalliance.org
On Windows, ssh with libfido2 supports platform authenticators. It has been tested using RSA keys. Yubico worked with Microsoft to get that working. The official Microsoft ssh for Windows supports it, but you need the latest version, so you need to download it. It will eventually ship by default, from my understanding.

If and when Apple releases an API that libfido2 can use, like WebAuthn.dll on Windows, it will be possible for us to add support on macOS.

It is the underlying API to access the platform authenticator that is the issue.

Regards. 

Sent from my iPhone


Y X

Mar 23, 2023, 12:45:12 PM
to FIDO Dev (fido-dev), John Bradley, Arshad Noor, fido...@fidoalliance.org, My1
Thanks everyone for the great insights. For macOS currently, is there any third-party SSH agent you would recommend?

Best,

Tim Cappalli

Mar 23, 2023, 12:59:09 PM
to Y X, FIDO Dev (fido-dev), John Bradley, Arshad Noor, My1
Not a formal recommendation or endorsement, but I personally use Secure Agent.

SSH Config Editor also has a built-in agent.
