Add support for FIDO2-backed SSH keys

Summary: U2F/FIDO are open standards for inexpensive two-factor authentication hardware that are widely used for website authentication. These keys are available since OpenSSH 8.2 (2020-02-14). https://www.openssh.com/txt/release-8.2 https://security.stackexchange.com/q/240991/260234 Ref Q96 Test Plan: Check the added keys. They exactly match the output of the command 'ssh -Q key'. Reviewers: O1 Blessed Committers, antonia, avivey Reviewed By: O1 Blessed Committers, antonia, avivey Subscribers: avivey, tobiaswiese, Matthew, Cigaryno Differential Revision: https://we.phorge.it/D25508
2024-11-10 00:42:41 +01:00 · 2024-01-08 19:07:34 +01:00 · 2024-01-08 19:07:34 +01:00 · 6fe942a8f9
commit 6fe942a8f9
parent d92ed9ce0c
1 changed files with 4 additions and 0 deletions
--- a/src/applications/auth/sshkey/PhabricatorAuthSSHPublicKey.php
+++ b/src/applications/auth/sshkey/PhabricatorAuthSSHPublicKey.php
@ -55,11 +55,15 @@ final class PhabricatorAuthSSHPublicKey extends Phobject {

    list($type, $body, $comment) = $parts;

+    // The only goal is to prevent user error by nonsense input.
+    // This is just a meaningful subset from 'ssh -Q key'.
    $recognized_keys = array(
      'ssh-dsa',
      'ssh-dss',
      'ssh-rsa',
      'ssh-ed25519',
+      'sk-ssh-ed25519@openssh.com',
+      'sk-ecdsa-sha2-nistp256@openssh.com',
      'ecdsa-sha2-nistp256',
      'ecdsa-sha2-nistp384',
      'ecdsa-sha2-nistp521',