Closed codingllama closed 2 years ago
Related work: https://github.com/gravitational/teleport/issues/9160
I've now landed enough PRs in master that I think we can call this done. I expect that there will be refinements to be done when we get people trying it out, but the overall implementation is there. :tada:
What

Add libfido2 support for tsh.

libfido2 implements both CTAP1 and CTAP2 protocols, allowing us to better leverage the server-side Webauthn implementation. It seems to be the outstanding (only?) client-side implementation for CTAP2.
It supports Linux, macOS and Windows, among others.
This doesn't include Touch ID support - that is a different can of worms.

How

libfido2, unfortunately, is only available as a native library, which causes a few complications for tsh. Go bindings are available via the github.com/keys-pub/go-libfido2 package.

A draft implementation would work as follows:

Also note that libfido2 has its own set of dependencies: libcbor, OpenSSL 1.1+, zlib and libudev (Linux only). Our audience is fairly technical, in particular for tsh, so maybe installing a few packages is not much of an issue, but that remains as a discussion point.

Why

This gives us:
tsh in the platform

Workaround
We don't necessarily need libfido2; what we actually want is CTAP2 support for tsh (it's just that the list of options seems dim). Some research in this area might do us good; there may be something I missed in my initial combing for libraries.

CTAP1 works perfectly fine for the moment - I'm not aware of any CTAP2-exclusive authenticators. It does limit our options in terms of Webauthn features, though, and might become a limitation in the future.