
Fido2 and Fingerprint scan vs touch
I’m evaluating the new Yubikey Bio keys and there are some issues I don’t quite understand regarding presence touch and actual fingerprint verification.

If I load the resident key (i.e. ssh-add -K), things seem to work as expected and the wrong fingerprint results in dropping down to another authentication method.

If I don’t use ssh-add -K, then it seems ssh only verifies presence. I basically want to enforce proper fingerprint recognition always. Is there a way to do this?

Thank you
-jeremy
Re: Fido2 and Fingerprint scan vs touch
On Sun, 10 Oct 2021, Jeremy Hansen wrote:

> I’m evaluating the new Yubikey Bio keys and there are some issues I
> don’t quite understand regarding presence touch and actual
> fingerprint verification.
>
> If I load the resident key (i.e. ssh-add -K), things seem to work
> as expected and the wrong fingerprint results in dropping down to
> another authentication method.
>
> If I don’t use ssh-add -K, then it seems ssh only verifies presence.
> I basically want to enforce proper fingerprint recognition always. Is
> there a way to do this?

Yes, you need to specify -Overify-required on the ssh-keygen
command-line when generating the key.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Fido2 and Fingerprint scan vs touch
Yes, I did precisely this. This is how I generated my key:

ssh-keygen -t ed25519-sk -O resident -O verify-required -f ~/.ssh/id_yubico

Does the verify-required in this case only function if you’re using resident keys? I guess that would make sense, but this assumes the user is using ssh-add -K. Basically I don’t want a user to be able to gain access unless they verify with a fingerprint from the security key. No other options should be available to get around verifying with a valid fingerprint from the sk. If someone loses a key and it’s found, I want it to be useless unless someone chops off my finger.

Thanks!
-jeremy

> On Sunday, Oct 10, 2021 at 8:18 PM, Damien Miller <djm@mindrot.org> wrote:
> On Sun, 10 Oct 2021, Jeremy Hansen wrote:
>
> > I’m evaluating the new Yubikey Bio keys and there are some issues I
> > don’t quite understand regarding presence touch and actual
> > fingerprint verification.
> >
> > If I load the resident key (i.e. ssh-add -K), things seem to work
> > as expected and the wrong fingerprint results in dropping down to
> > another authentication method.
> >
> > If I don’t use ssh-add -K, then it seems ssh only verifies presence.
> > I basically want to enforce proper fingerprint recognition always. Is
> > there a way to do this?
>
> Yes, you need to specify -Overify-required on the ssh-keygen
> command-line when generating the key.
>
> -d
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
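Jeremy's requirement above (no access unless the token verified the user, whichever way the client loaded the key) is enforceable on the server side: OpenSSH 8.4 and later accept a per-key `verify-required` option in authorized_keys and a global `PubkeyAuthOptions verify-required` in sshd_config, and sshd then rejects FIDO signatures whose flags lack user verification (fingerprint or PIN, as the token decides). The audit helper below is added here and is not code from the thread or from OpenSSH; it parses an authorized_keys file and lists the sk keys that neither setting covers, using a constructed sample file with placeholder key blobs, and it ignores Match blocks in sshd_config as a simplification.

```python
"""Audit authorized_keys for FIDO2 (sk-*) keys that sshd would accept on a
mere touch. Added example, not code from this thread; it assumes OpenSSH 8.4+,
where the per-key authorized_keys option `verify-required` or the sshd_config
directive `PubkeyAuthOptions verify-required` makes sshd reject FIDO
signatures that lack the user-verified flag, however the client loaded the key."""
import re

SK_TYPES = {"sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}
# One authorized_keys line: optional options field (double quotes may enclose
# spaces and commas), key type, base64 blob, optional comment.
LINE_RE = re.compile(
    r'^(?:((?:[^\s"]|"(?:[^"\\]|\\.)*")+)\s+)?'
    r'((?:sk-|ssh-|ecdsa-)\S+)\s+\S+(?:\s+(.*))?$')
# Option names at the start of the field or after a comma; a quoted =value is
# consumed so commas inside it are not mistaken for separators.
OPT_RE = re.compile(r'(?:^|,)([A-Za-z-]+)(?:="(?:[^"\\]|\\.)*")?')
# Uncommented PubkeyAuthOptions line naming verify-required (Match blocks are
# not evaluated in this simplified check).
GLOBAL_UV_RE = re.compile(r"^\s*PubkeyAuthOptions\b[^#\n]*\bverify-required\b",
                          re.IGNORECASE | re.MULTILINE)

def parse_authorized_line(line):
    """Return (option_names, key_type, comment), or None for blank/#/bad lines."""
    line = line.strip()
    m = LINE_RE.match(line) if line and not line.startswith("#") else None
    if not m:
        return None
    opts = {o.lower() for o in OPT_RE.findall(m.group(1) or "")}
    return opts, m.group(2), m.group(3) or ""

def audit(authorized_keys, sshd_config=""):
    """Return [(line_no, comment)] for sk keys usable without user verification."""
    if GLOBAL_UV_RE.search(sshd_config):
        return []                       # the global setting covers every key
    findings = []
    for n, line in enumerate(authorized_keys.splitlines(), 1):
        p = parse_authorized_line(line)
        if p and p[1] in SK_TYPES and "verify-required" not in p[0]:
            findings.append((n, p[2]))
    return findings

# Constructed sample; the key blobs are truncated placeholders, not real keys.
SAMPLE_AK = """# team keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... alice@laptop
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5... bob-touch-only
verify-required,command="ls -l,/tmp" sk-ssh-ed25519@openssh.com AAAAGnNr... bob-uv
no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNh... carol
"""
```

`audit(SAMPLE_AK)` reports lines 3 and 5, while passing an sshd_config that sets `PubkeyAuthOptions verify-required` returns nothing, since that directive covers every key.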
Re: Fido2 and Fingerprint scan vs touch
On Sun, 10 Oct 2021, Jeremy Hansen wrote:

> Yes, I did precisely this.  This is how I generated my key:
>
> ssh-keygen -t ed25519-sk -O resident -O verify-required -f ~/.ssh/id_yubico
>
> Does the verify-required in this case only function if you’re using resident
> keys?  I guess that would make sense, but this assumes the user is using
> ssh-add -K.  Basically I don’t want a user to be able to gain access unless
> they verify with a fingerprint from the security key.  No other options
> should be available to get around verifying with a valid fingerprint from
> the sk.  If someone loses a key and it’s found, I want it to be useless
> unless someone chops off my finger.

First, there's actually a bug in ssh that causes it to prompt for a PIN
unconditionally (see below).

Second, AFAIK biometrics and PIN go through the same "UV"
(user-verified) path in FIDO authenticators, so a PIN may be used as a
substitute for a fingerprint. AFAIK whether this happens is up to
the token itself.

Index: sshconnect2.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sshconnect2.c,v
retrieving revision 1.351
diff -u -p -r1.351 sshconnect2.c
--- sshconnect2.c 23 Jul 2021 05:24:02 -0000 1.351
+++ sshconnect2.c 11 Oct 2021 04:45:18 -0000
@@ -1256,7 +1256,7 @@ identity_sign(struct identity *id, u_cha
}
sign_key = prv;
if (sshkey_is_sk(sign_key)) {
- if ((sign_key->sk_flags &
+ if (retried && (sign_key->sk_flags &
SSH_SK_USER_VERIFICATION_REQD)) {
retry_pin:
xasprintf(&prompt, "Enter PIN for %s key %s: ",
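Review bot: the new condition makes the PIN prompt depend on `retried`, but this hunk shows neither where `retried` is declared and initialised nor the code that sets it and jumps back to `retry_pin:` after a failed signing attempt, so a reader cannot confirm from these lines that the first attempt is made without a PIN and that a user-verification failure reported by the token really leads back here with `retried` set. Please widen the context to include that declaration and the error path that retries, and add a short comment above `if (retried && (sign_key->sk_flags &` stating the intent: let the authenticator perform user verification itself (fingerprint on a Bio key) on the first attempt, and fall back to prompting for a PIN only on the retry.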
Re: Fido2 and Fingerprint scan vs touch
On Sun, Oct 10, 2021 at 7:52 PM Jeremy Hansen <jeremy@skidrow.la> wrote:
>
> I’m evaluating the new Yubikey Bio keys and there are some issues I don’t quite understand regarding presence touch and actual fingerprint verification.

Don't put too much confidence in those. There have been only
incremental improvements in fingerprint sensors in the last 20 years,
and the infamous "gummi finger" paper is still valid. See
https://cryptome.org/gummy.htm, or the MythBusters episode, or test
your sensor yourself with printed fingerprints.