PuTTY wish fido2

This is a mirror. Follow this link to find the primary PuTTY web site.

Home | FAQ | Feedback | Licence | Updates | Mirrors | Keys | Links | Team
Download: Stable · Snapshot | Docs | Changes | Wishlist

summary: Support for U2F / FIDO2 security keys via 'sk-foo@openssh.com' public-key types
class: wish: This is a request for an enhancement.
difficulty: taxing: Needs external things we don't have (standards, users etc)
priority: low: We aren't sure whether to fix this or not.

OpenSSH supports the use of hardware tokens for two-factor authentication using the FIDO2 protocol. At the SSH layer this is achieved by adding extra public-key types called sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com (plus their certified versions in the usual way). The protocol is documented in the file PROTOCOL.u2f in the OpenSSH source distribution.

Of course, it would be useful for PuTTY to support this too, for users who need to log in to servers that only accept these key types, or users who merely consider this system a security benefit.

This bug is listed at Taxing difficulty, because there are two things we don't have, and would need in order to implement it:

Firstly, we don't know how to go about accessing a hardware token of this kind on Windows. At the time of writing this, we don't even know what type of API would be involved: something built in to Windows, or something that involves loading a driver DLL from the manufacturer of the specific token, or something even stranger.

(On Unix, OpenSSH's own source code is available to function as example code. But an implementation of this system in only Unix PuTTY would be very strange.)

Secondly, more obviously, we'd need some test hardware, in order to get the system working in the first place. And we'd need to keep it, to check it was still working in future releases.


If you want to comment on this web site, see the Feedback page.
Audit trail for this wish.
(last revision of this bug record was at 2023-07-14 09:12:54 +0100)