OpenSSH and U2F

mike tancsa mike at sentex.net
Wed Jan 6 17:37:32 UTC 2021


On 1/6/2021 10:52 AM, Christian Weisgerber wrote:
> On 2021-01-05, mike tancsa <mike at sentex.net> wrote:
>
>> ssh-keygen -t ecdsa-sk
> unknown key type ecdsa-sk

OpenSSH has to be installed from the ports with libfido2

Actually, I got farther. I had to adjust the perms on the ugen device. I
guess maybe fiddle with devd to automatically do that when it sees the key.

0(cage)% fido2-token -L
0000:0006:00: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)
0000:0006:01: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)
0(cage)%

/usr/local/bin/ssh-keygen -t ecdsa-sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator:
You may need to touch your authenticator (again) to authorize key generation.
Enter file in which to save the key (/home/mdtancsa/.ssh/id_ecdsa_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/mdtancsa/.ssh/id_ecdsa_sk
Your public key has been saved in /home/mdtancsa/.ssh/id_ecdsa_sk.pub
The key fingerprint is:
SHA256:R45iWhPeODjcgftv/Jn1L4bPdDtto67o7ili7aRVTkM mdtancsa at cage.simianscience.com
The key's randomart image is:
+-[ECDSA-SK 256]--+
|                 |
|     .           |
|    . o  E.      |
|   . = =.+       |
|    = X S+o      |
|     * ++..      |
|    . o+ .  ... o|
|     o++o o+.+o++|
|    ..oo*B+.o===+|
+----[SHA256]-----+

I think I remember coming across some new keygen options on some blog
post somewhere.  Anyways, at least a bit of progress so far!


0(cage)% /usr/local/bin/ssh -i .ssh/id_ecdsa_sk -p24 test33 at localhost
Confirm user presence for key ECDSA-SK SHA256:R45iWhPeODjcgftv/Jn1L4bPdDtto67o7ili7aRVTkM
Last login: Tue Jan  5 16:24:45 2021 from 127.0.0.1
FreeBSD 12.2-STABLE (cage) #1 r368688: Wed Dec 16 01:55:15 EST 2020

Welcome to FreeBSD!


1(cage)% /usr/local/bin/ssh-keygen -t ecdsa-sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator:
You may need to touch your authenticator (again) to authorize key generation.
Enter file in which to save the key (/home/mdtancsa/.ssh/id_ecdsa_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/mdtancsa/.ssh/id_ecdsa_sk
Your public key has been saved in /home/mdtancsa/.ssh/id_ecdsa_sk.pub
The key fingerprint is:
SHA256:R45iWhPeODjcgftv/Jn1L4bPdDtto67o7ili7aRVTkM mdtancsa at cage.simianscience.com
The key's randomart image is:
+-[ECDSA-SK 256]--+
|                 |
|     .           |
|    . o  E.      |
|   . = =.+       |
|    = X S+o      |
|     * ++..      |
|    . o+ .  ... o|
|     o++o o+.+o++|
|    ..oo*B+.o===+|
+----[SHA256]-----+
0(cage)% cat .ssh/id_ec
id_ecdsa_sk      id_ecdsa_sk.pub 
0(cage)% cat .ssh/id_ecdsa_sk
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----


I now copy that pub key to a test account and ssh to port 24 which has
sshd from the ports running


0(cage)% cat .ssh/id_ecdsa_sk.pub
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBOV4RfuPIKlTBTIgWS4S/k+mlVtXN2fx8LPvgAgHdSt9/DzV+lapwyRqSEclsNPfjE/hqowWyPW4Fpnlwxldh8AAAAAEc3NoOg== mdtancsa at cage.simianscience.com
0(cage)% /usr/local/bin/ssh -i .ssh/id_ec
id_ecdsa_sk      id_ecdsa_sk.pub 
0(cage)% /usr/local/bin/ssh -i .ssh/id_ecdsa_sk -p24 test33 at localhost
Confirm user presence for key ECDSA-SK SHA256:R45iWhPeODjcgftv/Jn1L4bPdDtto67o7ili7aRVTkM
Last login: Tue Jan  5 16:24:45 2021 from 127.0.0.1
FreeBSD 12.2-STABLE (cage) #1 r368688: Wed Dec 16 01:55:15 EST 2020

Welcome to FreeBSD!

Although the private key is in my account, it's not 'all of it' from what
I understand.  If I pull the Yubico key it immediately fails as expected
and goes to passwd auth without delay!

0(cage)% /usr/local/bin/ssh -i .ssh/id_ecdsa_sk -p24 test33 at localhost
Confirm user presence for key ECDSA-SK SHA256:R45iWhPeODjcgftv/Jn1L4bPdDtto67o7ili7aRVTkM
sign_and_send_pubkey: signing failed for ECDSA-SK ".ssh/id_ecdsa_sk": invalid format
test33 at localhost's password:

Connect it back to my FreeBSD client (and do a chmod a+rwx
/dev/usb/0.6* as I don't have devd fixed)

0(cage)% /usr/local/bin/ssh -i .ssh/id_ecdsa_sk -p24 test33 at localhost
Confirm user presence for key ECDSA-SK SHA256:R45iWhPeODjcgftv/Jn1L4bPdDtto67o7ili7aRVTkM
Last login: Wed Jan  6 12:19:20 2021 from 127.0.0.1
FreeBSD 12.2-STABLE (cage) #1 r368688: Wed Dec 16 01:55:15 EST 2020

Welcome to FreeBSD!


...


ugen0.6: <Yubico YubiKey OTP+FIDO+CCID> at usbus0, cfg=0 md=HOST spd=FULL (12Mbps) pwr=ON (30mA)

  bLength = 0x0012
  bDescriptorType = 0x0001
  bcdUSB = 0x0200
  bDeviceClass = 0x0000  <Probed by interface class>
  bDeviceSubClass = 0x0000
  bDeviceProtocol = 0x0000
  bMaxPacketSize0 = 0x0040
  idVendor = 0x1050
  idProduct = 0x0407
  bcdDevice = 0x0523
  iManufacturer = 0x0001  <Yubico>
  iProduct = 0x0002  <YubiKey OTP+FIDO+CCID>
  iSerialNumber = 0x0000  <no string>
  bNumConfigurations = 0x0001


It also works with the cheaper "neo" keys

 /usr/local/bin/ssh-keygen -t ecdsa-sk -f neo

0(cage)% /usr/local/bin/ssh-keygen -t ecdsa-sk -f neo
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in neo
Your public key has been saved in neo.pub
The key fingerprint is:
SHA256:UarpNVag3uWIRU9/bu9loGBEsrk+Rov4pbsdECgM1sY mdtancsa at cage.simianscience.com
The key's randomart image is:
+-[ECDSA-SK 256]--+
|..o     + +      |
|.o E . o @ .     |
|  + . o * = . .  |
|   . . B O   o   |
|      * S +   +  |
|     o B + . o o |
|    . o B   .   +|
|     . = o     o.|
|      =o.       .|
+----[SHA256]-----+
0(cage)%

0(cage)% /usr/local/bin/ssh -i neo  -p24 test33 at localhost
Confirm user presence for key ECDSA-SK SHA256:UarpNVag3uWIRU9/bu9loGBEsrk+Rov4pbsdECgM1sY
Last login: Wed Jan  6 12:24:50 2021 from 127.0.0.1
FreeBSD 12.2-STABLE (cage) #1 r368688: Wed Dec 16 01:55:15 EST 2020

Welcome to FreeBSD!

0(cage)% cat neo.pub
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBPwvm6lO3gBiZUxrDlq6VrJHdUIX9pcrfCHhf3w8BFsgguvS4C9IyRLdp4Adz1F64pRJzi51v4bikQnCyLRIm4QAAAAEc3NoOg== mdtancsa at cage.simianscience.com
0(cage)% cat neo
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
0(cage)%

0(cage)% fido2-token -L
0000:0006:00: vendor=0x1050, product=0x0116 (Yubico Yubikey NEO OTP+U2F+CCID)
0000:0006:01: vendor=0x1050, product=0x0116 (Yubico Yubikey NEO OTP+U2F+CCID)
0(cage)%



>> On FreeBSD, I need to enter a PIN via the security/yubikey-agent.
> And what have you done to get that far?

yubikey-agent -setup

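As an added illustration (not code from the post or from OpenSSH), this Python parser decodes the two sk-ecdsa-sha2-nistp256@openssh.com public keys printed above: the blob is four SSH strings, the key type, the curve name, the uncompressed P-256 point, and the FIDO application "ssh:" that OpenSSH registers the credential under. The P-256 constants, the curve check and the rejoined key lines (with "@" where the archive printed " at ") are my assumptions; the .pub file carries only the public point, while the credential handle the token needs lives in the private key file, which is why pulling the YubiKey makes signing fail.

```python
import base64

# The two public keys shown in the post ("cat .ssh/id_ecdsa_sk.pub" and "cat neo.pub"),
# re-joined onto one line each, with the "@" that the list archive rewrote as " at ".
YUBIKEY5_PUB = (
    "sk-ecdsa-sha2-nistp256@openssh.com "
    "AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBOV4RfuPIKlTBTIgWS4S/k+mlVtXN2fx8LPvgAgHdSt9/DzV+lapwyRqSEclsNPfjE/hqowWyPW4Fpnlwxldh8AAAAAEc3NoOg== "
    "mdtancsa@cage.simianscience.com")
NEO_PUB = (
    "sk-ecdsa-sha2-nistp256@openssh.com "
    "AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBPwvm6lO3gBiZUxrDlq6VrJHdUIX9pcrfCHhf3w8BFsgguvS4C9IyRLdp4Adz1F64pRJzi51v4bikQnCyLRIm4QAAAAEc3NoOg== "
    "mdtancsa@cage.simianscience.com")

# NIST P-256 field prime and curve coefficient b (a = -3); used only to sanity-check the point.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b


def read_string(buf, off):
    """Decode one SSH 'string': uint32 big-endian length followed by that many bytes."""
    n = int.from_bytes(buf[off:off + 4], "big")
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_sk_ecdsa_pub(line):
    """Split an authorized_keys style line and decode its sk-ecdsa blob (PROTOCOL.u2f layout)."""
    keytype, blob_b64, _comment = line.split(None, 2)
    blob = base64.b64decode(blob_b64)
    inner_type, off = read_string(blob, 0)     # "sk-ecdsa-sha2-nistp256@openssh.com"
    curve, off = read_string(blob, off)        # "nistp256"
    point, off = read_string(blob, off)        # Q = 0x04 || X || Y, 65 bytes
    application, off = read_string(blob, off)  # FIDO application / relying party, "ssh:"
    if off != len(blob) or inner_type.decode() != keytype:
        raise ValueError("malformed sk-ecdsa public key")
    if len(point) != 65 or point[0] != 0x04:
        raise ValueError("expected an uncompressed P-256 point")
    x = int.from_bytes(point[1:33], "big")
    y = int.from_bytes(point[33:65], "big")
    return {
        "type": keytype,
        "curve": curve.decode(),
        "application": application.decode(),
        "x": x,
        # y^2 == x^3 - 3x + b (mod p): the public half is an ordinary P-256 point.
        "on_curve": (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0,
    }


if __name__ == "__main__":
    for name, line in (("YubiKey 5", YUBIKEY5_PUB), ("YubiKey NEO", NEO_PUB)):
        info = parse_sk_ecdsa_pub(line)
        print(name, info["curve"], info["application"], "on_curve=%s" % info["on_curve"])
```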