janmojzis / tinyssh

TinySSH is small server (less than 100000 words of code)
Creative Commons Zero v1.0 Universal

implementation of sk-ssh-ed25519@openssh.com #87

Open jo-bitsch opened 6 months ago

jo-bitsch commented 6 months ago

This provides an initial version of security key support in tinyssh.

The main change is a new file, sshcrypto_key_sk_ed25519.c, which adds the relevant functions for parsing and putting public keys and signatures, as well as the sk_ed25519_open function, which performs the signature check using the existing crypto_sign_ed25519_open for the cryptographic operation.

I had to update a few places where the code did not distinguish between server-side and client-side crypto algorithms, as the server cannot create a keypair or perform a signing operation, since it doesn't have a FIDO key available.

Limitations:

There are tests for the new file sshcrypto_key_sk_ed25519.c. In addition, I performed manual end-to-end tests to confirm that authentication with ed25519 and sk-ssh-ed25519@openssh.com is successful:

```
$ tcpserver -HRDl0 0.0.0.0 2022 build/bin/tinysshd -v /tmp/tinyssh
tinysshd: NSYeEscO: info: connection from 127.0.0.1:56422 {main_tinysshd.c:124}
tinysshd: NSYeEscO: info: auth: test-user: sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIPATlJjmvz5UIxr//xq7scplfrR1Ua7DrcRi7KC8XDEmAAAABHNzaDo= accepted {packet_auth.c:170}
tinysshd: NSYeEscO: info: finished {main_tinysshd.c:304}
tinysshd: ZLVpp8o1: info: connection from 127.0.0.1:37656 {main_tinysshd.c:124}
tinysshd: ZLVpp8o1: info: auth: test-user: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPtHsl99hUBZ9FhISxY2xvV0OIfY4g8DlMx0HQJZke4d accepted {packet_auth.c:170}
tinysshd: ZLVpp8o1: info: finished {main_tinysshd.c:304}
^C
```
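As an added illustration of what the new file has to handle (this is not code from tinyssh or from this PR): a Python sketch of the sk-ssh-ed25519@openssh.com public-key and signature encodings, and of the message the authenticator actually signs, which is what has to be handed to crypto_sign_ed25519_open. The field layout follows OpenSSH's PROTOCOL.u2f; the public key blob is the one from the accepted login in the log above.

```python
import base64
import hashlib
import struct

# Public key blob taken from the accepted sk-ssh-ed25519@openssh.com login in the log above.
SK_PUBKEY_B64 = ("AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIPATlJjmvz5UIxr//xq7"
                 "scplfrR1Ua7DrcRi7KC8XDEmAAAABHNzaDo=")
SK_TYPE = b"sk-ssh-ed25519@openssh.com"


def ssh_string(buf, off):
    """Read one SSH 'string' (uint32 big-endian length + bytes) from buf at off."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def parse_sk_pubkey(blob):
    """Return (32-byte ed25519 key, application) from an sk-ssh-ed25519 key blob.
    Layout: string type, string pubkey, string application."""
    t, off = ssh_string(blob, 0)
    if t != SK_TYPE:
        raise ValueError("wrong key type")
    pk, off = ssh_string(blob, off)
    if len(pk) != 32:
        raise ValueError("bad ed25519 public key length")
    app, off = ssh_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after key")  # reject sloppy encodings
    return pk, app


def parse_sk_signature(blob):
    """Return (64-byte raw signature, flags, counter) from an sk-ssh-ed25519 signature.
    Layout: string type, string signature, byte flags, uint32 counter."""
    t, off = ssh_string(blob, 0)
    if t != SK_TYPE:
        raise ValueError("wrong signature type")
    sig, off = ssh_string(blob, off)
    if len(sig) != 64:
        raise ValueError("bad ed25519 signature length")
    if off + 5 != len(blob):
        raise ValueError("bad flags/counter trailer")
    flags = blob[off]
    (counter,) = struct.unpack(">I", blob[off + 1:off + 5])
    return sig, flags, counter


def sk_signed_message(application, flags, counter, message):
    """The bytes the authenticator signed: SHA256(app) || flags || counter || SHA256(message).
    'message' is the usual SSH userauth signed data; the server verifies the raw
    ed25519 signature over this 69-byte value, not over the message itself."""
    return (hashlib.sha256(application).digest() + bytes([flags])
            + struct.pack(">I", counter) + hashlib.sha256(message).digest())
```

The flags and counter are not mere decoration: a server that ignores them cannot tell a touch-verified signature from one without user presence, and cannot notice a cloned authenticator's non-increasing counter.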