Open prusnak opened 4 years ago
AFAIK, the credential management in CTAP is not documented anywhere. However, from looking at the libfido2 code, it should be pretty easy to figure out. I already have a general idea of how it works:
Looks like there are several subcommands to the GetInfo command: CRED_METADATA = 0x01 RP_BEGIN = 0x02 RP_NEXT = 0x03 RK_BEGIN = 0x04 RK_NEXT = 0x05 DELETE_CRED = 0x06
The RK_BEGIN subcommand has one parameter: 1: RP ID hash
The DELETE_CRED subcommand has one parameter: 1: Credential ID
Other subcommands don't have a parameter.
CRED_METADATA response: 1: Total number of resident credentials currently present on the authenticator. 2: Number of remaining resident credentials which can be created.
RP_BEGIN / RP_NEXT response: 3: PublicKeyCredentialRpEntity (map with keys "id" and "name") 4: rp_id_hash (bytes) 5: Number of relying parties (RP_BEGIN only)
RK_BEGIN / RK_NEXT response: 6: PublicKeyCredentialUserEntity (map with keys "name", "displayName", "id") 7: PublicKeyCredentialDescriptors (map with key "id") 8: COSE Public Key (map with "alg", "crv" etc.) 9: Number of resident keys for the requested RP (RK_BEGIN only)
Hello, is there any decision already made on this topic? If so, any eta?
Thank you
Another version of the CTAP proposal is out: https://fidoalliance.org/specs/fido-v2.1-rd-20201208/fido-client-to-authenticator-protocol-v2.1-rd-20201208.html#authenticatorCredentialManagement. It's still in draft form, but I think this particular part of the specification if fairly stable by now and we can think about implementing it.
@zejdlikt, you can still used OpenSSH without this feature, the only trouble is if you are using multiple machines, then you need each one to have a copy of the "secret key" file in ~/.ssh/ (when using FIDO2 I think it doesn't actually contain any secret if I recall correctly, just metadata about the credential). Personally I am under the impression that this is a shortcoming of the design decisions around the OpenSSH implementation, because the credential management extension shouldn't be required for logging in with resident credentials, but I don't see deep enough into their implementation and design rationale to give justified criticism.
Anyway, I will look into how difficult this would be to implement.
@zejdlikt, you can still used OpenSSH without this feature, the only trouble is if you are using multiple machines, then you need each one to have a copy of the "secret key" file in ~/.ssh/ (when using FIDO2 I think it doesn't actually contain any secret if I recall correctly, just metadata about the credential). Personally I am under the impression that this is a shortcoming of the design decisions around the OpenSSH implementation, because the credential management extension shouldn't be required for logging in with resident credentials, but I don't see deep enough into their implementation and design rationale to give justified criticism.
Yes i know about the "workaround" there considering copying metadata in ~/.ssh/
- and of course it works (tested with TrezorT/Yubikey). Anyway, the idea of having just a usb key with me traveling around the world and being able to login to my servers from any other server w/o cp
or scp
anything additional is a nice idea. So i would say, it would be very "nice to have" (if possible).
Is there any update on this issue? Thanks!
No progress has been done on this.
In order to fully support resident keys with OpenSSH we need to implement credential management extension
Let's evaluate whether this is something we want to do.