DEF CON Forum Site Header Art


No announcement yet.

SSH clients with FIDO2 support for hardware based security tokens and sk-ecdsa

  • Filter
  • Time
  • Show
Clear All
new posts

  • SSH clients with FIDO2 support for hardware based security tokens and sk-ecdsa

    Since version 8.2, OpenSSH Supports FIDO2 for ssh, which allows for a kind of split key with a private component on a security token (like YubiKey) "sk-ecdsa" "SSH SK" "SSH Security Key"

    This appears to work fairly well on servers and client which are new enough, but it is not well supported in many other clients.

    What other SSH/SFTP/SCP Clients have you found which support FIDO2 and hardware based "Security Keys"?

    Disadvantages of FIDO2 on Yubikey 5:
    * You can choose ECDSA-SK or ED25519-SK, but both of these have static cipher-selections which as of March 16, 2022 are limited in ssh-keygen. From the man page for where you can usually specify a number of "bits" to use for each key type:
    Originally posted by man page ssh-keygen
    -b bits Specifies the number of bits in the key to create. For RSA keys, the minimum size is 1024 bits and the default is 3072 bits. Generally, 3072 bits is considered sufficient. DSA keys must be exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys, the -b flag determines the key length by selecting from one of three elliptic curve sizes: 256, 384 or 521 bits. Attempting to use bit lengths other than these three values for ECDSA keys will fail. ECDSA-SK, Ed25519 and Ed25519-SK keys have a fixed length and the -b flag will be ignored.
    This means, you can't choose P-384 (NISTP384,secp384*,prime384*, etc) or P521 as you cipher for ECDSA when using these SK options.
    It looks like the default for ECDSA is P-256/NISTP256. The other two choices (according to fido2-cred) are ED25519 and non ECC RSA2048, but nothing else.

    As of March 12, 2022:
    * OpenSSH 8.2 supports FIDO2 with OpenSSH client/Server:
    * putty-cac (a *fork* of putty (windows ssh, scfp, etc)) has FIDO2 in a feature request started Jun 17, 2020 with notice on Mar 6, 2022 indicating a future attempt to see what would be required
    * Terminus ssh client (mobile, desktop) has a question asking users about interest in FIDO2 support, but no comment on when, asked on Jan 2022:
    * Krypton akr for Mac OS X, and some Linux, but seems obsolete for purpose of SSH SK if modern OpenSSH supports SSH SK:
    * "TermBot" and Android app claimed to be based on ConnectBot, claims support for FIDO2, but appears to have a small number of users (only 104 reviews, 10k downloads, claimed release May 7, 2018, last update May 24, 2021, by "heylogin GmbH")):
    * AsyncSSH / python appears to support FIDO2:

    # This discussion is about FIDO2:
    * I am aware of being able to build 4096 bit RSA GPG keys on YubiKey (or import to YubiKey) and then rely on gpg-agent ( or on windows ) to relay ssh auth to other tools like putty instead of using putty's "pagent", but this is not FIDO2 support and is closer to middleware than ssh clients with FIDO2 support. I also see that it is possible to use "NIST P-521" for the 3 yubikey openpgp stored keys plus public key which seems to work.
    * I am also aware of PIV support for RSA 2048 bit keys for use with ssh, but this is not FIDO2 support, and no support for RSA 4096 bit keys. There appears to be PIV support for "ECCP384" (equivalent to P-384 / secp384 / nistp384 / prime384) too, which would likely be "better" than RSA2048, but either requires middleware like opensc and special clients that can use certs: FIDO2 eliminates that middleware. Less complexity is better.

    Unrelated to ssh, it looks like MS has/had plans to integrate FIDO2 support into MS Windows:
    * announced support for Security Keys with FIDO2 May 10, 2021:
    * has support for Security Keys with FIDO2:
    Last edited by number6; March 17, 2022, 06:40.