U2F support in OpenSSH HEAD
by from OpenBSD Journal on (#4TJYA)
In a message to the openssh-unix-dev mailing list, Damien Miller (djm@) wrote:
“As of this morning, OpenSSH now has experimental U2F/FIDO support, with U2F being added as a new key type "sk-ecdsa-sha2-nistp256@openssh.com" or "ecdsa-sk" for short (the "sk" stands for "security key"). If you're not familiar with U2F, this is an open standard for making inexpensive hardware security tokens. These are easily the cheapest way for users to get a hardware-backed keypair and there is a good range of vendors who sell them including Yubico, Feitian, Thetis and Kensington. Hardware-backed keys offer the benefit of being considerably more difficult to steal - an attacker typically has to steal the physical token (or at least persistent access to it) in order to steal the key.”
See the full message for all the details.
Thank you Damien (djm@) and Darren (dtucker@) (OpenSSH-portable) for this important contribution to OpenSSH security.