Contributed by rueda on from the more-than-a-token-effort dept.
In a message to the openssh-unix-dev mailing list, Damien Miller (djm@) wrote:
[…] As of this morning, OpenSSH now has experimental U2F/FIDO support, with U2F being added as a new key type "sk-ecdsa-sha2-nistp256@openssh.com" or "ecdsa-sk" for short (the "sk" stands for "security key"). If you're not familiar with U2F, this is an open standard for making inexpensive hardware security tokens. These are easily the cheapest way for users to get a hardware-backed keypair and there is a good range of vendors who sell them including Yubico, Feitian, Thetis and Kensington. Hardware-backed keys offer the benefit of being considerably more difficult to steal - an attacker typically has to steal the physical token (or at least persistent access to it) in order to steal the key. […]
See the full message for all the details.
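The new key type is distinguishable in an authorized_keys file by its "sk-" prefix, which makes it easy to audit which accepted keys are hardware-backed and which are not. The script below is an added example, not OpenSSH's own code: it assumes the public-key wire layout documented in OpenSSH's PROTOCOL.u2f (SSH string key type, string curve name, EC point Q, string application) and uses constructed, non-functional sample keys so it runs offline. It also checks that the key blob's embedded type matches the declared type, which is what sshd itself insists on.

```python
"""Audit authorized_keys entries for OpenSSH security-key ("sk-") keys.

Added example, not OpenSSH code. Assumes the sk-ecdsa public-key layout from
OpenSSH's PROTOCOL.u2f: string type, string curve, ec_point Q, string
application. All sample keys below are constructed and not real.
"""
import base64
import struct

SK_ECDSA = "sk-ecdsa-sha2-nistp256@openssh.com"   # "ecdsa-sk" for short
KNOWN_TYPES = {SK_ECDSA, "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}


def _ssh_string(data):
    """Encode one SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob, offset):
    """Decode one SSH wire-format string at offset; returns (bytes, new offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset:offset + length], offset + length


def parse_sk_ecdsa_pubkey(blob):
    """Parse an sk-ecdsa public key blob; does NOT verify that Q lies on P-256."""
    key_type, off = _read_string(blob, 0)
    curve, off = _read_string(blob, off)
    point, off = _read_string(blob, off)
    application, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after key")
    if key_type != SK_ECDSA.encode():
        raise ValueError("blob type is %r, not %s" % (key_type, SK_ECDSA))
    # Uncompressed SEC1 point: 0x04 || X (32 bytes) || Y (32 bytes)
    if curve != b"nistp256" or len(point) != 65 or point[0] != 0x04:
        raise ValueError("malformed nistp256 point")
    return {"curve": curve.decode(), "application": application.decode()}


def audit_line(line):
    """Classify one authorized_keys line; returns None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    # Options such as command="...",no-pty may precede the key type, so locate it.
    idx = next((i for i, t in enumerate(tokens) if t in KNOWN_TYPES), None)
    if idx is None or idx + 1 >= len(tokens):
        return {"type": None, "hardware_backed": False, "application": None,
                "problem": "unrecognised key line"}
    key_type = tokens[idx]
    result = {"type": key_type, "hardware_backed": key_type.startswith("sk-"),
              "application": None, "problem": None}
    try:
        blob = base64.b64decode(tokens[idx + 1], validate=True)
        blob_type, _ = _read_string(blob, 0)
        if blob_type.decode() != key_type:
            raise ValueError("blob type %r does not match declared type %s"
                             % (blob_type, key_type))
        if key_type == SK_ECDSA:
            result["application"] = parse_sk_ecdsa_pubkey(blob)["application"]
    except ValueError as exc:   # covers base64 and UTF-8 decoding errors too
        result["problem"] = str(exc)
    return result


def audit_authorized_keys(lines):
    """Return one audit record per key line, skipping blanks and comments."""
    return [r for r in (audit_line(l) for l in lines) if r is not None]


# --- constructed sample input (not real keys, point is not on the curve) ----
_FAKE_POINT = b"\x04" + bytes(range(32)) + bytes(range(32, 64))
SK_BLOB = (_ssh_string(SK_ECDSA.encode()) + _ssh_string(b"nistp256")
           + _ssh_string(_FAKE_POINT) + _ssh_string(b"ssh:"))
ED_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))


def _b64(data):
    return base64.b64encode(data).decode()


SAMPLE_AUTHORIZED_KEYS = [
    "# constructed sample file",
    "%s %s alice@token" % (SK_ECDSA, _b64(SK_BLOB)),
    "ssh-ed25519 %s bob@laptop" % _b64(ED_BLOB),
    'command="/usr/bin/uptime",no-pty %s %s carol@token' % (SK_ECDSA, _b64(SK_BLOB)),
    "%s %s mismatched" % (SK_ECDSA, _b64(ED_BLOB)),   # declared sk, blob is not
]

if __name__ == "__main__":
    for rec in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(rec)
```

Run against a real file with `audit_authorized_keys(open(path).read().splitlines())`; the `application` field (normally "ssh:") is the relying-party string the token binds the key to, and a `problem` entry marks a line sshd would also reject. The point check here is structural only; the script does not verify that Q is a valid curve point.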
Thank you Damien (djm@) and Darren (dtucker@) (OpenSSH-portable) for this important contribution to OpenSSH security.
By d.c. (d.c.) on
Great work! A big thank you! So the libfido2 is coming to the base too?
By brynet (Brynet) on https://brynet.biz.tm/
No. The library is in ports, ssh in base will pick up if it's installed by the user.
https://www.mail-archive.com/ports-changes@openbsd.org/msg105299.html
https://marc.info/?l=openssh-unix-dev&m=157259802529972&w=2
By brynet (Brynet) on https://brynet.biz.tm/
This is no longer true, as the required libraries have been committed to base.
https://marc.info/?l=openbsd-tech&m=157376801917387&w=2