https://bugzilla.mindrot.org/show_bug.cgi?id=3748
--- Comment #5 from [email protected] ---

OK, turns out the second issue with the server-side check was entirely my fault. We were hashing the challenge and it was also getting doubly base64-encoded. Once fixed, the server-side check passes.

The original problem with the client-side check, however, I think is a genuine issue. One way I found to get around this, besides disabling the check (https://github.com/openssh/openssh-portable/blob/88b35cbdc1500efece65cd6a9a20a72cf7e46eaa/authfd.c#L440-L442) entirely, is to just get the agent to return "[email protected]" as the format, but pass the full webauthn signature structure (https://github.com/openssh/openssh-portable/blob/bb52e70fa5330070ec9a23069c311d9e277bbd6f/PROTOCOL.u2f#L212). Then on the server side, just detect that it's a webauthn signature based on the structure, rather than the key type (by modifying the code here a bit: https://github.com/openssh/openssh-portable/blob/master/ssh-ecdsa-sk.c#L288).

I guess that's probably not a viable fix for me to push upstream - just mentioning as a possible server-side solution, as in our case we have more control over the server-side deployment.

openssh-bugs mailing list
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
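To illustrate the structure-based detection the comment proposes, here is an added example (not code from the commenter or from OpenSSH) that parses an sk-ecdsa signature blob laid out as in PROTOCOL.u2f and decides whether it carries the WebAuthn trailer (origin, clientData, extensions) from the byte layout alone, ignoring the leading type name. The sample blobs, their r/s values and the origin string are constructed for the example.

```python
import struct

SK_TYPE = "sk-ecdsa-sha2-nistp256@openssh.com"

def _get_string(buf, off):
    """Read one SSH 'string' (uint32 big-endian length + bytes)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n

def _put_string(b):
    return struct.pack(">I", len(b)) + b

def parse_sk_signature(blob):
    """Parse the signature and flag the WebAuthn form by structure.

    Both forms start with: string type, string ecdsa_signature, byte flags,
    uint32 counter. Only the WebAuthn form then carries exactly three more
    strings; trailing bytes in any other shape are rejected, as sshd does."""
    sigtype, off = _get_string(blob, 0)
    inner, off = _get_string(blob, off)
    if off + 5 > len(blob):
        raise ValueError("truncated flags/counter")
    flags = blob[off]
    (counter,) = struct.unpack(">I", blob[off + 1:off + 5])
    off += 5
    r, o = _get_string(inner, 0)           # ecdsa_signature is mpint r, mpint s
    s, o = _get_string(inner, o)
    if o != len(inner):
        raise ValueError("trailing data inside ecdsa_signature")
    sig = {"type": sigtype.decode(), "flags": flags, "counter": counter,
           "r": r, "s": s, "webauthn": False}
    if off != len(blob):                   # decide on layout, not on sigtype
        origin, off = _get_string(blob, off)
        client_data, off = _get_string(blob, off)
        exts, off = _get_string(blob, off)
        if off != len(blob):
            raise ValueError("unexpected trailing data after extensions")
        sig.update(webauthn=True, origin=origin.decode(),
                   client_data=client_data, extensions=exts)
    return sig

def build_sample(webauthn):
    """Constructed blob: plain sk type name, optionally with WebAuthn trailer
    (the exact combination the comment describes the agent emitting)."""
    inner = _put_string(b"\x01" * 32) + _put_string(b"\x02" * 32)
    blob = (_put_string(SK_TYPE.encode()) + _put_string(inner)
            + bytes([0x01]) + struct.pack(">I", 7))
    if webauthn:
        blob += (_put_string(b"https://example.com")
                 + _put_string(b'{"type":"webauthn.get"}') + _put_string(b""))
    return blob
```

A verifier that accepts the trailer under the plain type name still has to run the usual WebAuthn origin and clientData checks on those fields before treating the ECDSA signature as valid.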
