gedankensplitter/fido2.md
2022-12-02 06:38:10 +01:00

---
keywords:
- IT
- Security
---
# Fido2
## features
- U2F
  Add the needed pam config entry. The `-n` is needed to add another key; otherwise the username is written again in front of the appended key, which breaks the line format and the login.
  ```bash
  mkdir -p ~/.config/Yubico
  # first key: writes "<user>:<keyhandle>,<pubkey>,..."; origin (-o) and appid (-i) must be the same for all keys
  pamu2fcfg -o pam://$(hostname) -i pam://$(hostname) > ~/.config/Yubico/u2f_keys
  # additional key: -n omits the username so the record is appended to the same line
  pamu2fcfg -o pam://$(hostname) -i pam://$(hostname) -n >> ~/.config/Yubico/u2f_keys
  ```
- WebAuthn
  - main feature: login with a username (a value the user knows), a challenge-response signature (the secret) and a button press (interactive) or PIN
  - https://webauthn.io/ to test
- resident keys
- HMAC-secret extension
  - a symmetric key scoped to a credential
  - https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html#sctn-hmac-secret-extension
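As an added example (not from these notes or from pam_u2f), a small Python linter for the `u2f_keys` file that `pamu2fcfg` writes: it parses the `<username>:<keyhandle>,<pubkey>,<cose>,<options>:...` format and flags the line that results when a second key is appended without `-n`. The registration records are constructed, and the accepted COSE and option names are assumed from pam_u2f's documented format.

```python
import base64
import re

# pam_u2f's u2f_keys format (one user per line), as written by pamu2fcfg:
#   <username>:<KeyHandle1>,<PublicKey1>,<CoseType1>,<Options1>:<KeyHandle2>,...
COSE_TYPES = {"es256", "eddsa", "rs256"}            # assumed from pam_u2f docs
KNOWN_OPTIONS = {"presence", "verification", "pin"}  # assumed from pam_u2f docs
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def lint_u2f_keys(text):
    """Return (users, problems): users maps name -> list of credential dicts,
    problems lists human-readable findings (empty means the file is sane)."""
    users, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        username, *entries = line.split(":")
        if not username or not entries:
            problems.append(f"line {lineno}: expected <username>:<entry>[:<entry>...]")
            continue
        creds = []
        for entry in entries:
            fields = entry.split(",")
            if len(fields) != 4:
                problems.append(f"line {lineno}: {entry!r} does not have 4 fields")
                continue
            key_handle, public_key, cose, options = fields
            if not (B64_RE.match(key_handle) and B64_RE.match(public_key)):
                problems.append(f"line {lineno}: key handle/public key is not base64")
            if cose not in COSE_TYPES:
                problems.append(f"line {lineno}: unknown COSE type {cose!r}")
            # A second "username:" glued onto the previous options field is exactly
            # what a missing `pamu2fcfg -n` produces; it shows up as an unknown option.
            opts = options.split("+")
            if opts[0] != "" or not set(opts[1:]) <= KNOWN_OPTIONS:
                problems.append(f"line {lineno}: bad options {options!r} "
                                "(second key appended without pamu2fcfg -n?)")
            creds.append({"key_handle": key_handle, "public_key": public_key,
                          "cose": cose, "options": opts[1:]})
        users[username] = creds
    return users, problems

def _reg(n):
    """Constructed stand-in for one pamu2fcfg registration record (no username)."""
    kh = base64.b64encode(f"key-handle-{n}".encode()).decode()
    pk = base64.b64encode(f"public-key-{n}".encode()).decode()
    return f"{kh},{pk},es256,+presence"

GOOD_FILE = "alice:" + _reg(1) + ":" + _reg(2)      # second key added with -n
BAD_FILE = "alice:" + _reg(1) + "alice:" + _reg(2)  # second key added without -n
```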
## hardware
### udev rules
In general there should be no need to add the rules after installing libfido2:
https://github.com/Yubico/libfido2/blob/main/udev/70-u2f.rules
This list only contains legitimate FIDO2 tokens.
### OpenSK
#### udev
https://raw.githubusercontent.com/google/OpenSK/f2496a8e6d71a4e838884996a1c9b62121f87df2/rules.d/55-opensk.rules
### solo2
```bash
sudo lpc55 ls
bootloaders:
Bootloader { vid: 1209, pid: B000, uuid: 114C99D86DB0D15B9FD0A6490962122E }
sudo lpc55 info
Properties {
    current_version: Version {
        mark: Some(
            'K',
        ),
        major: 3,
        minor: 0,
        fixation: 0,
    },
    target_version: Version {
        mark: Some(
            'T',
        ),
        major: 1,
        minor: 1,
        fixation: 4,
    },
    available_commands: ERASE_FLASH_ALL | ERASE_FLASH | READ_MEMORY | FLASH_SECURITY_DISABLE | GET_PROPERTY | RECEIVE_SB_FILE | CALL | RESET | FLASH_READ_RESOURCE,
    available_peripherals: USB_HID,
    pfr_keystore_update_option: Keystore,
    ram_start_address: 536870912,
    ram_size: 262144,
    flash_start_address: 0,
    flash_size: 646656,
    flash_page_size: 512,
    flash_sector_size: 32768,
    verify_writes: true,
    flash_locked: true,
    max_packet_size: 56,
    device_uuid: 22994610845492304205348126649701503534,
    system_uuid: 1168442901135557,
    crc_check_status: CrcChecker(
        Invalid,
    ),
    reserved_regions: [
        (
            335544320,
            335568895,
        ),
        (
            67108864,
            67141631,
        ),
        (
            805306368,
            805330943,
        ),
        (
            536870912,
            536895487,
        ),
    ],
    irq_notification_pin: IrqNotificationPin {
        pin: 0,
        port: 0,
        enabled: false,
    },
}
```
### somu
It is built around the STM32L432KC: https://www.st.com/en/microcontrollers-microprocessors/stm32l432kc.html
### nitrokey
#### storage
#### start
#### udev
https://raw.githubusercontent.com/Nitrokey/libnitrokey/master/data/41-nitrokey.rules
## code snippets
Resident keys, aka discoverable credentials: use `fido2-token -S` to set a PIN first, otherwise everything else fails. After entering the PIN an additional touch is needed, but the tool does not announce it. Check this with:
```bash
fido2-token -I -c /dev/hidrawX
fido2-token -L -r /dev/hidrawX
```
You can then check this in detail:
```bash
fido2-token -L -k ssh: /dev/hidrawX
00: m4LrqX8qMtFisoixm0whdQ== openssh AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= eddsa uvopt+id
```
To download the resident key (aka discoverable credential) run `ssh-keygen -K`. You get the two files, but the private key file is only a stub (it holds the key handle; see https://github.com/openssh/openssh-portable/raw/master/PROTOCOL.u2f). YubiKey seems to support only ecdsa-sk and not ed25519-sk.
To add this resident key to the agent run `ssh-add -K`. It seems that the `user@host` comment gets lost when the key is stored on the token.
Quoted from https://gist.github.com/alexgwolff/5d7f6802996cad2847c4a16995da410b:
```
Using resident keys: If your security key supports FIDO2 resident keys*, like the YubiKey 5 Series, YubiKey 5 FIPS Series, or the Security Key NFC by Yubico, you can enable this when creating your SSH key:
$ ssh-keygen -t ecdsa-sk -O resident
This works the same as before, except a resident key is easier to import to a new computer because it can be loaded directly from the security key. To use the SSH key on a new computer, make sure you have ssh-agent running and simply run:
$ ssh-add -K
This will load a “key handle” into the SSH agent and make the key available for use on the new computer. This works great for short visits, but it won't last forever; you'll need to run ssh-add again if you reboot the computer, for example. To import the key permanently, instead run:
$ ssh-keygen -K
This will write two files into the current directory: id_ecdsa_sk_rk and id_ecdsa_sk_rk.pub. Now you just need to rename the private key file to id_ecdsa_sk and move it into your SSH directory:
$ mv id_ecdsa_sk_rk ~/.ssh/id_ecdsa_sk
Finally, there's one more feature to be excited about…
```
## references
https://2fa.directory/int/