40 lines
1.7 KiB
Markdown
---
keywords:
- IT
- Security
---

# Fido2

### features

- WebAuthn
  - main feature: login with a username (a value known by the user), challenge-response (the secret) and a button press (interactive) or PIN
- resident keys
- HMAC-secret extension
  - symmetric key scoped to a credential
  - https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html#sctn-hmac-secret-extension

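The HMAC-secret extension is the feature that turns an authenticator into a source of per-credential symmetric keys (the use case behind FIDO2-backed disk unlocking). The following model, added here and not taken from the page or from any of the listed projects, shows only the derivation step of the CTAP2 spec linked above: the authenticator keeps a random 32-byte `CredRandom` for each credential and answers a 32-byte salt with `HMAC-SHA-256(CredRandom, salt)`. The ECDH key agreement that encrypts the salt and the output on the wire is deliberately omitted, and the class and function names are constructed for this illustration.

```python
import hashlib
import hmac
import secrets

# CTAP2 hmac-secret: the client supplies a 32-byte salt (optionally two) and the
# authenticator answers with HMAC-SHA-256(CredRandom, salt), where CredRandom is a
# per-credential random secret that never leaves the device.
SALT_LEN = 32


class ToyAuthenticator:
    """Authenticator side of the hmac-secret extension, reduced to the key derivation.

    Constructed model, not a CTAP implementation: the ECDH key agreement that
    encrypts the salt on the way in and the output on the way out is omitted.
    """

    def __init__(self) -> None:
        # credential id -> CredRandom; only the device ever holds this value
        self._cred_random: dict[bytes, bytes] = {}

    def make_credential(self) -> bytes:
        """Register a new credential; returns the credential id the client stores."""
        cred_id = secrets.token_bytes(16)
        self._cred_random[cred_id] = secrets.token_bytes(32)  # fresh per credential
        return cred_id

    def hmac_secret(self, cred_id: bytes, salt: bytes) -> bytes:
        """getAssertion with the hmac-secret extension, for a single salt."""
        if len(salt) != SALT_LEN:
            raise ValueError("hmac-secret salt must be exactly 32 bytes")
        if cred_id not in self._cred_random:
            raise KeyError("unknown credential id")
        return hmac.new(self._cred_random[cred_id], salt, hashlib.sha256).digest()


def enroll(auth: ToyAuthenticator) -> tuple[bytes, bytes]:
    """Client-side enrolment: keep the credential id and a random, non-secret salt."""
    cred_id = auth.make_credential()
    salt = secrets.token_bytes(SALT_LEN)
    return cred_id, salt


def unlock_key(auth: ToyAuthenticator, cred_id: bytes, salt: bytes) -> bytes:
    """Client-side use: re-derive the same 32-byte symmetric key on every unlock."""
    return auth.hmac_secret(cred_id, salt)


def check_properties() -> dict[str, bool]:
    """Properties a client relies on when wrapping a volume key with hmac-secret."""
    auth = ToyAuthenticator()
    cred_a, salt_a = enroll(auth)
    cred_b, salt_b = enroll(auth)
    key_a1 = unlock_key(auth, cred_a, salt_a)
    key_a2 = unlock_key(auth, cred_a, salt_a)
    return {
        # same credential + same salt -> same key, so the client stores no key at all
        "deterministic": key_a1 == key_a2,
        # a different salt yields an unrelated key from the same credential
        "salt_separates": key_a1 != unlock_key(auth, cred_a, salt_b),
        # a different credential yields an unrelated key even with the same salt
        "credential_scoped": key_a1 != unlock_key(auth, cred_b, salt_a),
        "output_len_32": len(key_a1) == 32,
    }


if __name__ == "__main__":
    print(check_properties())
```

The client only has to persist the credential id and the salt, neither of which is secret; the key itself exists only while the authenticator is present and the user has touched it or entered the PIN, which is what "scoped to a credential" buys you.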
## hardware

#### OpenSK

#### solo2

#### nitrokey

### code snippets

Source: https://gist.github.com/alexgwolff/5d7f6802996cad2847c4a16995da410b

```text
Using resident keys

If your security key supports FIDO2 resident keys*, like the YubiKey 5 Series, YubiKey 5 FIPS Series, or the Security Key NFC by Yubico, you can enable this when creating your SSH key:

$ ssh-keygen -t ecdsa-sk -O resident

This works the same as before, except a resident key is easier to import to a new computer because it can be loaded directly from the security key. To use the SSH key on a new computer, make sure you have ssh-agent running and simply run:

$ ssh-add -K

This will load a “key handle” into the SSH agent and make the key available for use on the new computer. This works great for short visits, but it won’t last forever – you’ll need to run ssh-add again if you reboot the computer, for example. To import the key permanently, instead run:

$ ssh-keygen -K

This will write two files into the current directory: id_ecdsa_sk_rk and id_ecdsa_sk_rk.pub. Now you just need to rename the private key file to id_ecdsa_sk and move it into your SSH directory:

$ mv id_ecdsa_sk_rk ~/.ssh/id_ecdsa_sk

Finally, there’s one more feature to be excited about…
```

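The `.pub` file that `ssh-keygen -K` writes looks like any other public key, but its blob carries one extra field worth checking: the FIDO "application" (relying-party id, `ssh:` by default) that the credential is bound to. The parser below is an added example, not part of the gist or of OpenSSH, and follows the wire layout documented in OpenSSH's `PROTOCOL.u2f` (a sequence of length-prefixed SSH strings); the sample key line it builds is constructed with a dummy point, and the function names are my own. Whether a credential is resident is not visible in the public key, so the parser does not claim to know it.

```python
import base64
import struct

# Public-key wire formats from OpenSSH's PROTOCOL.u2f (each field is an SSH
# "string": 4-byte big-endian length followed by the bytes):
#   sk-ecdsa-sha2-nistp256@openssh.com: type, curve name, EC point Q, application
#   sk-ssh-ed25519@openssh.com:         type, 32-byte public key, application
SK_ECDSA = "sk-ecdsa-sha2-nistp256@openssh.com"
SK_ED25519 = "sk-ssh-ed25519@openssh.com"


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int) -> tuple[bytes, int]:
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def parse_sk_pubkey(line: str) -> dict:
    """Parse one .pub / authorized_keys line for a security-key-backed key."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    if key_type not in (SK_ECDSA, SK_ED25519):
        raise ValueError("not a security-key-backed key type: %s" % key_type)
    blob = base64.b64decode(b64, validate=True)

    wire_type, off = _read_string(blob, 0)
    if wire_type != key_type.encode():
        raise ValueError("key type inside blob does not match the line's type field")

    if key_type == SK_ECDSA:
        curve, off = _read_string(blob, off)
        point, off = _read_string(blob, off)
        if curve != b"nistp256":
            raise ValueError("unexpected curve %r" % curve)
        if len(point) != 65 or point[0] != 0x04:
            raise ValueError("Q must be an uncompressed P-256 point")
        public = point
    else:
        public, off = _read_string(blob, off)
        if len(public) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")

    application, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after application field")
    app = application.decode("utf-8")
    # OpenSSH only accepts applications that begin with "ssh:"; this is the FIDO
    # relying-party id the credential is bound to, so the same credential cannot
    # be asserted for some other relying party.
    if not app.startswith("ssh:"):
        raise ValueError("application must start with 'ssh:'")

    return {"type": key_type, "public": public.hex(), "application": app, "comment": comment}


def build_sample_ecdsa_sk_line(application: str = "ssh:", comment: str = "constructed") -> str:
    """Constructed sample .pub line; the EC point is a dummy, not a real key."""
    q = b"\x04" + bytes([0x11]) * 32 + bytes([0x22]) * 32
    blob = (_ssh_string(SK_ECDSA.encode()) + _ssh_string(b"nistp256")
            + _ssh_string(q) + _ssh_string(application.encode()))
    return "%s %s %s" % (SK_ECDSA, base64.b64encode(blob).decode(), comment)


if __name__ == "__main__":
    print(parse_sk_pubkey(build_sample_ecdsa_sk_line()))
```

Running this over a real `id_ecdsa_sk_rk.pub` shows the application the key was enrolled with, which is the value you need to keep consistent (via `-O application=ssh:...`) if you maintain several SSH credentials on one authenticator.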
## references

https://2fa.directory/int/