OpenSSH 8.4 Brings Better Support For FIDO/2FA Keys


  • OpenSSH 8.4 Brings Better Support For FIDO/2FA Keys

    Phoronix: OpenSSH 8.4 Brings Better Support For FIDO/2FA Keys

    Version 8.4 of OpenSSH has been released and among its wide assortment of changes is a lot of continued work on FIDO/2FA key handling...

    http://www.phoronix.com/scan.php?pag...H-8.4-Released

  • #2
    But do these FIDO/2FA keys work to log in to GNOME using GDM (GNOME Display Manager)?
    Can FIDO/2FA be used together with GNOME Seahorse (keyring)?

    It seems to be supported with Firefox and Chrome.




    • #3
      Originally posted by uid313
      But do these FIDO/2FA keys work to log in to GNOME using GDM (GNOME Display Manager)?
      Yes, in at least some use cases (there are instructions floating around on various sites (including FIDO hardware vendors' sites) on how to set up PAM to do so).

      Things get a bit complicated due to the history of the terms. U2F (which was subsumed into FIDO after the alliance was created) can be used as a second factor by storing secrets (in a couple of variants). FIDO2 is an evolution of the protocol to move towards entirely passwordless login, and CTAP and WebAuthn are W3C standards to enable FIDO to be used on the web (and are shown in your picture as to what browsers support the protocol at this time). In most cases the term FIDO is used generically, but there are some features that require a FIDO2 solution. In order to ensure the secrets are actually secure, FIDO can be implemented in a physical (usually USB) key with a dedicated security processor (NXP and Infineon are well known vendors of such chips) and in some cases on certain mobile devices (which run the processing inside the trusted enclave, which is the equivalent of the dedicated security processor). In addition, a number of the hardware key vendors support additional capabilities to store secrets and implement cryptographic operations (storing a GPG key is a common usage, which can be used for SSH or code signing).

      IRT this article, OpenSSH now provides (more) direct access to some of the FIDO capabilities rather than the historical gpg-agent capabilities, which means it can use FIDO directly to enhance authentication, including additional attestation (some FIDO keys require biometrics (such as fingerprints) rather than just the physical device being present).

      FWIW, Microsoft has fully integrated FIDO2 into their entire Azure AD login sequence, you just plug in the key, and touch (fingerprint as required) and you are logged in. That type of seamless login is certainly desirable across all systems, although Linux is not there yet.
      Last edited by CommunityMember; 28 September 2020, 12:20 PM.

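The encodings behind the "direct access to FIDO capabilities" mentioned above, as an added, stand-alone example that is not code from this thread or from OpenSSH: the sk-ssh-ed25519@openssh.com public key and signature blobs and the data the authenticator actually signs, all as documented in OpenSSH's PROTOCOL.u2f file, plus the policy check sshd applies to the signature's user-presence and user-verification flag bits for the authorized_keys options "no-touch-required" (OpenSSH 8.2) and "verify-required" (new in 8.4, matching the "-O verify-required" ssh-keygen option for PIN- or biometric-protected keys). The 32-byte public key and the 64-byte signature are constructed stand-in bytes (no Ed25519 arithmetic is performed), and the authorized_keys parser deliberately ignores quoted option values; the application string "ssh:" is OpenSSH's default.

```python
import base64
import hashlib
import struct

SK_ED25519 = b"sk-ssh-ed25519@openssh.com"

# Bits of the flags byte the authenticator returns (same values OpenSSH uses in sk-api.h).
FLAG_USER_PRESENT = 0x01    # the key was touched
FLAG_USER_VERIFIED = 0x04   # a PIN or biometric was checked by the key


def ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def encode_sk_pubkey(pk, application=b"ssh:"):
    """Public key blob: type name, 32-byte Ed25519 key, FIDO application (relying party id)."""
    if len(pk) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    return ssh_string(SK_ED25519) + ssh_string(pk) + ssh_string(application)


def authorized_keys_line(pk, options=(), application=b"ssh:", comment=""):
    """Render one authorized_keys line: [options] type base64-blob [comment]."""
    blob = base64.b64encode(encode_sk_pubkey(pk, application)).decode()
    fields = [",".join(options)] if options else []
    fields += [SK_ED25519.decode(), blob]
    if comment:
        fields.append(comment)
    return " ".join(fields)


def parse_authorized_keys_line(line):
    """Return (options, key type, public key, application). Quoted option values are not handled."""
    fields = line.split()
    options = set()
    if fields[0] != SK_ED25519.decode():      # an options field precedes the key type
        options = set(fields[0].split(","))
        fields = fields[1:]
    blob = base64.b64decode(fields[1])
    ktype, off = read_string(blob, 0)
    if ktype != fields[0].encode():
        raise ValueError("key type in blob does not match text field")
    pk, off = read_string(blob, off)
    application, off = read_string(blob, off)
    return options, ktype, pk, application


def encode_sk_signature(sig, flags, counter):
    """Signature blob: type name, raw Ed25519 signature, flags byte, 32-bit signature counter."""
    return ssh_string(SK_ED25519) + ssh_string(sig) + bytes([flags]) + struct.pack(">I", counter)


def decode_sk_signature(blob):
    ktype, off = read_string(blob, 0)
    sig, off = read_string(blob, off)
    flags = blob[off]
    (counter,) = struct.unpack_from(">I", blob, off + 1)
    return ktype, sig, flags, counter


def sk_signed_data(application, flags, counter, message, extensions=b""):
    """What the authenticator signs: SHA256(application) || flags || counter || extensions || SHA256(message)."""
    return (hashlib.sha256(application).digest() + bytes([flags]) + struct.pack(">I", counter)
            + extensions + hashlib.sha256(message).digest())


def policy_allows(options, flags):
    """sshd's rule: touch is required unless no-touch-required; verify-required demands user verification."""
    if "verify-required" in options and not flags & FLAG_USER_VERIFIED:
        return False
    if "no-touch-required" not in options and not flags & FLAG_USER_PRESENT:
        return False
    return True


if __name__ == "__main__":
    pk = bytes(range(32))  # constructed stand-in for a real Ed25519 public key
    line = authorized_keys_line(pk, ("verify-required",), comment="fido-key")
    print(line)
    options, _, _, _ = parse_authorized_keys_line(line)
    print(policy_allows(options, FLAG_USER_PRESENT))                       # touch only: rejected
    print(policy_allows(options, FLAG_USER_PRESENT | FLAG_USER_VERIFIED))  # touch + PIN/biometric: accepted
```

The flags byte is the practical link to the biometric point above: a key generated with "ssh-keygen -t ed25519-sk -O verify-required" makes the authenticator set FLAG_USER_VERIFIED only after a PIN or fingerprint check, and an sshd line carrying "verify-required" refuses a signature that lacks that bit even though the Ed25519 signature itself is valid.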


      • #4
        Originally posted by uid313
        It seem to be supported with Firefox and Chrome.
        Do e.g. banks provide a USB dongle to their customers? (is the smartcard form-factor supported too?)

        Asking about the social aspect and real-world use rather than the technical side.
        Some people in some countries are forced to use a google play application on a phone with locked bootloader, which is fairly evil.
        Also if you're using a dongle maybe they don't have to force a google captcha on you, either.
        This gets all the more important if you have to deal with government services and taxes. (if you lose your dongle, you get it revoked like a SIM card and the older one becomes a dummy?)
        Should we write law proposals such that FLOSS users can login to government and health sites with suitable 2FA methods?



        • #5
          Originally posted by CommunityMember
          FWIW, Microsoft has fully integrated FIDO2 into their entire Azure AD login sequence, you just plug in the key, and touch (fingerprint as required) and you are logged in. That type of seamless login is certainly desirable across all systems, although Linux is not there yet.
          I do think that the core essentials for "FIDO2 on Linux" are there. That being this OpenSSH release.
          Next would be someone brave enough to make a PAM module to support it (or modify an existing one to add support that way).
          Then "all that's left" is to let the login managers (SDDM, but others too) play nice with PAM. SDDM should be capable, btw.

          Those 3 lines of text that I just wrote are probably weeks of development time at 8 hours/day. And then it would still be a happy-day implementation.
          If some devs would just like to do this...

          Note, in my ideal scenario you can use your phone's fingerprint sensor to login to your linux desktop. But that adds a whole bunch of layers of complexity.

          Btw. Thank you very much for your very educational reply! That's much appreciated!
