Hi hackers, Would others be interested in adding support for FIDO2 as a new SASL authentication mechanism?
As a macOS user, FIDO2 has become very convenient since the release of macOS Tahoe in September 2025, which added built-in support for Secure Enclave-backed SSH keys [1] [2]. The key pair is generated on the Secure Enclave and the private key cannot be exported, so even if your computer is compromised, you can be quite confident that they at least couldn't steal your private keys. When logging in, you have to touch the TouchID for the Secure Enclave to sign the challenge. I really love how this scores very high on both security and convenience.

So, I think it would be nice if authenticating to PostgreSQL via psql could be made equally secure and convenient, by simply reusing the same OpenSSH hardware-backed FIDO2 SSH keys: copying the key string from ~/.ssh/authorized_keys and registering it with your PostgreSQL role. This would of course also work with hardware keys, such as YubiKey.

Example:

    ALTER ROLE joel ADD CREDENTIAL macos 'sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBOG0NTN8AqegdlKrGTuddOFt0G4ANYzwkBtjSS0zCWCB1IuJisW41qBQ/JSGWjJp1B7OXD52AwfyB4sbUs1Kqg0AAAAEc3NoOg==';

Add "fido2" to pg_hba.conf:

    hostssl all all 0.0.0.0/0 fido2
    hostssl all all ::/0 fido2

You would need to load the resident keys from the FIDO2 authenticator, once per bootup:

    % ssh-add -K
    Enter PIN for authenticator:
    Resident identity added: ECDSA-SK SHA256:6/FvVcfzjLTt27bieSk5UpsPFYvGGkL5njORDz1JmM8

You would then specify the sk-provider when connecting via psql:

    % PGSKPROVIDER=/usr/lib/ssh-keychain.dylib psql

The server sends a random challenge, the user is prompted to touch the TouchID, the client's security key then signs it, and the server verifies the signature.

I have some experience of FIDO2/WebAuthn in the application layer, and would be willing to try to draft a patch on this, given there is enough interest in this.
/Joel

[1] https://gist.github.com/arianvp/5f59f1783e3eaf1a2d4cd8e952bb4acf
[2] https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041451.html
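An added example (not part of the proposal above, nor PostgreSQL or OpenSSH code) showing what the server side of the described exchange has to do: parse the sk-ecdsa key blob from the ALTER ROLE line, issue a challenge, and verify the authenticator's signature over it. It assumes the signed message keeps OpenSSH's PROTOCOL.u2f layout (SHA256(application) || flags || counter || SHA256(challenge)). The authenticator is simulated with a throwaway software P-256 key, since no Secure Enclave is involved; the wire encoding of the signature blob and the SASL framing are left out; the type and function names are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

const flagUserPresent = 0x01 // set when the authenticator saw a touch

// Public key blob from the ALTER ROLE example in the post above.
const pageKey = "AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBOG0NTN8AqegdlKrGTuddOFt0G4ANYzwkBtjSS0zCWCB1IuJisW41qBQ/JSGWjJp1B7OXD52AwfyB4sbUs1Kqg0AAAAEc3NoOg=="

// SKKey is a parsed sk-ecdsa-sha2-nistp256@openssh.com public key: the P-256
// point plus the application string ("ssh:") bound into every signature.
type SKKey struct {
	Pub         *ecdsa.PublicKey
	Application string
}

// SKSignature carries the fields of an sk-ecdsa signature that a server checks.
type SKSignature struct {
	R, S    *big.Int
	Flags   byte
	Counter uint32
}

// readString pops one SSH wire "string" (uint32 big-endian length, then bytes).
func readString(b []byte) (s, rest []byte, err error) {
	if len(b) < 4 || uint64(len(b)-4) < uint64(binary.BigEndian.Uint32(b)) {
		return nil, nil, errors.New("truncated SSH string")
	}
	n := binary.BigEndian.Uint32(b)
	return b[4 : 4+n], b[4+n:], nil
}

// ParseSKKey decodes the base64 field of an authorized_keys line: four SSH
// strings (key type, curve name, uncompressed EC point, application).
func ParseSKKey(b64 string) (*SKKey, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	var f [4][]byte
	for i := range f {
		if f[i], raw, err = readString(raw); err != nil {
			return nil, err
		}
	}
	if string(f[0]) != "sk-ecdsa-sha2-nistp256@openssh.com" || string(f[1]) != "nistp256" || len(raw) != 0 {
		return nil, errors.New("not a well-formed sk-ecdsa-sha2-nistp256 key")
	}
	x, y := elliptic.Unmarshal(elliptic.P256(), f[2])
	if x == nil {
		return nil, errors.New("EC point is not on P-256")
	}
	return &SKKey{Pub: &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, Application: string(f[3])}, nil
}

// signedHash is SHA-256 over what the authenticator actually signs (OpenSSH
// PROTOCOL.u2f): SHA256(application) || flags || counter || SHA256(challenge).
func signedHash(app string, flags byte, counter uint32, challenge []byte) []byte {
	appHash, chalHash := sha256.Sum256([]byte(app)), sha256.Sum256(challenge)
	data := append(appHash[:], flags, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	h := sha256.Sum256(append(data, chalHash[:]...))
	return h[:]
}

// SimulatedSign stands in for the Secure Enclave or YubiKey (simulation only):
// a software P-256 key signs after the "touch" and reports the credential's counter.
func SimulatedSign(priv *ecdsa.PrivateKey, app string, counter uint32, challenge []byte) (*SKSignature, error) {
	r, s, err := ecdsa.Sign(rand.Reader, priv, signedHash(app, flagUserPresent, counter, challenge))
	if err != nil {
		return nil, err
	}
	return &SKSignature{R: r, S: s, Flags: flagUserPresent, Counter: counter}, nil
}

// Verify is the server side: the signature must cover the challenge the server
// issued and the registered application, user presence must be asserted, and the
// counter must move forward (a cloned authenticator shows up as a stalled or
// regressing counter). It returns the counter to store for the next login.
func Verify(key *SKKey, challenge []byte, sig *SKSignature, lastCounter uint32) (uint32, error) {
	if sig.Flags&flagUserPresent == 0 {
		return 0, errors.New("user presence not asserted")
	}
	if sig.Counter <= lastCounter {
		return 0, errors.New("signature counter did not increase")
	}
	if !ecdsa.Verify(key.Pub, signedHash(key.Application, sig.Flags, sig.Counter, challenge), sig.R, sig.S) {
		return 0, errors.New("signature does not verify")
	}
	return sig.Counter, nil
}

func main() {
	if key, err := ParseSKKey(pageKey); err == nil {
		fmt.Println("page key: P-256, application", key.Application)
	}
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	challenge := make([]byte, 32)
	rand.Read(challenge) // the server's fresh per-login challenge
	sig, _ := SimulatedSign(priv, "ssh:", 8, challenge)
	_, err := Verify(&SKKey{Pub: &priv.PublicKey, Application: "ssh:"}, challenge, sig, 7)
	fmt.Println("simulated login verified:", err == nil)
}
```

Two details matter for a server implementing this: the application string stored with the role is part of the signed data, so a signature made for "ssh:" cannot be replayed against a credential registered under a different application, and the per-credential counter has to be persisted and compared on every login, which is what lets the server notice a cloned authenticator.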
