Introduction
Webauthn vs ssh authentication protocol
OpenSSH's implementation is not related with webauthn. Those are different protocols. In OpenSSH the FIDO/FIDO2 token is used to allow the usage of the private key. This does not change the ssh's authentication protocol.
Webauthn works different. It's a complete new authentication protocol, which does not have any similarities with the ssh authentication protocol. The browser can verify the website and communicates with the FIDO2 token (trusted party). The website (Domain/URL) and some channel id's are part of the authentication process. Those information can not be faked. This is the reason, why it's not possible to authenticate against a phishing site and reuse the credentials.
Using FIDO2 with webauthn is secure and protects against phishing attacks.
SSH and phishing attacks
SSH should not be affected by phishing attacks, if you verify the fingerprint or compare it against a trusted source. The reason why such phishing attacks work is, that most users does not verify the fingerprint during the first connection.
When the fingerprint is already known, but the host key changes, a warning is presented and the connection is closed. This should prevent from attacks like ARP Spoofing.
In the scenario of "agent restrictions" we are not talking about such phishing attacks. They might be part of the attack but not the attack which was meant by the Damien Miller (OpenSSH dev).
"no-touch-required" option for FIDO tokens
FIDO tokens are supported since OpenSSH 8.2. Compatible FIDO/FIDO2 tokens must support U2F and they must support "ECDSA-P256" and "Ed25519". There are some optional features like "no-touch-required" and "resident keys".
When "no-touch-required" is used, they private key can be used without confirmation and such keys can be abused at any time. The "no-touch-required" is not discussed in the article, because it disables the second factor and a phishing attack is not required.
The phishing attack
The phishing attack is called "trivial authentication" and was first described in Bug 3316 in the OpenSSH issue tracker.
Simon Tatham (PuTTY) and Matt Johnston (Dropbear) has also improved existing mitigation strategies or implemented some mitigation strategies against the described phishing attack.
Scenario
The user wants to connect to a development server with public key authentication and agent forwarding enabled, which is needed, because the user needs to access an internal git repo over ssh.
The server got compromised and the attacker has access to the forwarded agent.
This is the same scenario as by the Matrix server hack in 2019.
Another scenario is remote copy of files. New implementations of openssh (>8.4) supports agent forwarding in scp and sftp, which makes this attack also possible.
Normal behavior
When the user connects to a dev server with public key authentication, the user have to push the button on the fido device.
The attacker got access to the forwarded agent and uses this agent to get access to another server. This does not work, because the user needs to push the button an the fido 2 device.
This is not expected and the user will close the session an inform the administrator of the compromised server.
Bypass of fido 2 devices and ssh-askpass
If the attacker configures the ssh server, so it does not need credentials to login, an attacker can bypass the first confirmation for the fido device or ssh-askpass.
This can be done, by using the authentication method "none".
If the client connects to the compromised server, the server accepts the connection and requests the agent.
After the attacker got the agent, the attacker can try to login to a different server, which will need a confirmation on the fido device.
The user thinks, that this confirmation is for the development server, because he does not know, that he is already connected. After the confirmation, the attacker is logged in to the other server.
Note on the the scenario
The described scenario the most basic scenario and has a lot of drawbacks. "none" authentication is the most obvious authentication method, because it is always present on the client side and allows a login without authentication, which is required for the phishing attack.
Advanced attacks should choose other authentication methods or flaws in the client's authentication process. For example "keyboard-interactive" also allows logging in without passwords.
Disclosure:
I found this phishing attack during an audit and developed the improvements/fixes for PuTTY and Dropbear. The documentation about trivial authentication is for my tool "SSH-MITM", which is a man in the middle audit tool for ssh.