[feature request] Enable openssh fido/u2f support

[tavrez]

Is it too soon to ask for this?
libfido2 is available on windows so I think enabling openssh fido support with --with-security-key-builtin will work

[PhilipOakley]

@tavrez Is this something you could checkout/debug using the SDK, then a simple PR if it works for you (i.e. then wrap it into the installer).

As Git-for-Windows is open source your contribution would be welcomed (with the usual quality caveats ;-).

[dscho]

What @PhilipOakley said.

@tavrez you can start by downloading Git for Windows' SDK, running the installer, then sdk cd openssh and see whether the minimal change you suggested in the PKGBUILD makes sdk build work.

[cw789]

I've tried now to build OpenSSH with --with-security-key-builtin with the sdk build - it works.

But that change alone is not enough to use OpenSSH with FIDO/U2F support on Windows.
You'll still need libfido2 on the system.

I'm not aware which libfido2 I could use then.
The Windows one or probably one build for msys2 or mingw ...

[dscho]

I'm not aware which libfido2 I could use then.
The Windows one or probably one build for msys2 or mingw ...

Our OpenSSH build is an MSYS one, so you will need the MSYS version of libfido2. There does not seem to be any at the moment, though: https://github.com/msys2/MSYS2-packages/find/master/.

[cw789]

Thanks Johannes, that's what I was afraid of.

I was thinking about to prepare my first pull request.
But that won't make sense as libfdo2 is not available.

& I'm the wrong for bringing libfido2 to MSYS. Not my terrain.

[tavrez]

Can we just compile it(libfido2 and libcbor) natively and put it inside mingw packages? I mean @cw789 did you test with any of builds?

[cw789]

No I didn't try that.

[dscho]

Can we just compile it

@tavrez sure, by our guest. Download the Git for Windows SDK, then sdk cd MSYS-packages and have a look around for a library that might be similar to libfido2, then copy-edit its PKGBUILD into a new subdirectory libfido2. You should be able to build the package via sdk build libfido2 after that. It may take a couple of cycles until the PKGBUILD is correct and working.

[tavrez]

I successfully compiled everything and tested library with both my U2F and FIDO2 keys, I will package them properly and push a PR ASAP(I probably need your help since I'm not familiar with progress).
I'm also writing a module for using instead of openssh internal library, my module use native windows hello api(like browsers) and bring more ability like using internal TPM and biometrics for key generation.

[dscho]

@tavrez you managed to surprise me! I will gladly help you with whatever process hurdles you face.

[tavrez]

At first I thought since libcbor and libfido2 can be compiled natively on Windows, it's better to compile them under mingw, but then I realised openssh can't use them so I went back to msys.

Now the problem is both libcbor and libfido2 only have cmake files, and I do not know how to build PKGBUILD for them. Should I download cmake in their PKGBUILD or you have better approach to this?

I should also mention that using fido2 in Windows 10 version 1903 and higher requires administrator privileges, this needs to be noted somewhere for end users

[rimrul]

You'll probably want a compile time dependency (makedepends in PKGBUILD) on cmake. See the PKGBUILD of jsoncpp or task for an example.

[dscho]

You'll probably want a compile time dependency (makedepends in PKGBUILD) on cmake. See the PKGBUILD of jsoncpp or task for an example.

For lurkers: https://github.com/git-for-windows/MSYS2-packages/blob/450628337752150d35673af52f18102994257a9a/task/PKGBUILD#L18 and https://github.com/git-for-windows/MSYS2-packages/blob/450628337752150d35673af52f18102994257a9a/task/PKGBUILD#L55 are probably the most relevant parts of task's PKGBUILD file.

[tavrez]

First try pushed on git-for-windows/MSYS2-packages#34