---
keywords:
- IT
- Security
---

# Fido2

### features

- U2F

Add the needed pam config entry. The `-n` flag is needed when you ADD another key: it omits the username prefix, otherwise the username is written again and destroys the login.

```
mkdir ~/.config/Yubico
pamu2fcfg -o pam://hostname -i pam://hostname > ~/.config/Yubico/u2f_keys
pamu2fcfg -o pam://$(hostname) -i pam://$(hostname) -n >> ~/.config/Yubico/u2f_keys
```

- WebAuthn
  - main feature: login with username (a value known by the user), challenge/response (the secret) and button (interactive) / PIN
  - https://webauthn.io/ to test
- resident keys
- HMAC-secret extension
  - symmetric key scoped to a credential
  - https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html#sctn-hmac-secret-extension

## hardware

##### udev rules

In general there should be no need to add the rules after installing libfido2: https://github.com/Yubico/libfido2/blob/main/udev/70-u2f.rules. This list just contains legitimate FIDO2 tokens.

#### OpenSK

##### udev

https://raw.githubusercontent.com/google/OpenSK/f2496a8e6d71a4e838884996a1c9b62121f87df2/rules.d/55-opensk.rules

#### solo2

```bash
sudo lpc55 ls
bootloaders:
  Bootloader { vid: 1209, pid: B000, uuid: 114C99D86DB0D15B9FD0A6490962122E }

sudo lpc55 info
Properties {
    current_version: Version {
        mark: Some('K'),
        major: 3,
        minor: 0,
        fixation: 0,
    },
    target_version: Version {
        mark: Some('T'),
        major: 1,
        minor: 1,
        fixation: 4,
    },
    available_commands: ERASE_FLASH_ALL | ERASE_FLASH | READ_MEMORY | FLASH_SECURITY_DISABLE | GET_PROPERTY | RECEIVE_SB_FILE | CALL | RESET | FLASH_READ_RESOURCE,
    available_peripherals: USB_HID,
    pfr_keystore_update_option: Keystore,
    ram_start_address: 536870912,
    ram_size: 262144,
    flash_start_address: 0,
    flash_size: 646656,
    flash_page_size: 512,
    flash_sector_size: 32768,
    verify_writes: true,
    flash_locked: true,
    max_packet_size: 56,
    device_uuid: 22994610845492304205348126649701503534,
    system_uuid: 1168442901135557,
    crc_check_status: CrcChecker(Invalid),
    reserved_regions: [
        (335544320, 335568895),
        (67108864, 67141631),
        (805306368, 805330943),
        (536870912, 536895487),
    ],
    irq_notification_pin: IrqNotificationPin { pin: 0, port: 0, enabled: false },
}
```

#### somu

It is built around the STM32L432KC: https://www.st.com/en/microcontrollers-microprocessors/stm32l432kc.html

#### nitrokey

##### storage

##### start

##### udev

https://raw.githubusercontent.com/Nitrokey/libnitrokey/master/data/41-nitrokey.rules

### code snippets

Resident keys aka discoverable credentials. Use `fido2-token -S` to set the PIN first, otherwise everything else fails; after entering the PIN an additional touch is needed, although the tool does not say so. Check the resident credentials with

```bash
fido2-token -I -c /dev/hidrawX
fido2-token -L -r /dev/hidrawX
```

You can then check this in detail:

```
fido2-token -L -k ssh: /dev/hidrawX
00: m4LrqX8qMtFisoixm0whdQ== openssh AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= eddsa uvopt+id
```

To get the "resident-key aka dc" onto the host, call `ssh-keygen -K`. You get the two files, but the private key is a stub (?, see https://github.com/openssh/openssh-portable/raw/master/PROTOCOL.u2f).

The YubiKey seems to support only ecdsa and not ed25519.

To add this "rk or dc thing" into the agent: `ssh-add -K`. It seems that the `user@host` info gets lost while transferring this into the dongle's space.

Quoted from https://gist.github.com/alexgwolff/5d7f6802996cad2847c4a16995da410b:

```
Using resident keys

If your security key supports FIDO2 resident keys*, like the YubiKey 5 Series, YubiKey 5 FIPS Series, or the Security Key NFC by Yubico, you can enable this when creating your SSH key:

$ ssh-keygen -t ecdsa-sk -O resident

This works the same as before, except a resident key is easier to import to a new computer because it can be loaded directly from the security key. To use the SSH key on a new computer, make sure you have ssh-agent running and simply run:

$ ssh-add -K

This will load a “key handle” into the SSH agent and make the key available for use on the new computer. This works great for short visits, but it won’t last forever – you’ll need to run ssh-add again if you reboot the computer, for example. To import the key permanently, instead run:

$ ssh-keygen -K

This will write two files into the current directory: id_ecdsa_sk_rk and id_ecdsa_sk_rk.pub. Now you just need to rename the private key file to id_ecdsa_sk and move it into your SSH directory:

$ mv id_ecdsa_sk_rk ~/.ssh/id_ecdsa_sk

Finally, there’s one more feature to be excited about…
```

## references

https://2fa.directory/int/