Project author: psmiraglia

Project description:
Implement FIDO U2F in OpenSSH with SoloKeys
Primary language: Dockerfile
Project URL: git://github.com/psmiraglia/openssh-u2f-solokeys.git
Created: 2020-03-09T16:25:17Z
Project community: https://github.com/psmiraglia/openssh-u2f-solokeys

License:



Implement FIDO U2F in OpenSSH with SoloKeys

According to the release notes, OpenSSH 8.2 introduces support for
FIDO Universal 2nd Factor (U2F) hardware authenticators.
SoloKeys are FIDO2 security keys, so why not use
them to test the new OpenSSH feature?

Note: This tutorial assumes a minimal fresh installation of Ubuntu 18.04
as its starting point and a Solo key running firmware version 3.1.2.

Dependencies

Install the dependencies needed to build OpenSSH from source

  $ sudo apt-get install build-essential libcbor-dev libssl-dev zlib1g-dev

Install libfido2

  $ sudo apt-add-repository ppa:yubico/stable
  $ sudo apt update
  $ sudo apt-get install libfido2-dev libfido2-udev

Build OpenSSH

Get the sources

  $ wget https://openbsd.mirror.garr.it/pub/OpenBSD/OpenSSH/portable/openssh-8.2p1.tar.gz
  $ tar zxvf openssh-8.2p1.tar.gz
  $ cd openssh-8.2p1

Build and install OpenSSH under /home/user/openssh. Installing into a prefix
owned by your user needs no root privileges, and make install also generates
the host keys under that prefix, which the demo sshd below uses. The
--with-security-key-builtin option compiles the libfido2-based security key
support directly into ssh, ssh-keygen and ssh-sk-helper.

  $ ./configure --prefix=/home/user/openssh --with-security-key-builtin
  $ make
  $ make install

Verify the installation

  $ ~/openssh/bin/ssh -V
  OpenSSH_8.2p1, OpenSSL 1.1.1 11 Sep 2018

Generate a keypair

Generate an ECDSA security-key (ecdsa-sk) keypair. The Solo key must be
plugged in and touched when prompted. The resulting private key file holds
a key handle that can only be used while this particular Solo key is present;
the optional passphrase protects that file at rest.

  $ ./openssh/bin/ssh-keygen -vvvv -t ecdsa-sk -C "My Solo Key"
  Generating public/private ecdsa-sk key pair.
  You may need to touch your authenticator to authorize key generation.
  debug3: start_helper: started pid=12093
  debug3: ssh_msg_send: type 5
  debug1: start_helper: starting /home/user/openssh/libexec/ssh-sk-helper
  debug3: ssh_msg_recv entering
  debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
  debug1: sshsk_enroll: using random challenge
  debug1: ssh_sk_enroll: using device /dev/hidraw1
  (...press your Solo key...)
  debug3: ssh_sk_enroll: attestation cert len=775
  debug1: ssh-sk-helper: reply len 1102
  debug3: ssh_msg_send: type 5
  debug3: reap_helper: pid=12093
  Enter file in which to save the key (/home/user/.ssh/id_ecdsa_sk):
  Enter passphrase (empty for no passphrase):
  Enter same passphrase again:
  Your identification has been saved in /home/user/.ssh/id_ecdsa_sk
  Your public key has been saved in /home/user/.ssh/id_ecdsa_sk.pub
  The key fingerprint is:
  SHA256:diHAp8OzNzFDfTr+kLu4RTpSlYggDx7SjF1FdJsJWFY SoloKeys
  The key's randomart image is:
  +-[ECDSA-SK 256]--+
  |.=+.oBO.E. |
  |.o+=.o.=o=... |
  | . ...+* +o |
  | = +oo. |
  | +S=oo |
  | .oo++ |
  | ..o..+ |
  | . +. . |
  | o... |
  +----[SHA256]-----+

Append the pubkey to the authorized_keys file. The server side must also run
OpenSSH 8.2 or later: an older sshd does not recognise the
sk-ecdsa-sha2-nistp256@openssh.com key type and will silently skip the entry.

  $ cat .ssh/id_ecdsa_sk.pub >> .ssh/authorized_keys
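To check what you just authorized, and to confirm that both ends are new enough, here is an added example in Python. It is not code from the openssh-u2f-solokeys project: it parses a public key line in the format ssh-keygen writes and authorized_keys reads, confirms that the type is one of the OpenSSH security-key types, decodes the FIDO application string embedded in the key blob (the "ssh:" that appears in the ssh-keygen debug output above), reports any authorized_keys options placed before the key type, and checks an ssh -V banner for version 8.2 or later. The function names are mine, the sample key lines it builds are constructed placeholders rather than real SoloKeys output, and it assumes authorized_keys options contain no whitespace.

```python
"""Inspect OpenSSH security-key (FIDO) public keys and check the OpenSSH version.

Added example for this tutorial; not code from the openssh-u2f-solokeys
project. Function names are the example author's choice. The key lines built
by make_sample_key() are CONSTRUCTED placeholders, not real SoloKeys output.
"""
import base64
import re
import struct
import sys

# Public key types OpenSSH 8.2 uses for FIDO/U2F-backed keys.
SK_KEY_TYPES = {
    "sk-ecdsa-sha2-nistp256@openssh.com",
    "sk-ssh-ed25519@openssh.com",
}
# First field that looks like a key type; anything before it is an options field
# (assumption: options contain no whitespace).
KEY_TYPE_RE = re.compile(r"^(sk-|ssh-|ecdsa-)")


def ssh_string(buf, off):
    """Decode one SSH wire 'string' (uint32 big-endian length + bytes) at off."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def parse_pubkey_line(line):
    """Parse one id_*.pub / authorized_keys line into a dict.

    Reports the key type, whether it is a security-key type, the curve (ECDSA
    only), the FIDO application string and any leading authorized_keys options.
    """
    fields = line.strip().split()
    idx = next((i for i, f in enumerate(fields) if KEY_TYPE_RE.match(f)), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no key type and key blob found")
    key_type = fields[idx]
    blob = base64.b64decode(fields[idx + 1])
    info = {
        "type": key_type,
        "security_key": key_type in SK_KEY_TYPES,
        "curve": None,
        "application": None,
        "options": " ".join(fields[:idx]),
        "comment": " ".join(fields[idx + 2:]),
    }
    wire_type, off = ssh_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type field does not match the blob")
    if key_type == "sk-ecdsa-sha2-nistp256@openssh.com":
        # blob = type, curve name, EC point, application
        curve, off = ssh_string(blob, off)
        _point, off = ssh_string(blob, off)
        app, off = ssh_string(blob, off)
        info["curve"] = curve.decode()
        info["application"] = app.decode()
    elif key_type == "sk-ssh-ed25519@openssh.com":
        # blob = type, 32-byte public key, application
        _pk, off = ssh_string(blob, off)
        app, off = ssh_string(blob, off)
        info["application"] = app.decode()
    else:
        return info  # classic key: nothing FIDO-specific to report
    if off != len(blob):
        raise ValueError("trailing bytes after application string")
    return info


def openssh_supports_sk(version_banner):
    """True if an 'ssh -V' or sshd banner reports OpenSSH 8.2 or later."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", version_banner)
    if not m:
        raise ValueError("not an OpenSSH version string")
    return (int(m.group(1)), int(m.group(2))) >= (8, 2)


def _ssh_str(b):
    return struct.pack(">I", len(b)) + b


def make_sample_key(key_type, application=b"ssh:", comment="My Solo Key"):
    """CONSTRUCTED sample key line; point / public-key bytes are placeholders."""
    if key_type == "sk-ecdsa-sha2-nistp256@openssh.com":
        body = _ssh_str(b"nistp256") + _ssh_str(b"\x04" + bytes(range(64)))
    else:
        body = _ssh_str(bytes(32))
    blob = _ssh_str(key_type.encode()) + body
    if key_type in SK_KEY_TYPES:
        blob += _ssh_str(application)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


if __name__ == "__main__":
    # Usage: python inspect_sk_key.py ~/.ssh/authorized_keys  (no argument: samples)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    lines = (open(path).read().splitlines() if path
             else [make_sample_key(t) for t in sorted(SK_KEY_TYPES)])
    for ln in lines:
        if ln.strip() and not ln.startswith("#"):
            print(parse_pubkey_line(ln))
```

Run it against ~/.ssh/authorized_keys on the server: an entry whose "security_key" is False is an ordinary key, and the "application" value is the relying-party identifier the client hands to the token at every login, which is why a key enrolled with the default "ssh:" cannot be replayed against a different application string.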

Run the demo

Run the sshd daemon in the foreground (-D) with debug mode enabled (-d) and
bound to an alternative port (-p 2222). It runs as your own unprivileged user,
so the setgroups() warning in the output is expected, and only logins as that
same user will succeed.

  $ /home/user/openssh/sbin/sshd -d -D -p 2222
  debug1: sshd version OpenSSH_8.2, OpenSSL 1.1.1 11 Sep 2018
  debug1: private host key #0: ssh-rsa SHA256:/Suom4amAqBzq7sN0qbDgsum6/owzbfyvavlt1Y116s
  debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:7bYdBHpS3hz+GT5VXakyE++zaKiTzVnbywKkA6SXpCE
  debug1: private host key #2: ssh-ed25519 SHA256:EtA3mECbpO4aRTFr0Af08MVGw7cu9AG8Q6pWDuBN670
  debug1: setgroups() failed: Operation not permitted
  debug1: rexec_argv[0]='/home/user/openssh/sbin/sshd'
  debug1: rexec_argv[1]='-dD'
  debug1: rexec_argv[2]='-p'
  debug1: rexec_argv[3]='2222'
  debug1: Set /proc/self/oom_score_adj from 0 to -1000
  debug1: Bind to port 2222 on 0.0.0.0.
  Server listening on 0.0.0.0 port 2222.
  debug1: Bind to port 2222 on ::.
  Server listening on :: port 2222.

Alternatively, you can build and run a Docker image that implements an
OpenSSH server. The image authorizes the key for root
(rootfs/root/.ssh/authorized_keys), so log in to it with -l root rather than
-l user.

  $ cd server
  $ cat ~/.ssh/id_ecdsa_sk.pub >> rootfs/root/.ssh/authorized_keys
  $ sudo docker build --tag myssh .
  $ sudo docker run -t --rm --name myssh -p 2222:2222 myssh
  debug1: sshd version OpenSSH_8.2, OpenSSL 1.1.1d 10 Sep 2019
  debug1: private host key #0: ssh-rsa SHA256:z/oEq7K935t9dJ2uDMAELeXFloO0ubYp2zA+oLbLLac
  debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:1X/seu5/F4YYXlwz4d/arqBisR0iE9jXFKzeypzgqgM
  debug1: private host key #2: ssh-ed25519 SHA256:FT9DIarCeG5p9+1FYSsxXLwmI3wN3jOK+ImjU8oT9PE
  debug1: rexec_argv[0]='/usr/sbin/sshd'
  debug1: rexec_argv[1]='-Dd'
  debug1: Set /proc/self/oom_score_adj from 0 to -1000
  debug1: Bind to port 2222 on 0.0.0.0.
  Server listening on 0.0.0.0 port 2222.
  debug1: Bind to port 2222 on ::.
  Server listening on :: port 2222.

Open another terminal and try to log in. The client asks for a touch on the
Solo key at every authentication, since the signature is produced by the
token and requires user presence.

  $ ./openssh/bin/ssh -l user -p 2222 -i .ssh/id_ecdsa_sk localhost
  Confirm user presence for key ECDSA-SK SHA256:diHAp8OzNzFDfTr+kLu4RTpSlYggDx7SjF1FdJsJWFY
  (...press your Solo key...)
  Last login: Mon Mar 2 17:30:37 2020 from ::1
  Environment:
  USER=user
  LOGNAME=user
  HOME=/home/user
  PATH=/usr/bin:/bin:/usr/sbin:/sbin:/home/user/openssh/bin
  MAIL=/var/mail/user
  SHELL=/bin/bash
  TERM=xterm-256color
  SSH_CLIENT=::1 47732 2222
  SSH_CONNECTION=::1 47732 ::1 2222
  SSH_TTY=/dev/pts/3

Enjoy SoloKeys, OpenSSH and FIDO2/U2F!