SoftU2F-Win
openssh-sk-winhello
SoftU2F-Win | openssh-sk-winhello | |
---|---|---|
1 | 7 | |
64 | 183 | |
- | - | |
3.3 | 0.0 | |
4 months ago | almost 2 years ago | |
C | C | |
The Unlicense | GNU Lesser General Public License v3.0 only |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
SoftU2F-Win
-
On-device WebAuthn and what makes it hard to do well
It's been a few years, but the main references I remember using:
1. Windows: https://github.com/frankmorgner/vsmartcard/tree/master/virtu..., which is a fix-up of the older https://www.codeproject.com/Articles/134010/An-UMDF-Driver-f..., and https://github.com/Watfaq/SoftU2F-Win/tree/master/SoftU2FDri.... Note that neither of these actually implement CTAP2.
2. Linux: There's plenty to refer to on HID gadgets, but https://blog.hansenpartnership.com/webauthn-in-linux-with-a-... and the code at https://git.kernel.org/pub/scm/linux/kernel/git/jejb/fido2-c... were my entrypoint.
3. Mac: I ended up not implementing a Mac version, but GitHub themselves used to support a CTAP1/U2F software authenticator, now archived at https://github.com/github/SoftU2F. I was going to work from that.
For the service I looked at different software "devices" interfacing with these kinds of drivers (or just the browser directly in Firefox's case).
1. Generic NIST SP 800-73 PIV: https://github.com/CCob/PIVert. Very limited scope, pentest tool with no extraneous features. It uses the BixVReader driver.
openssh-sk-winhello
-
Use TouchID to Authenticate Sudo on macOS
For Windows, it seems it's possible[0, see footnote], however there are problems like general incompatibilities [1], and official support status is " We have this in our backlog. At this point it's not prioritized.".
0: https://github.com/tavrez/openssh-sk-winhello
0.footnote: "Windows Hello also supports other types of authenticators like internal TPM device(if they support generating ECDSA or Ed25519 keys, they can be used instead of FIDO/U2F security keys)."
1: https://github.com/tavrez/openssh-sk-winhello/issues
2: https://github.com/PowerShell/Win32-OpenSSH/issues/1804#issu...
-
Hardening SSH
Awesome article! Also found this tool (tavrez/OpenSsh-sk-winhello) for windows that lets you do this without admin access
-
[QUESTION] Is there a best way to manage multiple SSH on multiple Yubikeys?
Which is also how they are generated when retrieving them on a new computer via ssh-keygen -K since I used the application=ssh:yubikey_5 flag when first generating them. So something like ssh-keygen -t ed25519-sk -O resident -O application=ssh:yubikey_5c, but because I am on Windows I also had the -w winhello.dll flag (In case anyone stumbles on this question)
-
Using Yubikey FIDO with ssh-agent on macOS?
This is what i used but YMMV https://github.com/tavrez/openssh-sk-winhello/releases/tag/v2.0.0
-
Tell HN: GitHub no longer supporting unauthenticated `git://`
> Because AFAIK, (Fido) yubikey support is still missing.
Correct, hopefully Microsoft will provide an updated SSH client soon. It only requires recompiling OpenSSH with the correct flags.
Alternatively, use these build instruction for openssh with FIDO for windows:
https://gist.github.com/martelletto/6a7cf806c6433ac9ce71d66a...
> Using either the PKCS#11 support or the gpg applet requires some extra piece of software
For those wanting to do that, here are some ways:
Using a premade dll:
https://github-wiki-see.page/m/mooltipass/minible/wiki/Setti...
Or with a middleware:
https://github.com/mgbowen/windows-fido-bridge
Using the Hello API:
https://github.com/tavrez/openssh-sk-winhello
Given how many people came with their own ways, I believe there's enough demand for Microsoft to fix that.
- Unable to generate ssh sk keys on Windows 10
-
How often should I rotate my SSH keys?
My knowledge of WebAuthn is limited but their invocation of the relevant API seems like it should work for fingerprints also.
[1] https://github.com/tavrez/openssh-sk-winhello
What are some alternatives?
virtual-fido - A Virtual FIDO2 USB Device
libfido2 - Provides library functionality for FIDO2, including communication with a device over USB or NFC.
SoftU2F - Software U2F authenticator for macOS
windows-fido-bridge - An OpenSSH SK middleware that allows you to use a FIDO/U2F security key (e.g. a YubiKey) to SSH into a remote server from WSL or Cygwin.
tpm-fido - A WebAuthn/U2F token protected by a TPM (Go/Linux)
wsl2-ssh-pageant - bridge between windows pageant and wsl2
softfido - A software FIDO2/U2F authenticator
secretive - Store SSH keys in the Secure Enclave
vsmartcard - umbrella project for emulation of smart card readers or smart cards
sekey - Use Touch ID / Secure Enclave for SSH Authentication!
Win32-OpenSSH - Win32 port of OpenSSH
bless - Repository for BLESS, an SSH Certificate Authority that runs as a AWS Lambda function