Support for FIDO2 Security Key algorithms

timfall
timfall
Community Member

The new SSH-agent is wonderful! However it could be even more wonderful-er (is that a word?) and solve a huge pain point with the native macOS ssh-agent, (which provides some useful password storage facilities via keychain), if it had support for one small addition. Something that has been supported in OpenSSL for some time.

Since 8.2p1 OpenSSL has supported FIDO security key based ssh-keys. "Discoverable" ("Resident") keys have been supported since 8.3. These can be generated with the same mechanisms as always, by simply using the ecdsa-sk or ed25519-sk for the equivalent algorithm. It's simple as pie and makes it very easy to setup and use security keys to secure ssh credentials. It even works directly with GitHub and more providers supporting it are on the way.

But...

It would seem that Apple has included a version of OpenSSL compiled with this ability turned off. Looking at the man pages for ssh and it's associated helpers would seem to indicate these key algorithms are supported like normal, but any attempt to use them results in errors. This effectively makes it impossible to use security keys with the convenience of the built in ssh-agent. The only alternatives being to use the "old" method of overloading PIV certificate functionality, or to substitute the system ssh-agent with the gpg-agent, both of which require significant work and come with large downsides.

It would be super awesome (SUPER AWESOME) if you could add support for these functions. I suspect it's simply a matter of accepting those algorithm types in text fields, perhaps checking to make sure the pin-entry dialog still works. For so little work it would be a major reason to switch over. If additional motivation is needed, my company is currently on the fence about a mass rollout of both password managers and security keys. Having this functionality would put 1Password head and shoulders above the other options.

I am of course also happy to contribute the code myself. Or test it, or whatever. It would just be super awesome! Did I say that already?


1Password Version: 8.7.0
Extension Version: Not Provided
OS Version: 12.3

Comments

  • ooglek
    ooglek
    Community Member

    I'm sad nobody has replied to you. So I'm replying.

    This. ^^^

    Though I feel like it is a little bit Apple's fault, and you could brew install openssl et voila! OK and do a few other things too...

This discussion has been closed.