libssh2_userauth_publickey_sk.3 (5357B)
1.TH libssh2_userauth_publickey_sk 3 "1 Jun 2022" "libssh2" "libssh2" 2.SH NAME 3libssh2_userauth_publickey_sk - authenticate a session with a FIDO2 authenticator 4.SH SYNOPSIS 5.nf 6#include <libssh2.h> 7 8int 9libssh2_userauth_publickey_sk(LIBSSH2_SESSION *session, 10 const char *username, 11 size_t username_len, 12 const unsigned char *publickeydata, 13 size_t publickeydata_len, 14 const char *privatekeydata, 15 size_t privatekeydata_len, 16 const char *passphrase, 17 LIBSSH2_USERAUTH_SK_SIGN_FUNC((*sign_callback)), 18 void **abstract); 19.fi 20.SH CALLBACK 21.nf 22#define LIBSSH2_SK_PRESENCE_REQUIRED 0x01 23#define LIBSSH2_SK_VERIFICATION_REQUIRED 0x04 24 25typedef struct _LIBSSH2_SK_SIG_INFO { 26 uint8_t flags; 27 uint32_t counter; 28 unsigned char *sig_r; 29 size_t sig_r_len; 30 unsigned char *sig_s; 31 size_t sig_s_len; 32} LIBSSH2_SK_SIG_INFO; 33 34int name(LIBSSH2_SESSION *session, LIBSSH2_SK_SIG_INFO *sig_info, 35 const unsigned char *data, size_t data_len, int algorithm, 36 uint8_t flags, const char *application, 37 const unsigned char *key_handle, size_t handle_len, 38 void **abstract); 39.fi 40.SH DESCRIPTION 41\fIsession\fP - Session instance as returned by 42.BR libssh2_session_init_ex(3) 43 44\fIusername\fP - Name of user to attempt authentication for. 45 46\fIusername_len\fP - Length of username parameter. 47 48\fIpublickeydata\fP - Buffer containing the contents of a public key file. If 49NULL, the public key will be extracted from the privatekeydata. When using 50certificate authentication, this buffer should contain the public certificate 51data. 52 53\fIpublickeydata_len\fP - Length of public key data. 54 55\fIprivatekeydata\fP - Buffer containing the contents of a private key file. 56 57\fIprivatekeydata_len\fP - Length of private key data. 58 59\fIpassphrase\fP - Passphrase to use when decoding private key file. 60 61\fIsign_callback\fP - Callback to communicate with FIDO2 authenticator. 62 63\fIabstract\fP - User-provided data to pass to callback. 64 65Attempt FIDO2 authentication. using either the sk-ssh-ed25519@openssh.com or 66sk-ecdsa-sha2-nistp256@openssh.com key exchange algorithms. 67 68This function is only supported when libssh2 is backed by OpenSSL. 69 70.SH CALLBACK DESCRIPTION 71\fIsession\fP - Session instance as returned by 72.BR libssh2_session_init_ex(3) 73 74\fIsig_info\fP - Filled in by the callback with the signature and accompanying 75information from the authenticator. 76 77\fIdata\fP - The data to sign. 78 79\fIdata_len\fP - The length of the data parameter. 80 81\fIalgorithm\fP - The signing algorithm to use. Possible values are 82LIBSSH2_HOSTKEY_TYPE_ED25519 and LIBSSH2_HOSTKEY_TYPE_ECDSA_256. 83 84\fIflags\fP - A bitmask specifying options for the authenticator. When 85LIBSSH2_SK_PRESENCE_REQUIRED is set, the authenticator requires a touch. When 86LIBSSH2_SK_VERIFICATION_REQUIRED is set, the authenticator requires a PIN. 87Many servers and authenticators do not work properly when 88LIBSSH2_SK_PRESENCE_REQUIRED is not set. 89 90\fIapplication\fP - A user-defined string to use as the RP name for the 91authenticator. Usually "ssh:". 92 93\fIkey_handle\fP - The key handle to use for the authenticator's allow list. 94 95\fIhandle_len\fP - The length of the key_handle parameter. 96 97\fIabstract\fP - User-defined data. When a PIN is required, use this to pass in 98the PIN, or a function pointer to retrieve the PIN. 99 100The \fIsign_callback\fP is responsible for communicating with the hardware 101authenticator to generate a signature. On success, the signature information 102must be placed in the `\fIsig_info\fP sig_info parameter and the callback must 103return 0. On failure, it should return a negative number. 104 105The fields of the LIBSSH2_SK_SIG_INFO are as follows. 106 107\fIflags\fP - A bitmask specifying options for the authenticator. This should 108be read from the authenticator and not merely copied from the flags parameter 109to the callback. 110 111\fIcounter\fP - A value returned from the authenticator. 112 113\fIsig_r\fP - For Ed25519 signatures, this contains the entire signature, as 114returned directly from the authenticator. For ECDSA signatures, this contains 115the r component of the signature in a big-endian binary representation. For 116both algorithms, use LIBSSH2_ALLOC to allocate memory. It will be freed by the 117caller. 118 119\fIsig_r_len\fP - The length of the sig_r parameter. 120 121\fIsig_s\fP - For ECDSA signatures, this contains the s component of the 122signature in a big-endian binary representation. Use LIBSSH2_ALLOC to allocate 123memory. It will be freed by the caller. For Ed25519 signatures, set this to 124NULL. 125 126\fIsig_s_len\fP - The length of the sig_s parameter. 127.SH RETURN VALUE 128Return 0 on success or negative on failure. It returns 129LIBSSH2_ERROR_EAGAIN when it would otherwise block. While 130LIBSSH2_ERROR_EAGAIN is a negative number, it is not really a failure per se. 131.SH ERRORS 132Some of the errors this function may return include: 133 134\fILIBSSH2_ERROR_ALLOC\fP - An internal memory allocation call failed. 135 136\fILIBSSH2_ERROR_SOCKET_SEND\fP - Unable to send data on socket. 137 138\fILIBSSH2_ERROR_AUTHENTICATION_FAILED\fP - failed, invalid username/key. 139.SH AVAILABILITY 140Added in libssh2 1.10.0 141.SH SEE ALSO 142.BR libssh2_session_init_ex(3)