From: Achim Gratz
To: cygwin-apps@cygwin.com
Subject: [ATTN MAINTAINER] openssh
Date: Sun, 21 Nov 2021 11:01:46 +0100
Message-ID: <874k85yghh.fsf@Rainer.invalid>

Here are my fixes to make transparent WebAuthn through libfido2 work w/ OpenSSH. This is required for Win10 from release 1909; access to USB-HID has since been restricted to users with administrative privileges:

https://cygwin.com/git-cygwin-packages/?p=git/cygwin-packages/playground.git;a=shortlog;h=refs/heads/openssh

The changes switch to a newer API available from libfido2 that is required for WebAuthn support (which needs the unhashed data instead of the SHA256 like the actual FIDO2 token), make that protocol the preferred one (so that WebAuthn is always used when available w/o being dependent on the order of the device enumeration) and lastly prevent some extra (optional) PIN prompts from WinHello that do not happen when using the USB-HID interface either. The PIN patches were inspired by an OpenSSH-portable fork that seems to be maintained by some folks who also work on libfido, although they seem to have missed a few spots and I opted for slightly different patches.

The use of the new API is properly wired into the configury. Unfortunately libfido2 does not provide a way to determine if WebAuthn support has been compiled in (the one exposed function is a predicate that always returns false on builds that do not use WebAuthn), so I'm currently using a heuristic that eventually should be replaced by a configure option. Also, it would probably be a good idea to decide at runtime whether to use WebAuthn or not (maybe via an environment or config variable).

These patches work for 32-bit also and I believe they are correct, but that build should not be made available due to a bug in libfido2 that crashes when trying to free the memory associated with the WebAuthn payload returned. Without these patches applied you can still use the fallback to USB-HID when you are an administrator.

Regards,
Achim.

-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptations for KORG EX-800 and Poly-800MkII V0.9:
http://Synth.Stromeko.net/Downloads.html#KorgSDada