As a follow-up, I couldn't get onlykey-agent to work in Windows, so I ended up re-implementing it as an SSH.NET authentication method (which I intend to publish).
Hey Max,
I have to say this write-up is absolutely fascinating, and I am not just saying that because I wrote this code! You did a great job here of picking this apart and explaining, which I know was not easy. I wrote both the firmware and the parts you mentioned in the agent and have been meaning to document more here, just trying to find the time. I would be very interested in helping you get the .NET apps you are working on finished; I know there are lots of OnlyKey users that wish this worked with Windows. So to answer some of the questions you had here:
We ignore the slot because when we first released the SSH agent we didn't derive the keys; the user had to load the ECC keys through the app and specify in the CLI which one to use. When we went to deriving keys I wanted to still have an option to specify a slot if you didn't want to use the KDF, but have not implemented that in firmware yet.
secp256k1 is the same curve used for Bitcoin; it's not really used much for SSH.
As OnlyKey is built on an embedded chip, space really matters, so things are written in a way to save space. For example, as you found, using 1/2 of a byte (nibble) for a setting when the setting is only needed to be a 1 - 16 value.
We do now support keylabels; each key can have a label, it's supported but just not used. It could be useful for several things if supported in an app.
If you have any other questions feel free to reach out.
Great write-up!
Thank you for taking the time and effort to investigate this stuff. I just bought my first OnlyKey today (awaiting delivery this week) and I expect I'll be referring to this article for my own explorations.
Thank you for sharing the knowledge!