
server auth: ssh-agent and WebAuthn support?

  • #8851
    [anonymous]

    Currently it is possible to specify an SSH key, and even the decryption key for it, as part of the SFTP server configuration.
    In many cases it is better not to read the key directly but to consult an ssh-agent that manages your key: for example the OpenSSH ssh-agent, commonly found on *nix systems and in WSL, or Pageant in the PuTTY suite.

    The advantages are numerous: you can have the key decryption fit in with your system login, you can have multiple keys loaded, the keys can come not just from a file but from a forwarded pipe (remote desktop and X11 forwarding), and they can be stored in hardware tokens like a YubiKey/Titan/SoloKey/Nitrokey/…
    (This would also tie in with a potential git-over-SSH capability, as an alternative to tokens for GitLab/GitHub or any other git service.)

    Another, less concrete, potential idea is that WebAuthn tokens (like the aforementioned USB keys, but also the secure enclaves on phones) are growing as an auth method. This already applies to many web services (present a USB/NFC device to log in), so it will probably be a handy feature sooner or later.
    One thing that comes to mind is good old WebDAV, secured by WebAuthn (ownCloud/Nextcloud already offer an incredible experience there!)
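As an added illustration of what "consult an ssh-agent instead of reading the key file" means at the protocol level (this is example code written for this page, not part of the original post and not the product's own code): a minimal Python client for the ssh-agent wire protocol from draft-miller-ssh-agent, issuing SSH_AGENTC_REQUEST_IDENTITIES to list the loaded keys and SSH_AGENTC_SIGN_REQUEST to have the agent sign on the client's behalf, so the private key never has to be readable by the SFTP server process at all. Because nothing here can assume a running agent, the exchange is run over a socketpair against an in-process stand-in agent that serves one constructed "ssh-ed25519" key blob (32 counter bytes, not a real key) and answers sign requests with a SHA-512 placeholder rather than a real Ed25519 signature; the message framing, the `ssh-add -L` rendering, and the refusal path for a key the agent does not hold are the real protocol behaviour.

```python
"""ssh-agent wire-protocol client (draft-miller-ssh-agent), run against an in-process stand-in agent."""
import base64
import hashlib
import socket
import struct
import threading

# Message numbers from draft-miller-ssh-agent.
SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14

def ssh_string(b):
    """RFC 4251 string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def read_string(buf, off):
    """Parse one RFC 4251 string at offset off; return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the connection")
        buf += chunk
    return buf

def send_msg(sock, payload):
    sock.sendall(ssh_string(payload))  # every agent message is length-framed

def recv_msg(sock):
    return recv_exact(sock, struct.unpack(">I", recv_exact(sock, 4))[0])

def request_identities(sock):
    """Ask the agent which public keys it holds: [(key_blob, comment), ...]."""
    send_msg(sock, bytes([SSH_AGENTC_REQUEST_IDENTITIES]))
    resp = recv_msg(sock)
    if resp[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise RuntimeError(f"unexpected reply type {resp[0]}")
    (count,), off, ids = struct.unpack_from(">I", resp, 1), 5, []
    for _ in range(count):
        blob, off = read_string(resp, off)
        comment, off = read_string(resp, off)
        ids.append((blob, comment.decode()))
    return ids

def sign(sock, key_blob, data, flags=0):
    """Have the agent sign data with key_blob; returns the SSH signature blob (string keytype || string sig)."""
    send_msg(sock, bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob)
             + ssh_string(data) + struct.pack(">I", flags))
    resp = recv_msg(sock)
    if resp[0] != SSH_AGENT_SIGN_RESPONSE:  # SSH_AGENT_FAILURE: key not loaded, or confirmation denied
        raise RuntimeError(f"agent did not sign (reply type {resp[0]})")
    return read_string(resp, 1)[0]

def authorized_keys_line(blob, comment):
    """Render a key the way `ssh-add -L` does: keytype base64(blob) comment."""
    return f"{read_string(blob, 0)[0].decode()} {base64.b64encode(blob).decode()} {comment}"

# Constructed fixture: 32 counter bytes stand in for an Ed25519 public key.
FAKE_ED25519_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
FAKE_IDENTITIES = [(FAKE_ED25519_BLOB, "alice@laptop (constructed)")]

def fake_agent(conn, identities):
    """Stand-in for ssh-agent: framing is real, the 'signature' is a SHA-512 placeholder, NOT Ed25519."""
    known = {blob for blob, _ in identities}
    while True:
        try:
            msg = recv_msg(conn)
        except ConnectionError:
            conn.close()
            return
        if msg[0] == SSH_AGENTC_REQUEST_IDENTITIES:
            body = struct.pack(">I", len(identities))
            for blob, comment in identities:
                body += ssh_string(blob) + ssh_string(comment.encode())
            send_msg(conn, bytes([SSH_AGENT_IDENTITIES_ANSWER]) + body)
        elif msg[0] == SSH_AGENTC_SIGN_REQUEST and read_string(msg, 1)[0] in known:
            blob, off = read_string(msg, 1)
            data, _ = read_string(msg, off)
            sig = ssh_string(b"ssh-ed25519") + ssh_string(hashlib.sha512(blob + data).digest())
            send_msg(conn, bytes([SSH_AGENT_SIGN_RESPONSE]) + ssh_string(sig))
        else:  # unknown key or unsupported request: refuse, never fake success
            send_msg(conn, bytes([SSH_AGENT_FAILURE]))

def demo():
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_agent, args=(server, FAKE_IDENTITIES), daemon=True)
    t.start()
    ids = request_identities(client)
    lines = [authorized_keys_line(b, c) for b, c in ids]
    sig = sign(client, ids[0][0], b"constructed session-id || userauth request")
    try:  # a key the agent does not hold must be refused, not silently signed
        sign(client, ssh_string(b"ssh-ed25519") + ssh_string(bytes(32)), b"x")
        refused = False
    except RuntimeError:
        refused = True
    client.close()
    t.join()
    return lines, sig, refused
```

Calling `demo()` returns the `ssh-add -L` style listing, the signature blob for the loaded key, and `True` for the refused request against a key the agent does not hold. Against a real agent you would drop the stand-in, connect an `AF_UNIX` socket to the path in `$SSH_AUTH_SOCK` (or Pageant's named pipe on Windows) and hand that socket to `request_identities` and `sign`; the caller then puts the returned blob into the SSH userauth "publickey" request, and at no point does it hold or decrypt the private key.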