Use FIDO2 key as SSH host key?
-
[email protected] replied to [email protected]
You don't want FIDO2 security tokens for that, use an OpenPGP applet (works with some Yubikeys and with many programmable smartcards)
-
[email protected] replied to [email protected]
FYI I got it working, please see the update above.
-
[email protected] replied to [email protected]
I am familiar with these alternatives. My experiment was specific in wanting FIDO2 and I ended up figuring out the issue. It was the intersection of a couple of weird behaviours that made debugging very confusing, but it works exactly as I expected it would once those are resolved. I guess we can consider this a proof of concept that you can indeed use FIDO2 tokens as an external SSH host key (though as I said below whether this is practically useful is another matter entirely).
-
[email protected] replied to [email protected]
That's awesome!
-
[email protected] replied to [email protected]
Unfortunately, I think you're going to run into trouble because FIDO authenticators are geared towards working as user authenticators rather than as device authenticators.
It certainly should be possible from a technical perspective, but implementation-wise, it's very likely that the code focuses on making FIDO devices work with client keys, and using TPMs for host keys, since that's much more focused on headless server functionality. Oval peg in a round hole.
-
[email protected] replied to [email protected]
Your workaround is precisely why I said "more practical". Any updates to your tooling might break it because it's not an expected use case.
-
[email protected] replied to [email protected]
Looks like this happened:
OpenSSH server has had built-in support for WebAuthn keys since 8.2.
-
[email protected] replied to [email protected]
Been using this for a while - Yubico has a nice guide. Dunno why you struggled to find good info, as I can just google «fido2 ssh» and use the top link.
-
[email protected] replied to [email protected]
Nah - storing cryptographic key pairs is a supported and valid use case for FIDO2.
-
[email protected] replied to [email protected]
It wasn't the crypto key pair part I was referring to, it was the part where FIDO is geared towards interactive user auth, not non-interactive storage.
It wouldn't have surprised me if the SSH devs hadn't put implementing FIDO support for host keys high in the development list, or that it was tricky to find documentation for. Using something like a TPM is the more typical method. There's no technical reason it can't work, and the OP got it to work, so clearly the implementation supports it, but that doesn't mean it's the most expected setup, which means it might have unexpected gaps in functionality or terrible documentation.
-
[email protected] replied to [email protected]
Yeah - I mistook it for user keys, not host. I'm guessing they used PIV/smart-card and not FIDO, as FIDO is indeed made with interactive use in mind.