OpenSSH and U2F
mike tancsa
mike at sentex.net
Wed Jan 6 17:37:32 UTC 2021
On 1/6/2021 10:52 AM, Christian Weisgerber wrote:
> On 2021-01-05, mike tancsa <mike at sentex.net> wrote:
>
>> ssh-keygen -t ecdsa-sk
> unknown key type ecdsa-sk
OpenSSH has to be installed from the ports with libfido2.
Actually, I got farther. I had to adjust the perms on the ugen device. I
guess maybe fiddle with devd to automatically do that when it sees the key.
0(cage)% fido2-token -L
0000:0006:00: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)
0000:0006:01: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)
0(cage)%
/usr/local/bin/ssh-keygen -t ecdsa-sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator:
You may need to touch your authenticator (again) to authorize key generation.
Enter file in which to save the key (/home/mdtancsa/.ssh/id_ecdsa_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/mdtancsa/.ssh/id_ecdsa_sk
Your public key has been saved in /home/mdtancsa/.ssh/id_ecdsa_sk.pub
The key fingerprint is:
SHA256:R45iWhPeODjcgftv/Jn1L4bPdDtto67o7ili7aRVTkM mdtancsa@cage.simianscience.com
The key's randomart image is:
+-[ECDSA-SK 256]--+
| |
| . |
| . o E. |
| . = =.+ |
| = X S+o |
| * ++.. |
| . o+ . ... o|
| o++o o+.+o++|
| ..oo*B+.o===+|
+----[SHA256]-----+
I think I remember coming across some new keygen options on some blog
post somewhere. Anyways, at least a bit of progress so far!
0(cage)% cat .ssh/id_ec
id_ecdsa_sk id_ecdsa_sk.pub
0(cage)% cat .ssh/id_ecdsa_sk
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
I now copy that pub key to a test account and ssh to port 24, which has
sshd from the ports running.
0(cage)% cat .ssh/id_ecdsa_sk.pub
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBOV4RfuPIKlTBTIgWS4S/k+mlVtXN2fx8LPvgAgHdSt9/DzV+lapwyRqSEclsNPfjE/hqowWyPW4Fpnlwxldh8AAAAAEc3NoOg== mdtancsa@cage.simianscience.com
0(cage)% /usr/local/bin/ssh -i .ssh/id_ec
id_ecdsa_sk id_ecdsa_sk.pub
0(cage)% /usr/local/bin/ssh -i .ssh/id_ecdsa_sk -p24 test33@localhost
Confirm user presence for key ECDSA-SK SHA256:R45iWhPeODjcgftv/Jn1L4bPdDtto67o7ili7aRVTkM
Last login: Tue Jan 5 16:24:45 2021 from 127.0.0.1
FreeBSD 12.2-STABLE (cage) #1 r368688: Wed Dec 16 01:55:15 EST 2020
Welcome to FreeBSD!
Although the private key is in my account, it's not 'all of it' from what
I understand. If I pull the Yubico key, it immediately fails as expected
and goes to passwd auth without delay!
0(cage)% /usr/local/bin/ssh -i .ssh/id_ecdsa_sk -p24 test33@localhost
Confirm user presence for key ECDSA-SK SHA256:R45iWhPeODjcgftv/Jn1L4bPdDtto67o7ili7aRVTkM
sign_and_send_pubkey: signing failed for ECDSA-SK ".ssh/id_ecdsa_sk": invalid format
test33 at localhost's password:
Connect it back to my FreeBSD client (and do a chmod a+rwx
/dev/usb/0.6* as I don't have devd fixed):
0(cage)% /usr/local/bin/ssh -i .ssh/id_ecdsa_sk -p24 test33@localhost
Confirm user presence for key ECDSA-SK SHA256:R45iWhPeODjcgftv/Jn1L4bPdDtto67o7ili7aRVTkM
Last login: Wed Jan 6 12:19:20 2021 from 127.0.0.1
FreeBSD 12.2-STABLE (cage) #1 r368688: Wed Dec 16 01:55:15 EST 2020
Welcome to FreeBSD!
...
ugen0.6: <Yubico YubiKey OTP+FIDO+CCID> at usbus0, cfg=0 md=HOST spd=FULL (12Mbps) pwr=ON (30mA)
bLength = 0x0012
bDescriptorType = 0x0001
bcdUSB = 0x0200
bDeviceClass = 0x0000 <Probed by interface class>
bDeviceSubClass = 0x0000
bDeviceProtocol = 0x0000
bMaxPacketSize0 = 0x0040
idVendor = 0x1050
idProduct = 0x0407
bcdDevice = 0x0523
iManufacturer = 0x0001 <Yubico>
iProduct = 0x0002 <YubiKey OTP+FIDO+CCID>
iSerialNumber = 0x0000 <no string>
bNumConfigurations = 0x0001
It also works with the cheaper "neo" keys:
0(cage)% /usr/local/bin/ssh-keygen -t ecdsa-sk -f neo
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in neo
Your public key has been saved in neo.pub
The key fingerprint is:
SHA256:UarpNVag3uWIRU9/bu9loGBEsrk+Rov4pbsdECgM1sY mdtancsa@cage.simianscience.com
The key's randomart image is:
+-[ECDSA-SK 256]--+
|..o + + |
|.o E . o @ . |
| + . o * = . . |
| . . B O o |
| * S + + |
| o B + . o o |
| . o B . +|
| . = o o.|
| =o. .|
+----[SHA256]-----+
0(cage)%
0(cage)% /usr/local/bin/ssh -i neo -p24 test33@localhost
Confirm user presence for key ECDSA-SK SHA256:UarpNVag3uWIRU9/bu9loGBEsrk+Rov4pbsdECgM1sY
Last login: Wed Jan 6 12:24:50 2021 from 127.0.0.1
FreeBSD 12.2-STABLE (cage) #1 r368688: Wed Dec 16 01:55:15 EST 2020
Welcome to FreeBSD!
0(cage)% cat neo.pub
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBPwvm6lO3gBiZUxrDlq6VrJHdUIX9pcrfCHhf3w8BFsgguvS4C9IyRLdp4Adz1F64pRJzi51v4bikQnCyLRIm4QAAAAEc3NoOg== mdtancsa@cage.simianscience.com
0(cage)% cat neo
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAfwAAACJzay1lY2
RzYS1zaGEyLW5pc3RwMjU2QG9wZW5zc2guY29tAAAACG5pc3RwMjU2AAAAQQT8L5upTt4A
YmVMaw5aulayR3VCF/aXK3wh4X98PARbIILr0uAvSMkS3aeAHc9ReuKUSc4udb+G4pEJws
i0SJuEAAAABHNzaDoAAAD4c0kVRXNJFUUAAAAic2stZWNkc2Etc2hhMi1uaXN0cDI1NkBv
cGVuc3NoLmNvbQAAAAhuaXN0cDI1NgAAAEEE/C+bqU7eAGJlTGsOWrpWskd1Qhf2lyt8Ie
F/fDwEWyCC69LgL0jJEt2ngB3PUXrilEnOLnW/huKRCcLItEibhAAAAARzc2g6AQAAAECD
KSUmt55JuyXcAg7x9vaagpth6tLR1QzGHFWqPlFDjzHVSckx25UfsDTwpss/otsyqCRq0P
UN4OXOcretpe1ZAAAAAAAAAB9tZHRhbmNzYUBjYWdlLnNpbWlhbnNjaWVuY2UuY29tAQID
BAU=
-----END OPENSSH PRIVATE KEY-----
0(cage)%
0(cage)% fido2-token -L
0000:0006:00: vendor=0x1050, product=0x0116 (Yubico Yubikey NEO OTP+U2F+CCID)
0000:0006:01: vendor=0x1050, product=0x0116 (Yubico Yubikey NEO OTP+U2F+CCID)
0(cage)%
>> On FreeBSD, I need to enter a PIN via the security/yubikey-agent.
> And what have you done to get that far?
yubikey-agent -setup
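The devd rule the poster says he still needs (so the ugen node gets usable permissions automatically when the key is plugged in, instead of a manual chmod a+rwx on /dev/usb/0.6*, which leaves the token open to every local user) could look like the following. This is an added example, not part of the original message or of any port. It assumes a group named u2f exists and the user is a member, that the file is installed as /usr/local/etc/devd/u2f.conf and devd restarted, and that $cdev expands to the ugen device name (ugen0.6 here) for USB DEVICE ATTACH events. The vendor and product IDs are the ones fido2-token -L printed above (0x1050 with 0x0407 for the OTP+FIDO+CCID key and 0x0116 for the NEO); devd match values are regular expressions, so both products fit in one rule.

```conf
# Added example (not from the original message): a devd(8) rule that
# hands the YubiKey's ugen node to a "u2f" group on attach, instead of
# chmod a+rwx on /dev/usb/0.6*.  Assumptions: a group "u2f" exists and
# the user is in it; this file lives at /usr/local/etc/devd/u2f.conf and
# devd has been restarted (service devd restart); $cdev expands to the
# ugen device name (e.g. ugen0.6) for USB DEVICE ATTACH events.
notify 100 {
	match "system"    "USB";
	match "subsystem" "DEVICE";
	match "type"      "ATTACH";
	match "vendor"    "0x1050";
	# product IDs as shown by fido2-token -L in the message above:
	# 0x0407 = YubiKey OTP+FIDO+CCID, 0x0116 = YubiKey NEO OTP+U2F+CCID
	match "product"   "(0x0407|0x0116)";
	action "chgrp u2f /dev/$cdev; chmod g+rw /dev/$cdev";
};
```

/dev/ugen0.6 is a symlink to /dev/usb/0.6.0, and chgrp/chmod follow it; if the libfido2 build in use also needs the other /dev/usb/0.6.* interface nodes (the poster's manual fix touched all of them with /dev/usb/0.6*), widen the action to those nodes rather than falling back to world-writable permissions. Unplugging and re-inserting the key, then checking ls -l /dev/usb/0.6* and fido2-token -L as an unprivileged user, confirms the rule fired.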