Fido2
features
- U2F
Add the needed PAM config entry. The `-n` flag is required when ADDING another key; without it the username is written a second time and the login breaks.
```sh
mkdir ~/.config/Yubico
# first key: writes "user:keyhandle,pubkey,..." (origin and appid must match on every run)
pamu2fcfg -o pam://$(hostname) -i pam://$(hostname) > ~/.config/Yubico/u2f_keys
# further keys: -n omits the username so the credential is appended to the same line
pamu2fcfg -o pam://$(hostname) -i pam://$(hostname) -n >> ~/.config/Yubico/u2f_keys
```
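The failure mode described above (a second `pamu2fcfg` run without `-n`) is easy to detect by looking at the resulting file. The following checker is an added example, not code from the page or from the pam_u2f project; it assumes the pam_u2f file layout of one line per user with `:`-separated credentials and uses constructed, fake key handles and public keys for the demo files.

```sh
#!/bin/sh
# Added example, not from the page or from pam_u2f: sanity-check a u2f_keys
# file for the mistake described above (second pamu2fcfg run without -n).
# pam_u2f wants ONE line per user, credentials separated by ':':
#   user:keyhandle,pubkey,cosetype,options:keyhandle,pubkey,cosetype,options
# pamu2fcfg -n omits "user:" and prints no trailing newline, so ">>" extends
# that line; without -n a second "user:..." line appears, and pam_u2f only
# uses the first line for a user, so the new key is never consulted.

# check_u2f_keys FILE: prints a per-user summary; returns 0 when the file is
# sane, 1 when it has a duplicate user or a malformed entry.
check_u2f_keys() {
  awk -F: '
    BEGIN { bad = 0 }
    # a line needs a user and at least one credential after the first colon
    NF < 2 || $1 == "" { printf "MALFORMED line %d: %s\n", NR, $0; bad = 1; next }
    # same user twice: the second line is dead weight for pam_u2f
    seen[$1]++ { printf "DUPLICATE user %s on line %d (pamu2fcfg run without -n?)\n", $1, NR; bad = 1 }
    {
      for (i = 2; i <= NF; i++) {
        # each credential is keyhandle,pubkey[,cosetype,options]
        if (split($i, f, ",") < 2) { printf "MALFORMED credential %d for %s\n", i - 1, $1; bad = 1 }
      }
      printf "%s: %d credential(s)\n", $1, NF - 1
    }
    END { exit bad }
  ' "$1"
}

# Demo on constructed files (fake key handles/public keys, not real credentials).
demo_u2f_keys() {
  dir=$(mktemp -d)
  # right: one line, second credential appended with -n
  printf 'alice:KH1fake,PK1fake,es256,+presence:KH2fake,PK2fake,es256,+presence\n' > "$dir/good"
  # wrong: second key enrolled without -n, so alice appears twice
  printf 'alice:KH1fake,PK1fake,es256,+presence\nalice:KH2fake,PK2fake,es256,+presence\n' > "$dir/bad"
  check_u2f_keys "$dir/good" && echo "good: OK"
  check_u2f_keys "$dir/bad" || echo "bad: rejected, as expected"
  rm -rf "$dir"
}

demo_u2f_keys   # real use: check_u2f_keys ~/.config/Yubico/u2f_keys
```

Run `check_u2f_keys ~/.config/Yubico/u2f_keys` after every enrolment; a non-zero exit means the file would not behave as expected at login.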
- WebAuthn
- main feature: login with a username (a value the user knows), a challenge-response (the secret held by the authenticator) and a button press (interactive) or PIN
- https://webauthn.io/ to test
- resident keys
- HMAC-secret extension
- symmetric key scoped to a credential
- https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html#sctn-hmac-secret-extension
hardware
udev rules
In general there should be no need to add rules after installing libfido2: https://github.com/Yubico/libfido2/blob/main/udev/70-u2f.rules. That list contains only legitimate FIDO2 tokens.
OpenSK
udev
solo2
```sh
sudo lpc55 ls
```
```
bootloaders:
Bootloader { vid: 1209, pid: B000, uuid: 114C99D86DB0D15B9FD0A6490962122E }
```
```sh
sudo lpc55 info
```
```
Properties {
    current_version: Version {
        mark: Some(
            'K',
        ),
        major: 3,
        minor: 0,
        fixation: 0,
    },
    target_version: Version {
        mark: Some(
            'T',
        ),
        major: 1,
        minor: 1,
        fixation: 4,
    },
    available_commands: ERASE_FLASH_ALL | ERASE_FLASH | READ_MEMORY | FLASH_SECURITY_DISABLE | GET_PROPERTY | RECEIVE_SB_FILE | CALL | RESET | FLASH_READ_RESOURCE,
    available_peripherals: USB_HID,
    pfr_keystore_update_option: Keystore,
    ram_start_address: 536870912,
    ram_size: 262144,
    flash_start_address: 0,
    flash_size: 646656,
    flash_page_size: 512,
    flash_sector_size: 32768,
    verify_writes: true,
    flash_locked: true,
    max_packet_size: 56,
    device_uuid: 22994610845492304205348126649701503534,
    system_uuid: 1168442901135557,
    crc_check_status: CrcChecker(
        Invalid,
    ),
    reserved_regions: [
        (
            335544320,
            335568895,
        ),
        (
            67108864,
            67141631,
        ),
        (
            805306368,
            805330943,
        ),
        (
            536870912,
            536895487,
        ),
    ],
    irq_notification_pin: IrqNotificationPin {
        pin: 0,
        port: 0,
        enabled: false,
    },
}
```
somu
It is built around the STM32L432KC: https://www.st.com/en/microcontrollers-microprocessors/stm32l432kc.html
nitrokey
storage
start
udev
https://raw.githubusercontent.com/Nitrokey/libnitrokey/master/data/41-nitrokey.rules
code snippets
resident key aka discoverable credentials: first run `fido2-token -S` to set a PIN, otherwise everything else fails. Once the PIN is in use an additional touch is required, but the tool does not say so. Check this with:
```sh
fido2-token -I -c /dev/hidrawX
fido2-token -L -r /dev/hidrawX
```
You can then check this in detail:
```sh
fido2-token -L -k ssh: /dev/hidrawX
```
```
00: m4LrqX8qMtFisoixm0whdQ== openssh AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= eddsa uvopt+id
```
To get the "resident key aka dc" call `ssh-keygen -K`. You get the two files, but the private key is a stub (?, https://github.com/openssh/openssh-portable/raw/master/PROTOCOL.u2f). YubiKey seems to support only ecdsa and not ed25519.
To add this "rk or dc thing" into the agent call `ssh-add -K`. It seems that the user@host comment gets lost while transferring the key into the dongle's storage.
Using resident keys
If your security key supports FIDO2 resident keys, like the YubiKey 5 Series, YubiKey 5 FIPS Series, or the Security Key NFC by Yubico, you can enable this when creating your SSH key:
```sh
$ ssh-keygen -t ecdsa-sk -O resident
```
This works the same as before, except a resident key is easier to import to a new computer because it can be loaded directly from the security key. To use the SSH key on a new computer, make sure you have ssh-agent running and simply run:
```sh
$ ssh-add -K
```
This will load a "key handle" into the SSH agent and make the key available for use on the new computer. This works great for short visits, but it won't last forever: you'll need to run ssh-add again if you reboot the computer, for example. To import the key permanently, instead run:
```sh
$ ssh-keygen -K
```
This will write two files into the current directory: id_ecdsa_sk_rk and id_ecdsa_sk_rk.pub. Now you just need to rename the private key file to id_ecdsa_sk and move it into your SSH directory:
```sh
$ mv id_ecdsa_sk_rk ~/.ssh/id_ecdsa_sk
```
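The `ssh-keygen -K` then `mv` steps above (and the shorter "code snippets" notes on `ssh-keygen -K` / `ssh-add -K` earlier on this page) leave the exported key stub in whatever directory you happened to be in and silently overwrite an existing `~/.ssh/id_ecdsa_sk`. The script below is an added example, not code from the page, from Yubico or from OpenSSH; it assumes an OpenSSH `ssh-keygen` that supports `-K`, the file names the page gives (`id_<type>_sk_rk`, optionally with a suffix, plus `.pub`), and `$HOME/.ssh` as the destination. `export_sk_keys` needs the token plugged in and prompts for the PIN and touch; `install_sk_keys` is the pure file step and runs anywhere.

```sh
#!/bin/sh
# Added example, not from the page or from Yubico/OpenSSH: wrap the
# "ssh-keygen -K, then rename into ~/.ssh" steps so the private key stub is
# exported into a scratch directory and never overwrites an existing key.
# Assumptions: OpenSSH ssh-keygen with -K; file names id_<type>_sk_rk[_suffix]
# and matching .pub, as described on the page.

# install_sk_keys SRCDIR DESTDIR: move every id_*_sk_rk* pair from SRCDIR into
# DESTDIR, dropping the "_rk" marker, with 0600/0644 modes; never overwrites.
# Prints each installed private key path; returns 1 if any key was skipped.
install_sk_keys() {
  src=$1; dest=$2; rc=0
  mkdir -p "$dest" && chmod 700 "$dest"
  for priv in "$src"/id_*_sk_rk*; do
    [ -f "$priv" ] || continue               # glob matched nothing, or already moved
    case $priv in *.pub) continue ;; esac    # public halves are handled with their private key
    base=$(basename "$priv")
    # id_ecdsa_sk_rk -> id_ecdsa_sk ; id_ecdsa_sk_rk_foo -> id_ecdsa_sk_foo
    name=$(printf '%s' "$base" | sed 's/_rk//')
    if [ -e "$dest/$name" ] || [ -e "$dest/$name.pub" ]; then
      echo "skip $base: $dest/$name already exists" >&2
      rc=1; continue
    fi
    mv "$priv" "$dest/$name" && chmod 600 "$dest/$name"
    [ -f "$priv.pub" ] && mv "$priv.pub" "$dest/$name.pub" && chmod 644 "$dest/$name.pub"
    echo "$dest/$name"
  done
  return $rc
}

# export_sk_keys: pull the resident credentials off the token into a scratch
# directory (ssh-keygen -K asks for the FIDO2 PIN and a touch), then install.
export_sk_keys() {
  work=$(mktemp -d)
  ( cd "$work" && ssh-keygen -K ) || { rm -rf "$work"; return 1; }
  install_sk_keys "$work" "$HOME/.ssh"
  rc=$?
  rm -rf "$work"
  return $rc
}

# Usage with a token present:  export_sk_keys
```

If a key is skipped because `~/.ssh/id_ecdsa_sk` already exists, decide deliberately whether the existing file is an older non-resident key you still need before removing it; the stub written by `-K` only works together with the token it was exported from.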
Finally, there’s one more feature to be excited about…