
OpenSSH >=8.2 allows the use of FIDO2 authentication, and the ssh-keygen command allows the creation of resident keys on FIDO2 tokens (such as a Yubikey). There is also the option of outputting attestation data during key generation with the write-attestation option, e.g.:

    ssh-keygen -t ed25519-sk -O resident -O write-attestation=id_ed25519-Yubikey.attest -O application=ssh:id_ed25519-Yubikey -f id_ed25519-Yubikey

Two questions:

  1. What is the format of the attestation file that is created by OpenSSH?

  2. Can the attestation data be used to verify the corresponding ssh public key was generated on a FIDO2 token, and hence only resides as a resident key on the Yubikey/FIDO2 token?

cloud_hack

1 Answer


The format is documented here:

Attestation information is useful for out-of-band key and certificate
registration workflows, e.g. proving to a CA that a key is backed
by trusted hardware before it will issue a certificate. To support this
case, OpenSSH optionally allows retaining the attestation information
at the time of key generation. It will take the following format:

    string      "ssh-sk-attest-v01"
    string      attestation certificate
    string      enrollment signature
    string      authenticator data (CBOR encoded)
    uint32      reserved flags
    string      reserved string

I don't believe that this can be used directly by an openssh server today. However, you could use this in conjunction with an ssh certificate authority to only issue certificates to keys that have proven they were generated on a certain FIDO2 device.

psanford
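As an added example (not part of the question or of psanford's answer), the following stand-alone Python parses the ssh-sk-attest-v01 structure quoted above and pulls out the pieces a CA would look at. It rests on two assumptions about OpenSSH's implementation: that ssh-keygen writes the structure to the attestation file raw, with no further wrapper, and that the "authenticator data (CBOR encoded)" field is the WebAuthn authenticator data wrapped as a single CBOR byte string (the form libfido2 returns), which is why the code unwraps one CBOR item before reading rpIdHash, flags, sign count, AAGUID, credential ID and the COSE public key. Every sample byte, including the certificate, signature, AAGUID and public key, is a constructed placeholder. It deliberately does not verify the enrollment signature or chain the attestation certificate to a vendor root; those two steps are what actually prove hardware origin and need an X.509 library plus the vendor's root certificate.

```python
import hashlib
import struct

# Constructed sample inputs (NOT real token output).
APPLICATION = b"ssh:id_ed25519-Yubikey"   # the -O application value from the question
FAKE_CERT = b"\x30\x03\x02\x01\x00"        # placeholder bytes, not a real X.509 certificate
FAKE_SIG = bytes(range(64))                # placeholder bytes, not a real signature
FAKE_AAGUID = bytes.fromhex("00112233445566778899aabbccddeeff")  # made-up authenticator model id
FAKE_CRED_ID = b"\xaa" * 16
FAKE_PUBKEY = b"\x5a" * 32                 # stand-in for the Ed25519 public key the token generated

def ssh_string(b):
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def build_sample_attest():
    """Assemble an ssh-sk-attest-v01 blob with the field order quoted in the answer."""
    cose_key = (b"\xa4"                       # CBOR map, 4 pairs (COSE_Key)
                b"\x01\x01"                   # 1 (kty)  = 1 (OKP)
                b"\x03\x27"                   # 3 (alg)  = -8 (EdDSA)
                b"\x20\x06"                   # -1 (crv) = 6 (Ed25519)
                b"\x21\x58\x20" + FAKE_PUBKEY)  # -2 (x)   = 32-byte public key
    authdata = (hashlib.sha256(APPLICATION).digest()  # rpIdHash: OpenSSH uses the application as RP ID
                + b"\x41"                             # flags: UP (0x01) | AT (0x40)
                + struct.pack(">I", 0)                # signature counter
                + FAKE_AAGUID
                + struct.pack(">H", len(FAKE_CRED_ID)) + FAKE_CRED_ID
                + cose_key)
    # Assumption: the field carries the authenticator data as one CBOR byte string (0x58 = bstr, 1-byte length).
    cbor_authdata = b"\x58" + bytes([len(authdata)]) + authdata
    return (ssh_string(b"ssh-sk-attest-v01") + ssh_string(FAKE_CERT) + ssh_string(FAKE_SIG)
            + ssh_string(cbor_authdata) + struct.pack(">I", 0) + ssh_string(b""))

def read_string(buf, off):
    """Read one SSH string at off; return (value, new_off). Refuses to read past the buffer."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off:off + n], off + n

def cbor_decode(buf, off=0):
    """Minimal CBOR decoder: ints, negative ints, byte/text strings, arrays, maps (enough for COSE keys)."""
    major, info = buf[off] >> 5, buf[off] & 0x1F
    off += 1
    if info < 24:
        arg = info
    elif info <= 27:
        size = 1 << (info - 24)
        arg = int.from_bytes(buf[off:off + size], "big")
        off += size
    else:
        raise ValueError("unsupported CBOR additional info %d" % info)
    if major == 0:
        return arg, off
    if major == 1:
        return -1 - arg, off
    if major in (2, 3):
        val = buf[off:off + arg]
        return (val if major == 2 else val.decode()), off + arg
    if major in (4, 5):
        items = []
        for _ in range(arg * (2 if major == 5 else 1)):
            item, off = cbor_decode(buf, off)
            items.append(item)
        return (dict(zip(items[0::2], items[1::2])) if major == 5 else items), off
    raise ValueError("unsupported CBOR major type %d" % major)

def parse_attest(blob):
    """Split an ssh-sk-attest-v01 blob into its fields and decode the authenticator data inside."""
    magic, off = read_string(blob, 0)
    if magic != b"ssh-sk-attest-v01":
        raise ValueError("not an ssh-sk-attest-v01 blob: %r" % magic)
    cert, off = read_string(blob, off)
    sig, off = read_string(blob, off)
    cbor_authdata, off = read_string(blob, off)
    (reserved_flags,) = struct.unpack_from(">I", blob, off)
    reserved, off = read_string(blob, off + 4)
    if off != len(blob):
        raise ValueError("trailing bytes after attestation structure")
    authdata, _ = cbor_decode(cbor_authdata)           # unwrap the CBOR byte string
    if not isinstance(authdata, bytes) or len(authdata) < 37:
        raise ValueError("authenticator data is not a CBOR byte string of usable length")
    out = {"cert_der": cert, "signature": sig, "reserved_flags": reserved_flags, "reserved": reserved,
           "rp_id_hash": authdata[:32], "flags": authdata[32],
           "sign_count": struct.unpack_from(">I", authdata, 33)[0]}
    if out["flags"] & 0x40:                            # AT bit: attested credential data follows
        out["aaguid"] = authdata[37:53]
        (cid_len,) = struct.unpack_from(">H", authdata, 53)
        out["credential_id"] = authdata[55:55 + cid_len]
        out["cose_key"], _ = cbor_decode(authdata, 55 + cid_len)
    return out

def binds_to_ssh_key(attest, application, ed25519_pub):
    """True if the attested credential is for this application string and this Ed25519 public key."""
    key = attest.get("cose_key", {})
    return (attest["rp_id_hash"] == hashlib.sha256(application).digest()
            and key.get(1) == 1 and key.get(3) == -8 and key.get(-1) == 6
            and key.get(-2) == ed25519_pub)

if __name__ == "__main__":
    a = parse_attest(build_sample_attest())
    print("AAGUID %s, flags 0x%02x, sign count %d" % (a["aaguid"].hex(), a["flags"], a["sign_count"]))
    print("attestation binds to sample key and application:", binds_to_ssh_key(a, APPLICATION, FAKE_PUBKEY))
```

On the second question: binds_to_ssh_key() is the link between the attestation and the .pub file. The rpIdHash must equal SHA-256 of the string given as -O application, and the COSE key's x coordinate must equal the 32-byte key carried inside the base64 sk-ssh-ed25519@openssh.com blob in the public key file; if either differs, the attestation is for some other credential. The AAGUID identifies the authenticator model and is what a CA policy would compare against its approved list, but only after the attestation certificate has been chained to the vendor's root and the enrollment signature verified. Note that nothing in this structure records whether the credential was stored as a resident key: the flags byte carries user-presence, user-verification, attested-data and extension bits, not resident-key status, so the attestation supports "generated on this kind of token", not "exists only as a resident key on it".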