Here are my fixes to make transparent WebAuthn through libfido2 work w/ OpenSSH. This is required for Win10 from release 1909; the access to USB-HID is since restricted to users with administrative privileges:
https://cygwin.com/git-cygwin-packages/?p=git/cygwin-packages/playground.git;a=shortlog;h=refs/heads/openssh The changes switch to a newer API available from libfido2 that is required for WebAuthn support (which needs the unhashed data instead of the SH256 like the actual FIDO2-Token), make that protocol the preferred one (so that WebAuthn is always used when available w/o being dependent on the order of the device enumeration) and lastly prevent some extra (optional) PIN prompts from WinHello that do not happen when using the USB-HID interface either. The PIN patches were inspired by an OpensSSH-portable fork that seems to be maintened by some folks who also work on libfido, although they seem to have missed a few spots and I opted for slightly different patches. The use of the new API is properly wired into the configury. Unfortunately libfido2 does not provide a way to determine if WebAuthn support has been compiled in (the one exposed function is a predicate that always returns false on builds that do not use WebAuthn), so I'm currently using a heuristic that eventually should be replaced by a configure option. Also, it would probably be a good idea to decide at runtime whether to use WebAuthn or not (maybe via an environment or config variable). These patches work for 32bit also and I believe they are correct, but that build should not be made available due to a bug in libfido2 that crashes when trying to free the memory associated with the WebAuthn payload returned. Without these patches applied you can still use the fallback to USB-HID when you are an administrator. Regards, Achim. -- +<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+ SD adaptations for KORG EX-800 and Poly-800MkII V0.9: http://Synth.Stromeko.net/Downloads.html#KorgSDada
