Achim Gratz Stromeko@nexgo.de
Sun Nov 21 10:01:46 GMT 2021

Here are my fixes to make transparent WebAuthn through libfido2 work w/
OpenSSH.  This is required for Win10 from release 1909; the access to
USB-HID is since restricted to users with administrative privileges:


The changes switch to a newer API available from libfido2 that is
required for WebAuthn support (which needs the unhashed data instead of
the SH256 like the actual FIDO2-Token), make that protocol the preferred
one (so that WebAuthn is always used when available w/o being dependent
on the order of the device enumeration) and lastly prevent some extra
(optional) PIN prompts from WinHello that do not happen when using the
USB-HID interface either.  The PIN patches were inspired by an
OpensSSH-portable fork that seems to be maintened by some folks who also
work on libfido, although they seem to have missed a few spots and I
opted for slightly different patches.

The use of the new API is properly wired into the configury.
Unfortunately libfido2 does not provide a way to determine if WebAuthn
support has been compiled in (the one exposed function is a predicate
that always returns false on builds that do not use WebAuthn), so I'm
currently using a heuristic that eventually should be replaced by a
configure option.  Also, it would probably be a good idea to decide at
runtime whether to use WebAuthn or not (maybe via an environment or
config variable).

These patches work for 32bit also and I believe they are correct, but
that build should not be made available due to a bug in libfido2 that
crashes when trying to free the memory associated with the WebAuthn
payload returned.  Without these patches applied you can still use the
fallback to USB-HID when you are an administrator.

+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptations for KORG EX-800 and Poly-800MkII V0.9:

More information about the Cygwin-apps mailing list