Bug 1821501

Summary: consider backport of u2f support
Product: Red Hat Enterprise Linux 9
Reporter: Kevin Fenzi <kevin>
Component: openssh
Assignee: Dmitry Belyavskiy <dbelyavs>
Status: CLOSED ERRATA
QA Contact: Marek Havrila <mhavrila>
Severity: unspecified
Docs Contact: Jan Fiala <jafiala>
Priority: low
Version: unspecified
CC: abo, afarley, amarirom, dbelyavs, jafiala, jjelen, mjahoda, pmendezh, ravpatil, rbiba, redhat-bugzilla, ssorce, szidek
Target Milestone: beta
Keywords: FutureFeature, TestOnly, Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Doc Type: Enhancement
Doc Text:
OpenSSH supports U2F/FIDO security keys
Previously, the OpenSSH keys stored in hardware were only supported through the PKCS #11 standard, which limited the use of other security keys in SSH. Support for U2F/FIDO security keys was developed upstream and is now implemented in RHEL 9. This results in improved usability of security keys within SSH, independent of the PKCS #11 interface.
Last Closed: 2022-05-17 15:53:33 UTC
Type: Bug

Description Kevin Fenzi 2020-04-06 23:58:57 UTC
It would be very nice for rhel7 (and 8) to at least support sk-ecdsa keys, and even better if it could have all the u2f support. 

With support for sk-ecdsa keys, users could at least use the u2f support on newer platforms to connect to rhel hosts.

The full u2f support would allow rhel clients to take advantage of this support. 

Thanks for your consideration.

Comment 2 Jakub Jelen 2020-04-07 06:57:40 UTC
For RHEL 7, it is out of the question, as RHEL7 is in Maintenance Support 1 Phase [1]:

> New software functionality is not available during this phase.

Moved to RHEL8, which we might consider in future releases.

[1] https://access.redhat.com/support/policy/updates/errata#Maintenance_Support_1_Phase

Comment 28 Robert Scheck 2022-04-25 15:08:05 UTC
Could somebody please briefly explain why this was moved from RHEL 8 to 9? It would be still helpful for us to have at least the new public key types "ecdsa-sk" and "ed25519-sk" supported on the server side, so that users on newer platforms can use full U2F/FIDO support to connect to RHEL 8 servers (especially as RHEL 9 is not yet available).

Comment 31 Stanislav Zidek 2022-04-26 11:39:19 UTC
Robert, we are not really allowed to discuss roadmaps and timelines in bugzilla, please reach out to your representative via Customer Portal. That being said, the brief explanation is "complicated rebase or backport would be necessary".

Comment 32 Robert Scheck 2022-04-26 12:56:16 UTC
(In reply to Stanislav Zidek from comment #31)
> Robert, we are not really allowed to discuss roadmaps and timelines in
> bugzilla, please reach out to your representative via Customer Portal. That
> being said, the brief explanation is "complicated rebase or backport would
> be necessary".

Stanislav, I've opened case 03204842 at the Red Hat customer portal already before your answer to later follow up there with a business justification etc. - but thank you anyway for the quick brief explanation :)

Comment 42 errata-xmlrpc 2022-05-17 15:53:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: openssh), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3949