Time to add FIDO2 support?
Hi hackers,
Would others be interested in adding support for FIDO2 as a new SASL
authentication mechanism?
As a macOS user, FIDO2 has become very convenient since the release of
macOS Tahoe in September 2025, that added built-in support for Secure
Enclave-backed SSH keys [1]https://gist.github.com/arianvp/5f59f1783e3eaf1a2d4cd8e952bb4acf [2]https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041451.html. The key pair is generated on the
Security Enclave and the private key cannot be exported, so even if your
computer is compromised, you can be quite confident that they at least
couldn't steal your private keys. When logging in, you have to touch
the TouchID for the Security Enclave to sign the challenge. I really
love how this scores very high on both security and convenience.
So, I think it would be nice if authenticating to PostgreSQL via psql
could be made equally secure and convenient, by simply reusing the same
OpenSSH hardware-backed FIDO2 SSH keys, copying the key string from
~/.ssh/authorized_keys, and register it with your PostgreSQL role.
This would of course also work with hardware keys, such as Yubikey.
Example:
ALTER ROLE joel ADD CREDENTIAL macos 'sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBOG0NTN8AqegdlKrGTuddOFt0G4ANYzwkBtjSS0zCWCB1IuJisW41qBQ/JSGWjJp1B7OXD52AwfyB4sbUs1Kqg0AAAAEc3NoOg==';
Add "fido2" to pg_hba.conf:
hostssl all all 0.0.0.0/0 fido2
hostssl all all ::/0 fido2
You would need to load the resident keys from the FIDO2 authenticator,
once per bootup:
% ssh-add -K
Enter PIN for authenticator:
Resident identity added: ECDSA-SK SHA256:6/FvVcfzjLTt27bieSk5UpsPFYvGGkL5njORDz1JmM8
You would then specify the sk-provider when connecting via psql:
% PGSKPROVIDER=/usr/lib/ssh-keychain.dylib psql
The server sends a random challenge, the user is prompted to touch the
TouchID, the client's security key then signs it, and the server
verifies the signature.
I have some experience of FIDO2/WebAuthn in the application layer,
and would be willing to try to draft a patch on this, given there is
enough interest in this.
/Joel
[1]: https://gist.github.com/arianvp/5f59f1783e3eaf1a2d4cd8e952bb4acf
[2]: https://lists.mindrot.org/pipermail/openssh-unix-dev/2024-July/041451.html
Would others be interested in adding support for FIDO2 as a new SASL
authentication mechanism?
Me definitely, I was also thinking about the same thing. For context,
I did implement fido authentication for Percona Server for MySQL.
But as far as I know, SASL only has drafts[1]https://www.ietf.org/archive/id/draft-bucksch-sasl-passkey-00.html[2]https://www.ietf.org/archive/id/draft-ietf-kitten-scram-2fa-05.html about fido, not accepted RFCs.
This is also related to why I asked about generic (not oauth related)
authentication plugins on the list a few days ago[3]/messages/by-id/CAN4CZFN=5=dWvY=YAPeF4PVOMtR5U6jMLc2kCSHdO0EhejPp+Q@mail.gmail.com, one of the
things I was thinking about was fido/webauthn.
Add "fido2" to pg_hba.conf:
hostssl all all 0.0.0.0/0 fido2
hostssl all all ::/0 fido2
It would be really good to implement MFA properly (allowing users to
configure password + fido requirement for login), but that would also
require changes in pg_hba processing.
[1]: https://www.ietf.org/archive/id/draft-bucksch-sasl-passkey-00.html
[2]: https://www.ietf.org/archive/id/draft-ietf-kitten-scram-2fa-05.html
[3]: /messages/by-id/CAN4CZFN=5=dWvY=YAPeF4PVOMtR5U6jMLc2kCSHdO0EhejPp+Q@mail.gmail.com