gedankensplitter/fido2.md
2022-12-02 06:38:10 +01:00


keywords
IT
Security

Fido2

features

  • U2F: add the needed PAM config entry. The `-n` is needed to ADD another key; without it the username is written again, which destroys the login.

```shell
mkdir ~/.config/Yubico
# first key: creates the file with the username prefix
pamu2fcfg -o pam://$(hostname) -i pam://$(hostname) > ~/.config/Yubico/u2f_keys
# additional key: -n omits the username so the entry is appended to the same line
pamu2fcfg -o pam://$(hostname) -i pam://$(hostname) -n >> ~/.config/Yubico/u2f_keys
```
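Added example (not from the original notes or from pam-u2f): a small validator for the `u2f_keys` line format that simulates the `>>` append with and without `-n` and flags the glued-username line that breaks the login. The option token set and the no-trailing-newline behaviour of `pamu2fcfg` are assumptions based on pam-u2f's documented key-file format; all key values are constructed.

```python
"""Check a pam_u2f u2f_keys line and simulate `pamu2fcfg ... >> u2f_keys`."""
import re

# Option tokens pam_u2f writes into the 4th credential field (assumed set).
KNOWN_OPTIONS = {"presence", "pin", "verification"}
B64 = re.compile(r"^[A-Za-z0-9+/=_-]+$")


def parse_u2f_line(line: str):
    """Return (username, [credentials]); raise ValueError on a broken line."""
    parts = line.rstrip("\n").split(":")
    if len(parts) < 2 or not parts[0]:
        raise ValueError("line needs '<user>:<cred>[:<cred>...]'")
    user, creds = parts[0], []
    for i, chunk in enumerate(parts[1:], 1):
        fields = chunk.split(",")
        if len(fields) not in (2, 4):   # old 2-field or new 4-field format
            raise ValueError(f"credential {i}: expected 2 or 4 comma fields")
        kh, pk = fields[0], fields[1]
        if not (B64.match(kh) and B64.match(pk)):
            raise ValueError(f"credential {i}: key handle/public key not base64")
        cred = {"key_handle": kh, "public_key": pk}
        if len(fields) == 4:
            tokens = [t for t in re.split(r"[+-]", fields[3]) if t]
            bad = [t for t in tokens if t not in KNOWN_OPTIONS]
            if bad:
                raise ValueError(f"credential {i}: unknown options {bad} "
                                 "(username glued to the previous key?)")
            cred.update({"cose": fields[2], "options": tokens})
        creds.append(cred)
    return user, creds


def simulate_append(existing: str, pamu2fcfg_output: str) -> str:
    """pamu2fcfg prints no trailing newline (assumed), so `>>` concatenates."""
    return existing + pamu2fcfg_output


def check(line: str):
    """(ok, message) for a u2f_keys line, for use in a post-enrollment check."""
    try:
        user, creds = parse_u2f_line(line)
        return True, f"{user}: {len(creds)} credential(s)"
    except ValueError as e:
        return False, str(e)


# Constructed sample values, not real credentials.
FIRST = "alice:S2gx,UEsx,es256,+presence"
WITH_N = ":S2gy,UEsy,es256,+presence"          # output of `pamu2fcfg -n`
WITHOUT_N = "alice:S2gy,UEsy,es256,+presence"  # output without -n
```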

hardware

udev rules

In general there should be no need to add the rules after installing libfido2: https://github.com/Yubico/libfido2/blob/main/udev/70-u2f.rules. This list only contains legitimate FIDO2 tokens.


OpenSK

udev

https://raw.githubusercontent.com/google/OpenSK/f2496a8e6d71a4e838884996a1c9b62121f87df2/rules.d/55-opensk.rules

solo2

```shell
sudo lpc55 ls
bootloaders:
Bootloader { vid: 1209, pid: B000, uuid: 114C99D86DB0D15B9FD0A6490962122E }
```

```shell
sudo lpc55 info
Properties {
    current_version: Version {
        mark: Some(
            'K',
        ),
        major: 3,
        minor: 0,
        fixation: 0,
    },
    target_version: Version {
        mark: Some(
            'T',
        ),
        major: 1,
        minor: 1,
        fixation: 4,
    },
    available_commands: ERASE_FLASH_ALL | ERASE_FLASH | READ_MEMORY | FLASH_SECURITY_DISABLE | GET_PROPERTY | RECEIVE_SB_FILE | CALL | RESET | FLASH_READ_RESOURCE,
    available_peripherals: USB_HID,
    pfr_keystore_update_option: Keystore,
    ram_start_address: 536870912,
    ram_size: 262144,
    flash_start_address: 0,
    flash_size: 646656,
    flash_page_size: 512,
    flash_sector_size: 32768,
    verify_writes: true,
    flash_locked: true,
    max_packet_size: 56,
    device_uuid: 22994610845492304205348126649701503534,
    system_uuid: 1168442901135557,
    crc_check_status: CrcChecker(
        Invalid,
    ),
    reserved_regions: [
        (
            335544320,
            335568895,
        ),
        (
            67108864,
            67141631,
        ),
        (
            805306368,
            805330943,
        ),
        (
            536870912,
            536895487,
        ),
    ],
    irq_notification_pin: IrqNotificationPin {
        pin: 0,
        port: 0,
        enabled: false,
    },
}
```

somu

It is built around the STM32L432KC: https://www.st.com/en/microcontrollers-microprocessors/stm32l432kc.html

nitrokey

storage
start
udev

https://raw.githubusercontent.com/Nitrokey/libnitrokey/master/data/41-nitrokey.rules

code snippets

resident-key aka discoverable credentials: use `fido2-token -S` to set the PIN first, otherwise everything else fails. After using the PIN an additional touch is needed, but this is not announced. Check this with

```shell
fido2-token -I -c /dev/hidrawX
fido2-token -L -r /dev/hidrawX
```

You can then check this in detail:

```shell
fido2-token -L -k ssh: /dev/hidrawX
00: m4LrqX8qMtFisoixm0whdQ== openssh AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= eddsa uvopt+id
```

To get the "resident-key aka dc" call `ssh-keygen -K`. You get the two files, but the private key is a stub (?, see https://github.com/openssh/openssh-portable/raw/master/PROTOCOL.u2f). The YubiKey seems to support only ecdsa and not ed25519. To add this "rk or dc thing" into the agent: `ssh-add -K`. It seems that the user@host info gets lost while transferring this into the dongle's storage.

Using resident keys: if your security key supports FIDO2 resident keys*, like the YubiKey 5 Series, YubiKey 5 FIPS Series, or the Security Key NFC by Yubico, you can enable this when creating your SSH key:

```shell
$ ssh-keygen -t ecdsa-sk -O resident
```

This works the same as before, except a resident key is easier to import to a new computer because it can be loaded directly from the security key. To use the SSH key on a new computer, make sure you have ssh-agent running and simply run:

```shell
$ ssh-add -K
```

This will load a "key handle" into the SSH agent and make the key available for use on the new computer. This works great for short visits, but it won't last forever: you'll need to run ssh-add again if you reboot the computer, for example. To import the key permanently, instead run:

```shell
$ ssh-keygen -K
```

This will write two files into the current directory: id_ecdsa_sk_rk and id_ecdsa_sk_rk.pub. Now you just need to rename the private key file to id_ecdsa_sk and move it into your SSH directory:

```shell
$ mv id_ecdsa_sk_rk ~/.ssh/id_ecdsa_sk
```

Finally, there's one more feature to be excited about…

references

https://2fa.directory/int/