src - FreeBSD source tree

diff options

author	Ed Maste <emaste@FreeBSD.org>	2021-10-07 03:31:17 +0000
committer	Ed Maste <emaste@FreeBSD.org>	2021-11-04 17:01:44 +0000
commit	e9a994639b2af232f994ba2ad23ca45a17718d2b (patch)
tree	65b5b0e637f0c9edc230382afea43e73b3976dfb /crypto
parent	305ef653bcf349c7dea83c90add6f2d97910e545 (diff)
download	src-e9a994639b2af232f994ba2ad23ca45a17718d2b.tar.gz src-e9a994639b2af232f994ba2ad23ca45a17718d2b.zip

ssh: enable FIDO/U2F keys

Description of FIDO/U2F support (from OpenSSH 8.2 release notes, https://www.openssh.com/txt/release-8.2): This release adds support for FIDO/U2F hardware authenticators to OpenSSH. U2F/FIDO are open standards for inexpensive two-factor authentication hardware that are widely used for website authentication. In OpenSSH FIDO devices are supported by new public key types "ecdsa-sk" and "ed25519-sk", along with corresponding certificate types. ssh-keygen(1) may be used to generate a FIDO token-backed key, after which they may be used much like any other key type supported by OpenSSH, so long as the hardware token is attached when the keys are used. FIDO tokens also generally require the user explicitly authorise operations by touching or tapping them. Generating a FIDO key requires the token be attached, and will usually require the user tap the token to confirm the operation: $ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk Generating public/private ecdsa-sk key pair. You may need to touch your security key to authorize key generation. Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk Your public key has been saved in /home/djm/.ssh/id_ecdsa_sk.pub This will yield a public and private key-pair. The private key file should be useless to an attacker who does not have access to the physical token. After generation, this key may be used like any other supported key in OpenSSH and may be listed in authorized_keys, added to ssh-agent(1), etc. The only additional stipulation is that the FIDO token that the key belongs to must be attached when the key is used. To enable FIDO/U2F support, this change regenerates ssh_namespace.h, adds ssh-sk-helper, and sets ENABLE_SK_INTERNAL (unless building WITHOUT_USB). devd integration is not included in this change, and is under investigation for the base system. In the interim the security/u2f-devd port can be installed to provide appropriate devd rules. Reviewed by: delphij, kevans Relnotes: Yes Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D32509

Diffstat (limited to 'crypto')

-rw-r--r--

crypto/openssh/ssh_namespace.h

1 files changed, 12 insertions, 0 deletions


context:
space:
mode: