[Freeipa-users] U2F and ipa for ssh
Fraser Tweedale
ftweedal at redhat.com
Fri Apr 21 01:26:10 UTC 2017
On Thu, Apr 20, 2017 at 08:04:34AM -0400, Marc Boorshtein wrote:
> Has anyone looked into using U2F with freeipa? My guess is you would need
> a customized ssh client to interact with the device but in theory you could
> just transform the user's U2F public key into an ssh key.
>
> Marc Boorshtein
> CTO, Tremolo Security, Inc.
Hi Marc,

We have had preliminary discussion about U2F.

As you suggest, U2F requires client support. U2F does not provide a
general signing operation (it only signs a specific kind of
message[1]) so some server support is probably required as well.

[1] https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html#authentication-response-message-success

That said, a lot of U2F devices have additional / alternative modes
with PKCS #11 interfaces, e.g. PIV, allowing them to be used as
generic crypto tokens.

Thanks,
Fraser
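
The authentication response format referenced in [1], as an added example that is not part of the original message: it parses a raw response and rebuilds the fixed byte string a U2F token signs, showing that the caller's data only enters the signature as a hash inside a wrapper. The app ID, client data and response bytes are constructed sample values, the function names are hypothetical, and the APDU status word is assumed to be already stripped.

```python
import hashlib
import struct

# Constructed sample values (not from a real device or a real IPA deployment).
SAMPLE_APP_ID = "https://ipa.example.test"
SAMPLE_CLIENT_DATA = b'{"typ":"navigator.id.getAssertion","challenge":"c2FtcGxl"}'
# user presence 0x01, counter 42, then a structurally valid DER SEQUENCE of two
# INTEGERs used as a placeholder; it is not a real ECDSA signature.
SAMPLE_RESPONSE = b"\x01" + struct.pack(">I", 42) + bytes.fromhex("3006020101020101")


def parse_auth_response(raw: bytes):
    """Split a raw U2F authentication response into its three fields."""
    if len(raw) < 6:
        raise ValueError("too short for a U2F authentication response")
    user_presence = raw[0]                      # 1 byte, bit 0 = user present
    (counter,) = struct.unpack(">I", raw[1:5])  # 4 bytes, big-endian
    signature = raw[5:]                         # X9.62 DER-encoded ECDSA signature
    if signature[0] != 0x30:
        raise ValueError("signature is not a DER SEQUENCE")
    return user_presence, counter, signature


def signed_data(app_id: str, client_data: bytes,
                user_presence: int, counter: int) -> bytes:
    """Rebuild the byte string the token signs (always 69 bytes).

    Layout: application parameter (32) || user presence (1) ||
            counter (4) || challenge parameter (32)
    """
    app_param = hashlib.sha256(app_id.encode()).digest()
    chal_param = hashlib.sha256(client_data).digest()
    return (app_param + bytes([user_presence])
            + struct.pack(">I", counter) + chal_param)


if __name__ == "__main__":
    up, ctr, sig = parse_auth_response(SAMPLE_RESPONSE)
    blob = signed_data(SAMPLE_APP_ID, SAMPLE_CLIENT_DATA, up, ctr)
    print(f"user_presence={up} counter={ctr} sig_len={len(sig)}")
    print(f"verifier must check the signature over {len(blob)} bytes: {blob.hex()}")
```

A verifier has to rebuild this 69-byte structure before checking the signature against the registered P-256 public key, which is the server-side support the message refers to.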