DEVHIDE
Login Or Sign up

Can the OpenSSH FIDO2 ssh key attestation data be used verify the key resides only a FIDO2 token (e.g. Yubikey)?

278 Views Asked by At

OpenSSH >=8.2 allows the use of FIDO2 authentication and the ssh-keygen command allows the creation of resident keys on FIDO2 tokens (such as a Yubikey). There is also the option of outputting attestation data during key generation with the write-attestation option. E.g.

ssh-keygen -t ed25519-sk -O resident -O write-attestation=id_ed25519-Yubikey.attest -O application=ssh:id_ed25519-Yubikey -f id_ed25519-Yubikey

Two questions:

  1. What is the format of the attestation file that is created by OpenSSH?

  2. Can the attestation data be used to verify the corresponding ssh public key was generated on a FIDO2 token, and hence only resides as a resident key on the Yubikey/FIDO2 token?

ssh openssh webauthn ssh-keygen fido
Original Q&A
2

There are 2 best solutions below

0
psanford On

The format is documented here:

Attestation information is useful for out-of-band key and certificate
registration workflows, e.g. proving to a CA that a key is backed
by trusted hardware before it will issue a certificate. To support this
case, OpenSSH optionally allows retaining the attestation information
at the time of key generation. It will take the following format:

    string      "ssh-sk-attest-v01"
    string      attestation certificate
    string      enrollment signature
    string      authenticator data (CBOR encoded)
    uint32      reserved flags
    string      reserved string

I don't believe that this can be used directly by an openssh server today. However you could use this in conjunction with an ssh certificate-authority to only issue certificates to keys that have proven they were generated on a certain fido2 device.

0
joostd On

You can use something like this quick&dirty script: https://gist.github.com/joostd/ed790ade9ddd4b711af6c1b80eaed7ca

$ openssl rand 32 > challenge.bin
$ ssh-keygen -t ${KEYTYPE} -f ./id -N "" -O challenge=challenge.bin -O write-attestation=attestation.bin
...
$ curl -sL https://mds3.fidoalliance.org/ > mds.jwt
$ ./ssh-sk-attest.py --mds mds.jwt  
✅ valid attestation for hardware authenticator (ee882879-721c-4913-9775-3dfcce97072a): YubiKey 5 Series

Related Questions in SSH

Related Questions in OPENSSH

Related Questions in WEBAUTHN

Related Questions in SSH-KEYGEN

Related Questions in FIDO

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json

Popular Questions

.

Copyright © 2021 Jogjafile Inc.