From 6fe942a8f9f6b34fdac4cec274cc3ace2d0cee2c Mon Sep 17 00:00:00 2001
From: Valerio Bozzolan
Date: Mon, 8 Jan 2024 19:07:34 +0100
Subject: [PATCH] Add support for FIDO2-backed SSH keys
Summary: U2F/FIDO are open standards for inexpensive two-factor authentication hardware that are widely used for website authentication. These keys are available since OpenSSH 8.2 (2020-02-14). https://www.openssh.com/txt/release-8.2 https://security.stackexchange.com/q/240991/260234 Ref Q96
Test Plan: Check the added keys. They exactly match the output of the command 'ssh -Q key'.
Reviewers: O1 Blessed Committers, antonia, avivey
Reviewed By: O1 Blessed Committers, antonia, avivey
Subscribers: avivey, tobiaswiese, Matthew, Cigaryno
Differential Revision: https://we.phorge.it/D25508
---
 src/applications/auth/sshkey/PhabricatorAuthSSHPublicKey.php | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/applications/auth/sshkey/PhabricatorAuthSSHPublicKey.php b/src/applications/auth/sshkey/PhabricatorAuthSSHPublicKey.php
index d8660b1956..682cde0df6 100644
--- a/src/applications/auth/sshkey/PhabricatorAuthSSHPublicKey.php
+++ b/src/applications/auth/sshkey/PhabricatorAuthSSHPublicKey.php
@@ -55,11 +55,15 @@ final class PhabricatorAuthSSHPublicKey extends Phobject {
 list($type, $body, $comment) = $parts;
+ // The only goal is to prevent user error by nonsense input.
+ // This is just a meaningful subset from 'ssh -Q key'.
 $recognized_keys = array(
 'ssh-dsa',
 'ssh-dss',
 'ssh-rsa',
 'ssh-ed25519',
+ 'sk-ssh-ed25519@openssh.com',
+ 'sk-ecdsa-sha2-nistp256@openssh.com',
 'ecdsa-sha2-nistp256',
 'ecdsa-sha2-nistp384',
 'ecdsa-sha2-nistp521',