
ecdsa-sk and ed25519-sk support #37

Open
git-tec opened this issue Jul 20, 2023 · 8 comments

Comments

@git-tec

git-tec commented Jul 20, 2023

First of all great work you did here.

Is there any way to support you so that support for ecdsa-sk, ed25519-sk will be integrated in the future?

@masahide
Owner

It seems that the SSH package in Golang may support SK keys. I would like to test if it's possible when I have some time.
https://github.com/search?q=repo%3Agolang%2Fcrypto%20SKED25519&type=code

@git-tec
Author

git-tec commented Aug 4, 2023

Is there any news on this topic yet?

@masahide
Owner

masahide commented Aug 5, 2023

I am currently investigating how to use the SK key. The following is the progress of the check and TODO.

  • The golang crypto/ssh library defines the structure for the SK key, but it doesn't seem to have an interface ready to use the SK key.
  • OpenSSH uses the libfido2 library. How to use it from go? The FIDO authenticator has several options.

TODO:
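For reference, the shape of an sk-ssh-ed25519@openssh.com signature and how a verifier checks it can be shown with the standard library alone. The example below is added here and is not code from this project, the golang crypto/ssh package, or any commenter; it uses a constructed software Ed25519 key as a stand-in for the FIDO authenticator (so it runs without libfido2 or a token), the default "ssh:" application string, and a hypothetical session byte string. The signed message layout (SHA-256 of the application, the flags byte, the big-endian counter, then SHA-256 of the data) and the user-presence flag bit follow OpenSSH's sk-ed25519 scheme.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Flag bit an authenticator sets when the user touched the key
// (SSH_SK_USER_PRESENCE_REQD in OpenSSH's sk-api.h).
const skUserPresence byte = 0x01

// skSignature carries the three values found in an sk-ssh-ed25519@openssh.com
// signature blob: the raw Ed25519 signature, the flags byte and the counter.
type skSignature struct {
	Sig     []byte
	Flags   byte
	Counter uint32
}

// skSignedMessage builds the bytes the authenticator actually signs:
// SHA-256(application) || flags || counter (big-endian) || SHA-256(data).
func skSignedMessage(application string, flags byte, counter uint32, data []byte) []byte {
	appHash := sha256.Sum256([]byte(application))
	dataHash := sha256.Sum256(data)
	var buf bytes.Buffer
	buf.Write(appHash[:])
	buf.WriteByte(flags)
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	buf.Write(c[:])
	buf.Write(dataHash[:])
	return buf.Bytes()
}

// softAuthenticator is a constructed stand-in for the hardware token so the
// example runs offline. A real token keeps the private key inside and only
// ever hands back Sig, Flags and Counter.
type softAuthenticator struct {
	priv    ed25519.PrivateKey
	counter uint32
}

// sign mimics the token: bump the counter, record whether the user was
// present, and sign the derived message rather than the raw data.
func (a *softAuthenticator) sign(application string, data []byte, touched bool) skSignature {
	a.counter++
	var flags byte
	if touched {
		flags |= skUserPresence
	}
	msg := skSignedMessage(application, flags, a.counter, data)
	return skSignature{Sig: ed25519.Sign(a.priv, msg), Flags: flags, Counter: a.counter}
}

// verifySK is the server side: rebuild the signed message from the key's
// application string and the session data, check the Ed25519 signature,
// then enforce the user-presence policy (the touch-required decision).
func verifySK(pub ed25519.PublicKey, application string, data []byte, s skSignature, requireTouch bool) error {
	msg := skSignedMessage(application, s.Flags, s.Counter, data)
	if !ed25519.Verify(pub, msg, s.Sig) {
		return errors.New("sk-ed25519: bad signature")
	}
	if requireTouch && s.Flags&skUserPresence == 0 {
		return errors.New("sk-ed25519: user presence flag not set")
	}
	return nil
}

// demo returns the verification result of three cases: a genuine touched
// signature, that signature replayed over other session data, and a
// no-touch signature checked against a touch-required policy.
func demo() (genuine, replayed, noTouch error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	auth := &softAuthenticator{priv: priv}
	const application = "ssh:" // OpenSSH's default application string for SK keys
	session := []byte("constructed session id and userauth request") // hypothetical

	sig := auth.sign(application, session, true)
	genuine = verifySK(pub, application, session, sig, true)
	replayed = verifySK(pub, application, []byte("different session"), sig, true)

	sig2 := auth.sign(application, session, false)
	noTouch = verifySK(pub, application, session, sig2, true)
	return
}

func main() {
	g, r, n := demo()
	fmt.Println("genuine:", g)
	fmt.Println("replayed over other data:", r)
	fmt.Println("no-touch under touch-required policy:", n)
}
```

The no-touch signature in the last case is cryptographically valid; it fails only because the verifier insists on the user-presence flag, which is exactly the policy knob the no-touch-required discussion later in this thread is about. Parsing the public key itself (the sk-ssh-ed25519@openssh.com blob with its application string) is what crypto/ssh already provides; the part a client still needs from libfido2 or ssh-sk-helper is producing Sig, Flags and Counter.
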

@masahide
Owner

You might be able to use ssh-sk-helper to your advantage.

https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html

Using FIDO2 Keys with Windows Subsystem for Linux (WSL) on Windows

In addition to a native SSH client, the Windows OpenSSH beta release also contains an SSH_SK_HELPER that can be used to bridge the host’s FIDO2 support to WSL. All of this configuration must be done from inside the WSL environment, and relies on the Windows environment to be working correctly.

@masahide
Owner

https://www.reddit.com/r/yubikey/comments/11bot5f/minimum_requirements_for_notouchrequired_ssh/

It seems there are various challenges in using the no-touch-required option to enable key usage without touching. The YubiKey5 I have on hand doesn't work well with Openssh v9.2.2.0p1-Beta.

@git-tec
Author

git-tec commented Aug 21, 2023

Basically I think the no-touch feature makes little sense with YubiKeys, since then I can create a key and put it on an encrypted drive and only mount it when needed. The "more" security is then simply moot.

@ztmzzz

ztmzzz commented Mar 27, 2024

Hello, I got the ed25519-sk to work without changing the SSH library. You might find some ideas in go-ssh-sk-example.

@masahide
Owner

@ztmzzz
Thanks for the ed25519-sk tip and the go-ssh-sk-example! Really appreciate it. 👍
