OpenBSD Journal

U2F support in OpenSSH HEAD

Contributed by rueda on from the more-than-a-token-effort dept.

In a message to the openssh-unix-dev mailing list, Damien Miller (djm@) wrote:

As of this morning, OpenSSH now has experimental U2F/FIDO support, with
U2F being added as a new key type ""
or "ecdsa-sk" for short (the "sk" stands for "security key").

If you're not familiar with U2F, this is an open standard for making
inexpensive hardware security tokens. These are easily the cheapest way
for users to get a hardware-backed keypair and there is a good range of
vendors who sell them including Yubico, Feitian, Thetis and Kensington.
Hardware-backed keys offer the benefit of being considerably more
difficult to steal - an attacker typically has to steal the physical
token (or at least persistent access to it) in order to steal the key.

See the full message for all the details.

Thank you Damien (djm@) and Darren (dtucker@) (OpenSSH-portable) for this important contribution to OpenSSH security.

(Comments are closed)

  1. By d.c. (d.c.) on

    Great work! A big thank you! So the libfido2 is comming to the base too?

    1. By brynet (Brynet) on

      No. The library is in ports, ssh in base will pick up if it's installed by the user.

      1. By brynet (Brynet) on

        This is no longer true, as the required libraries have been committed to base.


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]