Add OpenSSH 8.2

[SR-Lut3t1um]

As OpenSSH 8.2 adds support for FIDO sticks I'd like to test this feature in order to improve security.

Kind regards,
Tobias Liese

[beerisgood]

Please provide this in Windows

[jmyreen]

I would prefer bringing the Windows version on par with the original. There are features that have been silently left unimplemented, but the documentation refers to the original manual pages. I think at least some other version numbering scheme should be used so that users wouldn't be misled to think the Windows version of "OpenSSH 8.1" is OpenSSH 8.1, because it is not.

#1554
PowerShell/openssh-portable#362

[NoMoreFood]

@bagajjal Are you working this yet? If not, I could probably take a look.

[bagajjal]

@NoMoreFood - Thanks for your helping hand as always.
I will look into this mid next week.

[SR-Lut3t1um]

@bagajjal any news on this topic?

[bagajjal]

I am busy in getting the OpenSSH V8.1.0.0 to next windows release.
I will work on this next week.

[beerisgood]

I am busy in getting the OpenSSH V8.1.0.0 to next windows release.
I will work on this next week.

Why not 8.2 ?

[bagajjal]

It has to be tested for a while.. 8.2 is very new..

[beerisgood]

It has to be tested for a while.. 8.2 is very new..

But also include great security features (FIDO)
As Windows support such, it only would make sense you use that logic to SSH too.

In my opinion we shouldn't stay behind releases.

[WSLUser]

In my opinion we shouldn't stay behind releases.

True but all that's doing is showing just how much is left unimplemented in Windows compared to Linux. The porting process is not finished. Unfortunately the Powershell team is small and has to handle multiple projects, of which this one is of minor priority to them unfortunately. That just means outside contributors are needed to more heavily influence this project for the betterment of everyone.

[tavrez]

git for windows made OpenSSH 8.2 available for Windows(with FIDO support).
I've also created a module for OpenSSH 8.2 to make FIDO usage through Windows Hello API, you can see it in https://github.com/tavrez/openssh-sk-winhello

[jmyreen]

git for windows made OpenSSH 8.2 available for Windows(with FIDO support).

Great. Any progress on PowerShell/openssh-portable#362 ?

[gorbi13G]

exists there windows compiled version of openssh 8.2 with FIDO support please? ( i want to use Trezor device for ssh-agent )

[tavrez]

exists there windows compiled version of openssh 8.2 with FIDO support please? ( i want to use Trezor device for ssh-agent )

gitforwindows.org

[gorbi13G]

gitforwindows.org is the project which offers windows compiled openssh 8.2 with FIDO support ? can you be please more specific, is it the top secure project? :-)

[WSLUser]

Git for Windows provides the Cygwin binary for Openssh. Win32-OpenSSH is the better solution to implementing SSH but it is still missing features as noted in this issue.

[bagajjal]

I am working on OpenSSH v8.2.
I have v8.2 ready without FIDO support.

I will work on enabling FIDO related code next week. I am shuffling between two projects, not getting enough time to work on this.

[jmyreen]

Please don't forget #1548 . FIDO support is not a replacement for PIV and other smart card uses. PKCS#11 support in the SSH agent has been a documented feature long before OpenSSH 8.2, but it is broken in the Windows version. My understanding is that a fix for this has been waiting to be merged for years already.

[tavrez]

Will you gonna do this with libfido2 just like how OpenSSH did? That will requires administrator privileges to access to keys
I've implemented this using webauthn.dll just like browsers

[bagajjal]

@NoMoreFood - Just realized that openssh has released v8.3. I am quite busy with my other project. If you are free then could you please enable the FIDO support. Please clone my v8.2 branch. This branch is validated without FIDO support. FIDO code is hidden behind ENABLED_SK, ENABLE_SK_INTERNAL preprocessor flags. Thank you for your continuous support.

[tavrez]

I can help to integrate Windows Hello to it.

[NoMoreFood]

@tavrez If you want to take on the lot of it, go for it. I'm a bit preoccupied with the day job.

[WSLUser]

Can we get a status of progress on this? At this point, we should be releasing v8.3 even without FIDO support if necessary. That can always be added later. It's better to at least stay up to date with code to reduce vulns and bugs. Also update LibreSSL and other dependencies as part of this.

[denniskniep]

Hi,
are there any plans when 8.2 will be available?

[bagajjal]

I will work on upgrading to V8.4 starting next week. Planning for a github release V8.4 next month, Feb 2021.

[musm]

I can help to integrate Windows Hello to it.

If you use KeePass this is extremely convenient: https://github.com/sirAndros/KeePassWinHello

[denniskniep]

@bagajjal That sounds great, thank you!
Do you think the release is build with FIDO support?

[bagajjal]

@denniskniep - I want to follow phased approach.. First release without FIDO support to get speed with upstream..
Later will work on adding FIDO..

please note FIDO uses third party library and we need to make code changes in win32-openssh repo to compile on windows.. This is a feature work that needs more time.

[denniskniep]

@bagajjal Any progress regarding this ticket?

[fantesykikachu]

Just a note, Openssh made the support for FIDO keys extensible (with "SecurityKeyProvider" config), and while the default "internal" backend uses libfido2, in the long term it might be a good idea to create a new backend that uses window native API for accessing FIDO devices.

[tavrez]

@fantesykikachu As I said before when this project reaches to that step I'll port my library(openssh-sk-winhello - FIDO access through Windows Hello) into it, although the Windows Hello APIs lacks all the functions required by OpenSSH)