On Thu, Apr 20, 2017 at 08:04:34AM -0400, Marc Boorshtein wrote:
> Has anyone looked into using U2F with freeipa? My guess is you would need
> a customized ssh client to interact with the device but in theory you could
> just transform the user's U2F public key into an ssh key.
>
> Marc Boorshtein
> CTO, Tremolo Security, Inc.

Hi Marc,

We have had preliminary discussion about U2F. As you suggest, U2F
requires client support. U2F does not provide a general signing
operation (it only signs a specific kind of message[1]) so some
server support is probably required as well.

[1] https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html#authentication-response-message-success

That said, a lot of U2F devices have additional / alternative modes
with PKCS #11 interfaces, e.g. PIV, allowing them to be used as
generic crypto tokens.

Thanks,
Fraser
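
The fixed message layout referred to in [1], as an added example that is not part of the original thread or of FreeIPA: it parses a U2F authentication response and rebuilds the bytes the token actually signs, showing that caller data only enters as a SHA-256 hash inside a fixed frame. The app ID, the "SSH blob" and the signature bytes are constructed placeholders, and no signature verification is performed.

```python
import hashlib
import struct

# Constructed sample values (assumptions, not from the thread).
SAMPLE_APP_ID = "https://ipa.example.test"
SAMPLE_BLOB = b"constructed ssh session blob"
# presence=0x01 | counter=42 (big-endian) | placeholder DER SEQUENCE, not a real signature
SAMPLE_RESPONSE = bytes([0x01]) + struct.pack(">I", 42) + bytes.fromhex("3006020101020101")


def parse_auth_response(raw: bytes):
    """Split an authentication response: presence(1) | counter(4, BE) | DER signature."""
    if len(raw) < 5 + 8:  # 5 header bytes plus the shortest possible DER ECDSA signature
        raise ValueError("response too short")
    presence = raw[0]
    if not presence & 0x01:
        raise ValueError("user presence bit not set")
    (counter,) = struct.unpack(">I", raw[1:5])
    signature = raw[5:]
    if signature[0] != 0x30:  # ECDSA signatures are an ASN.1 DER SEQUENCE
        raise ValueError("signature is not a DER SEQUENCE")
    return presence, counter, signature


def signed_payload(app_id: str, client_data: bytes, presence: int, counter: int) -> bytes:
    """Bytes covered by the signature:
    SHA-256(app id)[32] | presence[1] | counter[4] | SHA-256(client data)[32]
    """
    app_param = hashlib.sha256(app_id.encode()).digest()
    challenge_param = hashlib.sha256(client_data).digest()
    return app_param + bytes([presence]) + struct.pack(">I", counter) + challenge_param


if __name__ == "__main__":
    presence, counter, sig = parse_auth_response(SAMPLE_RESPONSE)
    payload = signed_payload(SAMPLE_APP_ID, SAMPLE_BLOB, presence, counter)
    print("presence:", presence, "counter:", counter, "sig bytes:", len(sig))
    print("signed payload length:", len(payload))
    # A verifier expecting a signature directly over SAMPLE_BLOB would reject this:
    print("payload equals blob:", payload == SAMPLE_BLOB)
```

A verifier has to rebuild this 69-byte frame itself before checking the signature, which is the server-side support mentioned in the reply.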