Mailing List Archive

[Bug 3498] Support for unlocking keys with more than one FIDO/WebAuthn token
https://bugzilla.mindrot.org/show_bug.cgi?id=3498

Ben Boeckel <bugzilla.mindrot@me.benboeckel.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |bugzilla.mindrot@me.benboeckel.net

--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

[Bug 3498] Support for unlocking keys with more than one FIDO/WebAuthn token
https://bugzilla.mindrot.org/show_bug.cgi?id=3498

Damien Miller <djm@mindrot.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |djm@mindrot.org

--- Comment #1 from Damien Miller <djm@mindrot.org> ---
It sounds like you're after something like Passkeys
(https://fidoalliance.org/passkeys/) - I have no idea whether these
will work with OpenSSH or whether modifications will be required.

Putting Passkeys aside, there is no trivial way to do what you
want. Private keys are fundamentally device-linked in the FIDO model,
so you could no longer rely on their notion of keys directly.

It might be possible to rig something up using the FIDO2 hmac-secret
extension
(https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-client-to-authenticator-protocol-v2.0-rd-20180702.html#sctn-hmac-secret-extension),
which can let you exchange a key handle for a durable symmetric key.

Maybe it would be possible to rig up some multi-key encryption scheme
that uses these keys to decrypt the actual private key material.
However, it isn't clear whether this would yield a more convenient
workflow than managing separate FIDO keys. Also, you'd be giving up
most of the benefit of hardware tokens as the actual key material would
be decrypted on the host and not the token.

Another non-FIDO approach would be to buy FIDO keys that also support
PIV or some other standard that allows key access via PKCS#11, and load
the same key onto multiple tokens (rather than having the token
generate the keys). This gets you proper hardware backing for the keys
(so long as you didn't leak it when generating and loading it), but you
would be dealing with the messiness of PKCS#11...

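The "multi-key encryption scheme" sketched in Comment #1, worked through as an added example; this is not OpenSSH code and not part of the original thread. Each enrolled token's hmac-secret output wraps one random file key, the file key encrypts the private key blob, and any single enrolled token can unwrap it. Assumptions: the authenticator is simulated in software by a `SimulatedAuthenticator` class whose `hmac_secret()` returns HMAC-SHA-256(CredRandom, salt) as the CTAP2 extension specifies (a real device keeps CredRandom inside the hardware and releases the HMAC only after user presence or PIN); `_seal`/`_open` are an illustrative stdlib-only encrypt-then-MAC, not a production AEAD; the private key bytes in the demo are a constructed placeholder, not a real key. The function and class names are this example's own.

```python
"""Unlock one SSH private key with any of several FIDO2 tokens (added
example for this thread, not OpenSSH code; the token is SIMULATED)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional


def _expand(key: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand-style output from HMAC-SHA-256 (counter in feedback)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(key, block + info + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with an HMAC keystream (stdlib-only; use a real AEAD in practice)."""
    nonce = secrets.token_bytes(16)
    stream = _expand(_expand(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_expand(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> Optional[bytes]:
    """Inverse of _seal; None if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_expand(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None
    stream = _expand(_expand(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class SimulatedAuthenticator:
    """Stand-in for a FIDO2 token with hmac-secret. Real hardware never exports
    CredRandom and releases the HMAC only after user presence / PIN."""

    def __init__(self, label: str) -> None:
        self.label = label
        self._cred_random = secrets.token_bytes(32)  # stays on-device for real

    def hmac_secret(self, salt: bytes) -> bytes:
        """CTAP2 hmac-secret: HMAC-SHA-256(CredRandom, salt). One touch."""
        return hmac.new(self._cred_random, salt, hashlib.sha256).digest()


@dataclass
class ProtectedKey:
    salt: bytes        # one salt per file, sent unchanged to every token
    ciphertext: bytes  # private key sealed under the random file key
    slots: Dict[str, bytes] = field(default_factory=dict)  # label -> wrapped file key


def _recover_file_key(pk: ProtectedKey, token: SimulatedAuthenticator) -> Optional[bytes]:
    """One hmac_secret call (one touch), tried against every slot."""
    kek = token.hmac_secret(pk.salt)
    for wrapped in pk.slots.values():
        file_key = _open(kek, wrapped)
        if file_key is not None:
            return file_key
    return None


def protect(private_key: bytes, tokens: Iterable[SimulatedAuthenticator]) -> ProtectedKey:
    """Encrypt private_key so that ANY ONE of `tokens` can later unlock it."""
    file_key = secrets.token_bytes(32)
    pk = ProtectedKey(salt=secrets.token_bytes(32),
                      ciphertext=_seal(file_key, private_key))
    for token in tokens:
        pk.slots[token.label] = _seal(token.hmac_secret(pk.salt), file_key)
    return pk


def unlock(pk: ProtectedKey, token: SimulatedAuthenticator) -> Optional[bytes]:
    """Private key bytes, or None if `token` is not enrolled. The plaintext
    lands in HOST memory: the loss of hardware protection noted above."""
    file_key = _recover_file_key(pk, token)
    return None if file_key is None else _open(file_key, pk.ciphertext)


def enroll(pk: ProtectedKey, existing: SimulatedAuthenticator,
           new: SimulatedAuthenticator) -> bool:
    """Add a token; an already-enrolled one must release the file key first."""
    file_key = _recover_file_key(pk, existing)
    if file_key is None:
        return False
    pk.slots[new.label] = _seal(new.hmac_secret(pk.salt), file_key)
    return True


if __name__ == "__main__":  # constructed sample blob, not a real key
    desk, ring = SimulatedAuthenticator("desk"), SimulatedAuthenticator("keyring")
    secret = b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----\n"
    pk = protect(secret, [desk, ring])
    assert unlock(pk, ring) == secret and unlock(pk, SimulatedAuthenticator("x")) is None
    print(f"{len(pk.slots)} tokens enrolled; any one of them unlocks the key")
```

Two design points follow from the thread's caveats. Removing a token by deleting its slot is not a revocation if the file key may already have been recovered on a compromised host; rotate the file key and re-wrap for the remaining tokens instead. And the decrypted key exists on the host for the whole time it is in use, so this buys multi-token convenience at the cost of the non-exportability that a FIDO-resident key gives you.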

[Bug 3498] Support for unlocking keys with more than one FIDO/WebAuthn token
https://bugzilla.mindrot.org/show_bug.cgi?id=3498

--- Comment #2 from Ben Boeckel <bugzilla.mindrot@me.benboeckel.net> ---
Thank you for the information. This makes sense; I'll put my hopes into
(evolution of?) Passkeys then. Hopefully we also get support that
doesn't rely on trillion-dollar companies too…


[Bug 3498] Support for unlocking keys with more than one FIDO/WebAuthn token
https://bugzilla.mindrot.org/show_bug.cgi?id=3498

Damien Miller <djm@mindrot.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |LATER
Status|NEW |RESOLVED
