libssh2_userauth_publickey_sk(3) libssh2 libssh2_userauth_publickey_sk(3)

NAME


libssh2_userauth_publickey_sk - authenticate a session with a FIDO2
authenticator

SYNOPSIS


#include <libssh2.h>

int
libssh2_userauth_publickey_sk(LIBSSH2_SESSION *session,
const char *username,
size_t username_len,
const unsigned char *publickeydata,
size_t publickeydata_len,
const char *privatekeydata,
size_t privatekeydata_len,
const char *passphrase,
LIBSSH2_USERAUTH_SK_SIGN_FUNC((*sign_callback)),
void **abstract);

CALLBACK


#define LIBSSH2_SK_PRESENCE_REQUIRED 0x01
#define LIBSSH2_SK_VERIFICATION_REQUIRED 0x04

typedef struct _LIBSSH2_SK_SIG_INFO {
uint8_t flags;
uint32_t counter;
unsigned char *sig_r;
size_t sig_r_len;
unsigned char *sig_s;
size_t sig_s_len;
} LIBSSH2_SK_SIG_INFO;

int name(LIBSSH2_SESSION *session, LIBSSH2_SK_SIG_INFO *sig_info,
const unsigned char *data, size_t data_len, int algorithm,
uint8_t flags, const char *application,
const unsigned char *key_handle, size_t handle_len,
void **abstract);

DESCRIPTION


session - Session instance as returned by libssh2_session_init_ex(3)

username - Name of user to attempt authentication for.

username_len - Length of username parameter.

publickeydata - Buffer containing the contents of a public key file.
If NULL, the public key will be extracted from the privatekeydata.
When using certificate authentication, this buffer should contain the
public certificate data.

publickeydata_len - Length of public key data.

privatekeydata - Buffer containing the contents of a private key
file.

privatekeydata_len - Length of private key data.

passphrase - Passphrase to use when decoding private key file.

sign_callback - Callback to communicate with FIDO2 authenticator.

abstract - User-provided data to pass to callback.

Attempt FIDO2 authentication. using either the sk-ssh-
ed25519@openssh.com or sk-ecdsa-sha2-nistp256@openssh.com key
exchange algorithms.

This function is only supported when libssh2 is backed by OpenSSL.


CALLBACK DESCRIPTION


session - Session instance as returned by libssh2_session_init_ex(3)

sig_info - Filled in by the callback with the signature and
accompanying information from the authenticator.

data - The data to sign.

data_len - The length of the data parameter.

algorithm - The signing algorithm to use. Possible values are
LIBSSH2_HOSTKEY_TYPE_ED25519 and LIBSSH2_HOSTKEY_TYPE_ECDSA_256.

flags - A bitmask specifying options for the authenticator. When
LIBSSH2_SK_PRESENCE_REQUIRED is set, the authenticator requires a
touch. When LIBSSH2_SK_VERIFICATION_REQUIRED is set, the
authenticator requires a PIN. Many servers and authenticators do not
work properly when LIBSSH2_SK_PRESENCE_REQUIRED is not set.

application - A user-defined string to use as the RP name for the
authenticator. Usually "ssh:".

key_handle - The key handle to use for the authenticator's allow
list.

handle_len - The length of the key_handle parameter.

abstract - User-defined data. When a PIN is required, use this to
pass in the PIN, or a function pointer to retrieve the PIN.

The sign_callback is responsible for communicating with the hardware
authenticator to generate a signature. On success, the signature
information must be placed in the `sig_info sig_info parameter and
the callback must return 0. On failure, it should return a negative
number.

The fields of the LIBSSH2_SK_SIG_INFO are as follows.

flags - A bitmask specifying options for the authenticator. This
should be read from the authenticator and not merely copied from the
flags parameter to the callback.

counter - A value returned from the authenticator.

sig_r - For Ed25519 signatures, this contains the entire signature,
as returned directly from the authenticator. For ECDSA signatures,
this contains the r component of the signature in a big-endian binary
representation. For both algorithms, use LIBSSH2_ALLOC to allocate
memory. It will be freed by the caller.

sig_r_len - The length of the sig_r parameter.

sig_s - For ECDSA signatures, this contains the s component of the
signature in a big-endian binary representation. Use LIBSSH2_ALLOC to
allocate memory. It will be freed by the caller. For Ed25519
signatures, set this to NULL.

sig_s_len - The length of the sig_s parameter.

RETURN VALUE


Return 0 on success or negative on failure. It returns
LIBSSH2_ERROR_EAGAIN when it would otherwise block. While
LIBSSH2_ERROR_EAGAIN is a negative number, it is not really a failure
per se.

ERRORS


Some of the errors this function may return include:

LIBSSH2_ERROR_ALLOC - An internal memory allocation call failed.

LIBSSH2_ERROR_SOCKET_SEND - Unable to send data on socket.

LIBSSH2_ERROR_AUTHENTICATION_FAILED - failed, invalid username/key.

AVAILABILITY


Added in libssh2 1.10.0

SEE ALSO


libssh2_session_init_ex(3)

libssh2 1 Jun 2022 libssh2_userauth_publickey_sk(3)

tribblix@gmail.com :: GitHub :: Privacy