Contributed by rueda on from the more-than-a-token-effort dept.
to the openssh-unix-dev mailing list,
Damien Miller (
[…] As of this morning, OpenSSH now has experimental U2F/FIDO support, with U2F being added as a new key type "email@example.com" or "ecdsa-sk" for short (the "sk" stands for "security key"). If you're not familiar with U2F, this is an open standard for making inexpensive hardware security tokens. These are easily the cheapest way for users to get a hardware-backed keypair and there is a good range of vendors who sell them including Yubico, Feitian, Thetis and Kensington. Hardware-backed keys offer the benefit of being considerably more difficult to steal - an attacker typically has to steal the physical token (or at least persistent access to it) in order to steal the key. […]
See the full message for all the details.
Thank you Damien (
djm@) and Darren (
dtucker@) (OpenSSH-portable) for this important contribution to OpenSSH security.
(Comments are closed)