tetractic / SK-SSH-Agent

An SSH agent that supports using FIDO/U2F security keys with PuTTY and OpenSSH for Windows.
GNU General Public License v3.0
23 stars, 1 fork

Add support for RS256 #4

Closed: ghost closed this 2 months ago

ghost commented 5 months ago

I have been using SK-SSH-Agent with PIN/biometrics instead of a USB FIDO/U2F key for a while without any problem.

Recently I recreated my Windows Hello PIN/biometrics, and it seems that Windows started using TPM 2.0 hardware-backed storage (confirmed by running certutil -csp "Microsoft Passport Key Storage Provider" -key -v) instead of the old one.

Now, when I try to generate a new key in SK-SSH-Agent, Windows Hello does not allow creating passkeys using PIN/biometrics; the only option is to use a USB FIDO/U2F security key, which I do not have.

This affects not only SK-SSH-Agent but also browsers. I tried https://webauthn.me/debugger# and found out that the new Windows Hello with PIN/biometrics requires the requested public-key algorithms to be RS256+ES256. If you request ES256 only, it will not allow you to use PIN/biometrics anymore.

It would be nice to support RSASSA-PKCS1-v1_5_w_SHA256 keys, so that people can continue using PIN/biometrics instead of a USB FIDO/U2F key.

carlreinke commented 2 months ago

I don't think this is possible without OpenSSH support (which appears unlikely) or bypassing the WebAuthn API and using the TPM directly, which I am not very interested in doing.
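Added example, not code from SK-SSH-Agent or from either commenter, tying the two comments together. The first function builds the navigator.credentials.create() options with the ES256-only and ES256+RS256 algorithm lists the reporter compared on webauthn.me. The rest decodes a COSE_Key of the kind an authenticator returns in its attestation and shows why only the ES256 result can be written as an OpenSSH security-key public key: OpenSSH's PROTOCOL.u2f defines sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com and no RSA variant, which is the OpenSSH-side support the reply says would be needed. The RP name, user, application string and the two COSE key byte strings are constructed placeholders, and the CBOR decoder handles only the types a COSE_Key uses.

```javascript
// Added example (not part of SK-SSH-Agent): pubKeyCredParams choices vs. the
// OpenSSH "sk-" public-key encodings that exist. Runs under Node.js.

const COSE_ES256 = -7;    // ECDSA with SHA-256 on P-256 (COSE alg)
const COSE_RS256 = -257;  // RSASSA-PKCS1-v1_5 with SHA-256 (COSE alg)

// Options as a relying party would pass to navigator.credentials.create().
// includeRs256=false is the ES256-only request the reporter saw rejected by
// Windows Hello; includeRs256=true is the ES256+RS256 request that worked.
function buildCreationOptions(includeRs256) {
  const params = [{ type: 'public-key', alg: COSE_ES256 }];
  if (includeRs256) params.push({ type: 'public-key', alg: COSE_RS256 });
  return {
    rp: { name: 'example.test' },                                   // assumed RP
    user: { id: new Uint8Array(16), name: 'alice', displayName: 'alice' }, // assumed user
    challenge: new Uint8Array(32),                                  // placeholder challenge
    pubKeyCredParams: params,
    authenticatorSelection: { authenticatorAttachment: 'platform', userVerification: 'required' },
  };
}

// Minimal CBOR decoder: unsigned/negative ints, byte strings and maps, which
// is all a COSE_Key contains. Returns [value, nextOffset].
function decodeCbor(buf, pos = 0) {
  const major = buf[pos] >> 5;
  const info = buf[pos] & 0x1f;
  pos += 1;
  let arg;
  if (info < 24) arg = info;
  else if (info === 24) { arg = buf[pos]; pos += 1; }
  else if (info === 25) { arg = buf.readUInt16BE(pos); pos += 2; }
  else if (info === 26) { arg = buf.readUInt32BE(pos); pos += 4; }
  else throw new Error(`unsupported CBOR additional info ${info}`);
  switch (major) {
    case 0: return [arg, pos];                                  // unsigned int
    case 1: return [-1 - arg, pos];                             // negative int
    case 2: return [buf.subarray(pos, pos + arg), pos + arg];   // byte string
    case 5: {                                                   // map
      const map = new Map();
      for (let i = 0; i < arg; i++) {
        let k, v;
        [k, pos] = decodeCbor(buf, pos);
        [v, pos] = decodeCbor(buf, pos);
        map.set(k, v);
      }
      return [map, pos];
    }
    default: throw new Error(`unsupported CBOR major type ${major}`);
  }
}

// Parse a COSE_Key (RFC 9052/9053 labels: 1=kty, 3=alg, -1..-3 curve/coords or n/e).
function parseCoseKey(bytes) {
  const [m] = decodeCbor(Buffer.from(bytes));
  const kty = m.get(1), alg = m.get(3);
  if (kty === 2 && alg === COSE_ES256) return { alg, kty, crv: m.get(-1), x: m.get(-2), y: m.get(-3) };
  if (kty === 3 && alg === COSE_RS256) return { alg, kty, n: m.get(-1), e: m.get(-2) };
  throw new Error(`unsupported COSE key kty=${kty} alg=${alg}`);
}

// SSH wire "string": 4-byte big-endian length followed by the bytes.
function sshString(value) {
  const body = Buffer.from(value);
  const len = Buffer.alloc(4);
  len.writeUInt32BE(body.length, 0);
  return Buffer.concat([len, body]);
}

// Encode an ES256 credential as an OpenSSH sk- public key line per PROTOCOL.u2f:
//   string "sk-ecdsa-sha2-nistp256@openssh.com", string "nistp256", ec_point Q, string application
// RS256 is rejected because OpenSSH defines no RSA security-key type.
function toOpenSshSkPublicKey(key, application = 'ssh:') {
  if (key.alg === COSE_RS256) throw new Error('no OpenSSH sk- public-key type exists for RS256 credentials');
  if (key.crv !== 1) throw new Error('expected P-256 (COSE crv 1)');
  const type = 'sk-ecdsa-sha2-nistp256@openssh.com';
  const q = Buffer.concat([Buffer.from([0x04]), key.x, key.y]); // uncompressed EC point
  const blob = Buffer.concat([sshString(type), sshString('nistp256'), sshString(q), sshString(application)]);
  return `${type} ${blob.toString('base64')}`;
}

// Constructed sample COSE_Key blobs (not real credentials); coordinates and
// modulus are filler bytes, since only the key shape matters here.
const SAMPLE_ES256_COSE = Buffer.concat([
  Buffer.from([0xa5, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01, 0x21, 0x58, 0x20]), // map(5) kty=2 alg=-7 crv=1, x=bstr(32)
  Buffer.alloc(32, 0x11),
  Buffer.from([0x22, 0x58, 0x20]), Buffer.alloc(32, 0x22),                   // y=bstr(32)
]);
const SAMPLE_RS256_COSE = Buffer.concat([
  Buffer.from([0xa4, 0x01, 0x03, 0x03, 0x39, 0x01, 0x00, 0x20, 0x59, 0x01, 0x00]), // map(4) kty=3 alg=-257, n=bstr(256)
  Buffer.alloc(256, 0x33),
  Buffer.from([0x21, 0x43, 0x01, 0x00, 0x01]),                                     // e=bstr(3) 65537
]);

console.log(toOpenSshSkPublicKey(parseCoseKey(SAMPLE_ES256_COSE)));
```

Feeding SAMPLE_RS256_COSE into toOpenSshSkPublicKey throws, which is the practical consequence of the maintainer's reply: an agent can obtain an RS256 credential from Windows Hello through WebAuthn, but there is no sk- key type to hand it to sshd as, so an RSA option would need a new OpenSSH key type rather than only a change in this agent.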