by archi42
1485 days ago

> This should work on other FIDO keys like Google's Titan, but we don't have access to one over here and as such haven't tested it. For my trusty HyperFIDO Mini (USB ID 0x2ccf:0x0880) this doesn't work, though it's rather old (1st gen) and maybe they refreshed it to support this. ssh-keygen fails with "Key enrollment failed: requested feature not supported". I wanted to replace it with a USB-C (& maybe NFC) device anyway, so this seems like a good opportunity.

For WebAuthn this enables "usernameless" login. You rock up to a random PC anywhere in the world, go to example.com, just click "Sign in", and your authenticator is like, "Hi example.com, according to my records I am archi42, user 123456-ACBDE-123 and as proof here's a signature made with my unique private key" and the site checks its database and signs you in. Convenient and fairly secure (most devices with such a feature expect a PIN, or a fingerprint, or some such factor beyond "something you have" in the form of the authenticator itself).
For SSH, this means the magic file that makes SSH with FIDO work can be regenerated on another client machine by just asking it to spit out the credentials.
Chances are your device does not have this feature: usernameless login on the web is rare, so few people need it, and of course it's a considerable extra hardware implementation burden. Yubico products have it though, as do some others, and the phone implementations (iPhone, newer Android) likewise.
If you mostly use the same machines (laptop, maybe a desktop) for SSH, the resident feature isn't important; just don't write "-O resident", and remember that although they aren't a security feature, the resulting files are unique, and if you don't have them you can't log in. If you regularly use different machines for SSH login because you're, say, a roaming technician logging in to physical hardware on site, or you insist on travelling very light, then it's very valuable and worth upgrading to get the resident feature.
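The ssh-keygen side of what archi42 describes, as an added example that is not code from the thread or from any of its posters: enrol a resident key on one client, regenerate the handle files on a second client with `ssh-keygen -K`, plus two hardware-free checks on the resulting public-key and authorized_keys lines. The OpenSSH version (8.4 or newer, for `-O verify-required`), the key path and the application name `ssh:archi42-example` are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Enrol a resident ("discoverable")
# FIDO2 key for SSH on one client, then recover the handle files on another.
# Assumptions: OpenSSH 8.4 or newer (ssh-keygen -O verify-required and -K),
# a token with resident-key support, and the illustrative application name
# "ssh:archi42-example" and key path used below.
set -eu

# Step 1 (first machine): create a resident ed25519-sk credential. The private
# key stays on the token; the file written to $1 is only a key handle plus the
# public key. -O verify-required makes the token ask for its PIN/biometric on
# every use, i.e. the factor beyond "something you have" mentioned above. If
# this fails with "requested feature not supported", the token cannot store
# resident credentials: drop -O resident and keep the handle file safe instead.
enroll_resident_key() {
    keyfile="$1"    # e.g. "$HOME/.ssh/id_ed25519_sk"
    ssh-keygen -t ed25519-sk \
        -O resident \
        -O verify-required \
        -O application=ssh:archi42-example \
        -f "$keyfile"
}

# Step 2 (any other machine, same token plugged in): ask the token for its
# resident credentials and regenerate the handle files. ssh-keygen -K writes
# id_ed25519_sk_rk_<application> and its .pub into the current directory.
recover_resident_keys() {
    (cd "$HOME/.ssh" && ssh-keygen -K)
}

# Hardware-free check: does a public-key line (from a .pub file or an
# authorized_keys entry, options or not) carry a FIDO key type? Prints the
# type and returns 0, or returns 1 for a non-FIDO key.
sk_pubkey_type() {
    for word in $1; do
        case "$word" in
            sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com)
                printf '%s\n' "$word"
                return 0 ;;
        esac
    done
    return 1
}

# Hardware-free check: is verify-required set in the options field of an
# authorized_keys line? Without it, sshd does not check the user-verified
# flag in the FIDO signature, so PIN enforcement is left to the client.
# (Splits on whitespace, so it does not handle quoted options with spaces.)
authorized_key_requires_verify() {
    set -- $1                       # [options] type key [comment]
    case "$1" in
        *@openssh.com|ssh-*|ecdsa-*) return 1 ;;   # no options field at all
    esac
    case ",$1," in
        *,verify-required,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (commented so the script can be sourced without a token attached):
#   enroll_resident_key "$HOME/.ssh/id_ed25519_sk"
#   sk_pubkey_type "$(cat "$HOME/.ssh/id_ed25519_sk.pub")"
#   ...later, on another client: recover_resident_keys
```

The two check functions are what you run after enrolment or recovery to confirm the `.pub` really is an `sk-` type and that the server-side `authorized_keys` entry carries `verify-required`; the latter is the only place the PIN requirement is enforced against a stolen handle file, since a non-resident handle does not make the token insist on user verification by itself.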