Skip to content

Add SK (Security Key) public key authentication support #439

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
nindanaoto wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Add SK (Security Key) public key authentication support #439

nindanaoto wants to merge 3 commits into from

Conversation

@nindanaoto
Copy link
Contributor

@nindanaoto nindanaoto commented Jan 1, 2026

Required by connectbot/connectbot#1821.
Adds support for FIDO2 Security Key authentication:

🤖 Generated with Claude Code

@nindanaoto @claude
Add SK (Security Key) public key authentication support
92bb8c8 
Adds support for FIDO2 Security Key authentication:
- New SkPublicKey interface for hardware-backed SK keys
- SK key handling in AuthenticationManager using SignatureProxy
- Supports [email protected] and [email protected]

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@kruton
Copy link
Member

kruton commented Jan 1, 2026

It seems like more of the implementation might need to be in sshlib. If a test can't be written for it then the boundary between library and user of the library may not be in the right place.

@nindanaoto @claude
Add tests for SK (Security Key) public key authentication
0297f64 
Tests for the SkPublicKey interface and AuthenticationManager SK key handling:
- SkPublicKeyTest: validates interface contract for Ed25519/ECDSA SK keys
- AuthenticationManagerSkKeyTest: verifies SK authentication flow, hash
  algorithm selection, and SignatureProxy requirement

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@nindanaoto
Copy link
Contributor Author

nindanaoto commented Jan 2, 2026

Your criteria for the library boundary seem reasonable to me, so I wrote unit tests since the change is fairly simple. However, moving this logic to the ConnectBot side will mess up the library interface.
​Maybe we should also move some parts of the actual hardware key communication to the sshlib side to isolate the complex key handling from the ConnectBot side, but this will require hardware key unit tests without the physical key. I found that YubiKey seems to provide a test suite for this. However, we should check whether the test covers our use case first. So, I will add that to the ConnectBot side first, then plan to move it to sshlib as another PR. Possibly, because of its complexity, moving that can be a difficult task.

@nindanaoto @claude
Fix unused imports in AuthenticationManagerSkKeyTest
d279612 
Remove unused doAnswer and when imports that were flagged by checkstyle.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nindanaoto @kruton