---
keywords:
- IT
- Security
---

# FIDO2

### features

- U2F

Add the needed PAM config entry (`pam_u2f.so`), then register the key with `pamu2fcfg`. The origin (`-o`) and appid (`-i`) must be identical for every registered key and must match the `origin=`/`appid=` the PAM module uses (both default to `pam://<hostname>`), so use `$(hostname)` in both commands rather than the literal word `hostname`. The `-n` (`--nouser`) flag is needed when ADDING another key: it omits the `username:` prefix so the new key is appended to the user's existing line. Without it a second `username:` line is written, which pam_u2f does not merge with the first, and the login breaks.

```
mkdir -p ~/.config/Yubico
pamu2fcfg -o pam://$(hostname) -i pam://$(hostname) > ~/.config/Yubico/u2f_keys
pamu2fcfg -o pam://$(hostname) -i pam://$(hostname) -n >> ~/.config/Yubico/u2f_keys
```

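The failure mode above (a second `username:` line instead of one line holding both keys) is easy to check for before you lock yourself out. The following checker is an added example and not part of pam-u2f; it assumes the `u2f_keys` line layout documented by pam-u2f (two comma-separated parts per key in files written by old versions, four in current ones), and the key handles and public keys in the sample data are placeholders, not real registrations.

```sh
#!/bin/sh
# Sanity-check a pam_u2f u2f_keys file before relying on it to log in.
# Expected layout (one line per user, keys separated by ":"):
#   <user>:<KeyHandle1>,<PubKey1>,<CoseType1>,<Options1>:<KeyHandle2>,<PubKey2>,...
# Files written by pam-u2f < 1.1 carry only <KeyHandle>,<PubKey> per key, so
# 2 or 4 comma-separated parts are accepted (assumption for this example).
# Added example, not pam-u2f code; needs only POSIX sh and awk.

# Exit 0 when every user appears on exactly one line and every key is
# well-formed; otherwise report the problems on stderr and exit 1.
check_u2f_keys() {
    awk -F: '
        NF == 0 { next }                        # tolerate blank lines
        {
            user = $1
            # A user on two lines is the "forgot -n" mistake: pamu2fcfg wrote
            # "user:<key>" again instead of ":<key>" appended to the first line.
            if (seen[user]++) { printf "duplicate line for user %s\n", user > "/dev/stderr"; bad = 1 }
            if (NF < 2 || $2 == "") { printf "no key for user %s\n", user > "/dev/stderr"; bad = 1 }
            for (i = 2; i <= NF; i++) {
                n = split($i, parts, ",")
                if (n != 2 && n != 4) {
                    printf "user %s key %d has %d parts, expected 2 or 4\n", user, i - 1, n > "/dev/stderr"
                    bad = 1
                }
            }
        }
        END { exit bad }
    ' "$1"
}

# Print how many keys the first line for a user holds (0 if the user is absent).
u2f_key_count() {
    awk -F: -v user="$2" '$1 == user { print NF - 1; found = 1; exit } END { if (!found) print 0 }' "$1"
}

# Usage: check_u2f_keys ~/.config/Yubico/u2f_keys && u2f_key_count ~/.config/Yubico/u2f_keys "$USER"
```

Run it right after each `pamu2fcfg ... >> u2f_keys`; a non-zero exit means the file will not authenticate the way you expect.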
- WebAuthn
  - the main feature: login with a username (something the user knows), a challenge-response signature made with the credential's private key (something the user has) and a touch (user presence) or a PIN (user verification)
  - https://webauthn.io/ to test
  - resident keys (discoverable credentials): the credential is stored on the authenticator, so the relying party does not have to hand back a credential id first
  - hmac-secret extension
    - a symmetric key scoped to a credential: the authenticator returns HMAC-SHA-256 of a per-credential secret over a salt the client supplies, so a given credential and salt always yield the same 32-byte secret and no other credential can reproduce it (used e.g. to wrap disk-encryption keys)
    - https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html#sctn-hmac-secret-extension

## hardware

#### udev rules

In general there should be no need to add the rules manually after installing libfido2; the package ships them:

https://github.com/Yubico/libfido2/blob/main/udev/70-u2f.rules

This list only contains known FIDO tokens, matched by USB vendor/product id, so a new or unusual token may need a rule of its own.

#### OpenSK

##### udev

https://raw.githubusercontent.com/google/OpenSK/f2496a8e6d71a4e838884996a1c9b62121f87df2/rules.d/55-opensk.rules

#### solo2

```bash
sudo lpc55 ls
bootloaders:
Bootloader { vid: 1209, pid: B000, uuid: 114C99D86DB0D15B9FD0A6490962122E }

sudo lpc55 info
Properties {
    current_version: Version {
        mark: Some(
            'K',
        ),
        major: 3,
        minor: 0,
        fixation: 0,
    },
    target_version: Version {
        mark: Some(
            'T',
        ),
        major: 1,
        minor: 1,
        fixation: 4,
    },
    available_commands: ERASE_FLASH_ALL | ERASE_FLASH | READ_MEMORY | FLASH_SECURITY_DISABLE | GET_PROPERTY | RECEIVE_SB_FILE | CALL | RESET | FLASH_READ_RESOURCE,
    available_peripherals: USB_HID,
    pfr_keystore_update_option: Keystore,
    ram_start_address: 536870912,
    ram_size: 262144,
    flash_start_address: 0,
    flash_size: 646656,
    flash_page_size: 512,
    flash_sector_size: 32768,
    verify_writes: true,
    flash_locked: true,
    max_packet_size: 56,
    device_uuid: 22994610845492304205348126649701503534,
    system_uuid: 1168442901135557,
    crc_check_status: CrcChecker(
        Invalid,
    ),
    reserved_regions: [
        (
            335544320,
            335568895,
        ),
        (
            67108864,
            67141631,
        ),
        (
            805306368,
            805330943,
        ),
        (
            536870912,
            536895487,
        ),
    ],
    irq_notification_pin: IrqNotificationPin {
        pin: 0,
        port: 0,
        enabled: false,
    },
}
```

Worth a look in that output: `flash_locked: true`, and which bootloader commands the device advertises under `available_commands` (here among others `READ_MEMORY` and `FLASH_SECURITY_DISABLE`).

#### somu

It is built around the STM32L432KC: https://www.st.com/en/microcontrollers-microprocessors/stm32l432kc.html

#### nitrokey

##### storage

##### start

##### udev

https://raw.githubusercontent.com/Nitrokey/libnitrokey/master/data/41-nitrokey.rules

### code snippets

Resident keys, aka discoverable credentials: set a PIN first with `fido2-token -S /dev/hidrawX`, otherwise every PIN-protected operation below fails. After the PIN is entered an additional touch is still required, although the tool does not announce it. Check the state with:

```bash
fido2-token -I -c /dev/hidrawX   # credential-management metadata: resident credentials stored / slots remaining
fido2-token -L -r /dev/hidrawX   # relying parties that have resident credentials on this token
```

You can then list the credentials of one relying party in detail (here the `ssh:` application used by OpenSSH):

```
fido2-token -L -k ssh: /dev/hidrawX
00: m4LrqX8qMtFisoixm0whdQ== openssh AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= eddsa uvopt+id
```

The columns are: index, credential id (base64), user name, user id (base64), key type, and credProtect policy (`uvopt+id` = user verification optional with credential id list).

To download a resident key onto a new machine, run `ssh-keygen -K`. You get the usual two files, but the private key file is only a stub: it holds the key handle plus metadata, while the private key itself never leaves the authenticator (see https://github.com/openssh/openssh-portable/raw/master/PROTOCOL.u2f). YubiKeys need firmware 5.2.3 or later for `ed25519-sk`; older ones support only `ecdsa-sk`.

To load a resident key into the running agent instead, run `ssh-add -K`. The `user@host` comment does not survive the trip through the token: the authenticator stores only the application string (`ssh:` plus whatever `-O application=` set) and the user field (`-O user=`), not the key comment, so choose distinguishable values for those at key-creation time if you need to tell resident keys apart later.

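To see what the token can actually identify a key by (and why the comment is gone after `ssh-keygen -K`), here is a small decoder for the public half of an `-sk` key. It is an added example written for this page, not OpenSSH's code; it follows the blob layout from PROTOCOL.u2f (key type, public key, application string, with a curve name inserted for ecdsa keys). The sample key is constructed, not a real one (all-zero public key bytes, application `ssh:work`), and `base64 -d` plus `od` from GNU coreutils and a POSIX awk are assumed.

```sh
#!/bin/sh
# Decode the public half of an OpenSSH security-key ("-sk") key to see what the
# authenticator actually identifies it by. Added example, not OpenSSH's code.
# Blob layout (PROTOCOL.u2f); every item is an SSH "string": 4-byte big-endian
# length followed by the bytes.
#   sk-ssh-ed25519@openssh.com:          type, pubkey, application
#   sk-ecdsa-sha2-nistp256@openssh.com:  type, curve, pubkey, application
# Assumes GNU coreutils (base64 -d, od) and a POSIX awk.

# Parse a hex dump of the blob. Prints type=..., strings=... and, for sk keys,
# application=...; returns 1 on a truncated or empty blob.
sk_pubkey_info_hex() {
    printf '%s\n' "$1" | awk '
    function hexval(h,   i, v) {                 # hex string -> number
        v = 0
        for (i = 1; i <= length(h); i++)
            v = v * 16 + index("0123456789abcdef", tolower(substr(h, i, 1))) - 1
        return v
    }
    function ascii(h,   i, c, s) {               # hex -> text, non-printables as "."
        s = ""
        for (i = 1; i <= length(h); i += 2) {
            c = hexval(substr(h, i, 2))
            s = s ((c >= 32 && c < 127) ? sprintf("%c", c) : ".")
        }
        return s
    }
    {
        hex = $1; pos = 1; n = 0
        while (pos + 7 <= length(hex)) {         # a full 4-byte length is left
            len = hexval(substr(hex, pos, 8)); pos += 8
            if (pos + len * 2 - 1 > length(hex)) { print "error: truncated blob"; exit 1 }
            field[++n] = substr(hex, pos, len * 2); pos += len * 2
        }
        if (n == 0) { print "error: empty blob"; exit 1 }
        type = ascii(field[1])
        printf "type=%s\nstrings=%d\n", type, n
        if (type ~ /^sk-/) {
            app = (type ~ /^sk-ecdsa/) ? 4 : 3   # ecdsa carries the curve name before the key
            if (n < app) { print "error: sk key without application string"; exit 1 }
            printf "application=%s\n", ascii(field[app])
        }
    }'
}

# Take a whole .pub line ("<type> <base64> [comment]"). The comment is printed
# separately: it lives only in this text line, never inside the blob, which is
# why it is gone after a resident key is downloaded again with ssh-keygen -K.
sk_pubkey_info() {
    rest=${1#* }                                 # drop the leading type word
    blob=${rest%% *}
    comment=""
    if [ "$rest" != "$blob" ]; then comment=${rest#* }; fi
    hex=$(printf '%s' "$blob" | base64 -d | od -An -v -tx1 | tr -d ' \n')
    sk_pubkey_info_hex "$hex" || return 1
    printf 'comment=%s\n' "$comment"
}

# Constructed sample (NOT a real key): an ed25519 sk key whose 32 public-key
# bytes are all zero, application "ssh:work", plus the comment ssh-keygen adds.
SAMPLE_PUB="sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAI$(printf '%047d' 0 | tr 0 A)CHNzaDp3b3Jr user@host"

sk_pubkey_info "$SAMPLE_PUB"
```

Feed it your own `~/.ssh/id_ed25519_sk.pub` with `sk_pubkey_info "$(cat ~/.ssh/id_ed25519_sk.pub)"`: the `application=` line is exactly the relying party you pass to `fido2-token -L -k`, and it is all the token keeps besides the user field.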
Quoted from https://gist.github.com/alexgwolff/5d7f6802996cad2847c4a16995da410b:

```text
Using resident keys
If your security key supports FIDO2 resident keys*, like the YubiKey 5 Series, YubiKey 5 FIPS Series, or the Security Key NFC by Yubico, you can enable this when creating your SSH key:

$ ssh-keygen -t ecdsa-sk -O resident

This works the same as before, except a resident key is easier to import to a new computer because it can be loaded directly from the security key. To use the SSH key on a new computer, make sure you have ssh-agent running and simply run:

$ ssh-add -K

This will load a “key handle” into the SSH agent and make the key available for use on the new computer. This works great for short visits, but it won’t last forever – you’ll need to run ssh-add again if you reboot the computer, for example. To import the key permanently, instead run:

$ ssh-keygen -K

This will write two files into the current directory: id_ecdsa_sk_rk and id_ecdsa_sk_rk.pub. Now you just need to rename the private key file to id_ecdsa_sk and move it into your SSH directory:

$ mv id_ecdsa_sk_rk ~/.ssh/id_ecdsa_sk

Finally, there’s one more feature to be excited about…
```

## references

https://2fa.directory/int/