When using openssh with a u2f key, you generate a key via:
ssh-keygen -t ecdsa-sk
Each time you run it, it gives a different key pair. (Randomly seeming).
A differently generated key pair is not valid with the first's public key.
All good so far, but you run into a problem if:
You generate a keypair (A).
You register your public key for (A) on a bunch of ssh servers.
You take your fido2 key to a second client machine and try and login to your servers.
It kind of defeats the purpose of being able to have a portable keyfob.
If there was a way to seed the generation phase manually, then the same seed can be used on each client machine so that the ssh pub/private key doesn't have to be transferred along with the u2f keyfob?
Thanks,
Kevin
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
ssh-keygen -t ecdsa-sk
Each time you run it, it gives a different key pair. (Randomly seeming).
A differently generated key pair is not valid with the first's public key.
All good so far, but you run into a problem if:
You generate a keypair (A).
You register your public key for (A) on a bunch of ssh servers.
You take your fido2 key to a second client machine and try and login to your servers.
It kind of defeats the purpose of being able to have a portable keyfob.
If there was a way to seed the generation phase manually, then the same seed can be used on each client machine so that the ssh pub/private key doesn't have to be transferred along with the u2f keyfob?
Thanks,
Kevin
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev