OpenSSH login with your FIDO2 usb security key!
Voltago
Advocate


Joined: 02 Sep 2003
Posts: 2591
Location: userland

Posted: Mon Feb 17, 2020 3:15 pm    Post subject: OpenSSH login with your FIDO2 usb security key!

Hi all,

I'd like to signal-boost the fact that openssh-8.2 is now in portage with FIDO2 usb security key support (release notes): You can create a public/private key pair that you can use to login remotely only if you have your security token handy.

[EDIT] Incorporated NeddySeagoon's suggestions, also differentiate between local and remote prerequisites.
[EDIT2] All that udev stuff that was here previously is taken care of now by libfido2-1.3.0-r1. Yay!

Local prerequisites:
Make sure your kernel supports
Code:
CONFIG_USB_HID=y
CONFIG_HIDRAW=y


Local *and* remote prerequisites:
In /etc/portage/package.accept_keywords/
Code:
dev-libs/libcbor
dev-libs/libfido2
net-misc/openssh

or, if you're, like me, a bit more conservative about ~arch usage:
Code:
=dev-libs/libcbor-0.5*
=dev-libs/libfido2-1.3*
=net-misc/openssh-8.2*

Then install with
Code:
USE="-X509 security-key" emerge =openssh-8.2_p1-r1


Key generation:
Plug in your security key, execute
Code:
ssh-keygen -t ed25519-sk -a 100 -C <your email> -f <output file>

and follow the instructions. Install the resulting key pair like any other, and don't lose that security token.

Caveats:
- As of now, the security-key feature is incompatible with the X509.v3 patch (hence USE=-X509).

- According to the openssh-8.2p1 release notes, there's a no-touch-required option to make it so you don't have to boop your key every time you want to log in. However, I haven't been able to set it up, or even find it properly described in the according man pages, so I'm not sure if it's all there at this point, or perhaps has been stripped out by some patch or other.

- Apparently not all security keys support the ed25519-sk algorithm, however ecdsa-sk should always work for FIDO2 compliant devices.


Last edited by Voltago on Wed Feb 19, 2020 12:42 am; edited 10 times in total
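The post above lists the prerequisites and the key-generation command as separate steps. The following POSIX sh script, an added example that is not part of Voltago's post, turns them into pre-flight checks you can run before plugging in the token: it verifies the kernel options from the post are enabled in a config file, verifies the `ssh -V` banner names OpenSSH 8.2 or newer, builds the `ssh-keygen` invocation while refusing non-security-key types (ecdsa-sk being the fallback from the third caveat), and recognises the resulting security-key public key types (`sk-ssh-ed25519@openssh.com`, `sk-ecdsa-sha2-nistp256@openssh.com`) so you can audit an authorized_keys file for token-backed keys only. Assumptions: the kernel config is readable as a plain-text file (such as `/usr/src/linux/.config` or a decompressed `/proc/config.gz`); the sample config fragments and banners are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the forum post's code): pre-flight checks for the
# OpenSSH 8.2 FIDO2 security-key setup. Assumes the kernel config is a
# plain-text file and that `ssh -V` prints "OpenSSH_<major>.<minor>...".

# Return 0 when every kernel option the post asks for is enabled in the
# given config file; otherwise list what is missing on stderr and return 1.
# CONFIG_USB_HID may also be =m (it works once the module is loaded).
check_kernel_config() {
    cfg="$1"
    missing=0
    for opt in CONFIG_USB_HID CONFIG_HIDRAW; do
        if ! grep -q "^${opt}=[ym]\$" "$cfg"; then
            echo "kernel: ${opt} is not enabled" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Return 0 when an `ssh -V` banner names OpenSSH >= 8.2, the first release
# with the *-sk key types; return 1 for older versions or unparseable input.
ssh_supports_sk() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    set -- $ver          # $1 = major, $2 = minor (positional params are function-local)
    [ "$1" -gt 8 ] || { [ "$1" -eq 8 ] && [ "$2" -ge 2 ]; }
}

# Build the ssh-keygen command from the post. Only the two FIDO2 key types
# are accepted; ecdsa-sk is the fallback for tokens without ed25519-sk.
sk_keygen_cmd() {
    ktype="$1"; comment="$2"; out="$3"
    case "$ktype" in
        ed25519-sk|ecdsa-sk) ;;
        *) echo "not a security-key type: $ktype" >&2; return 1 ;;
    esac
    printf 'ssh-keygen -t %s -a 100 -C %s -f %s\n' "$ktype" "$comment" "$out"
}

# Return 0 when a .pub / authorized_keys line is a security-key type, i.e.
# the key is only usable with the token present. Handy for checking that an
# account accepts nothing but token-backed keys.
pubkey_is_sk() {
    case "$1" in
        "sk-ssh-ed25519@openssh.com "*|"sk-ecdsa-sha2-nistp256@openssh.com "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the checks against the live system (not called automatically).
preflight() {
    check_kernel_config "${1:-/usr/src/linux/.config}" &&
    ssh_supports_sk "$(ssh -V 2>&1)"
}

# Constructed sample inputs so the functions can be exercised offline.
GOOD_CFG=$(mktemp)
printf 'CONFIG_USB_HID=y\nCONFIG_HIDRAW=y\nCONFIG_INPUT=y\n' > "$GOOD_CFG"
BAD_CFG=$(mktemp)
printf 'CONFIG_USB_HID=y\n# CONFIG_HIDRAW is not set\n' > "$BAD_CFG"
```

Run `preflight /path/to/.config` on the client before generating the key; if both checks pass, `sk_keygen_cmd ed25519-sk you@example.org ~/.ssh/id_ed25519_sk` prints the exact command from the post to run next. `pubkey_is_sk` is meant for the remote side: loop it over `~/.ssh/authorized_keys` to confirm every accepted key is a security-key type.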
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 45429
Location: 56N 3W

Posted: Mon Feb 17, 2020 3:43 pm

Voltago,

Just a nit or two.

Code:
/etc/portage/package.keywords/
is deprecated. It still works but portage will shout at you.
Use
Code:
/etc/portage/package.accept_keywords/
and migrate the old file/directory, if you have it.

Do you really want to keyword versions?
= mostly means you won't get updates. Then portage will shout at you if your versions are removed from the repo.
It's not wrong. Maybe that's what you had in mind so you can drop back to stable when stable comes along.

Code:
dev-libs/libcbor
dev-libs/libfido2
net-misc/openssh
gets you ~ARCH versions for whatever your ARCH is.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Voltago
Advocate


Joined: 02 Sep 2003
Posts: 2591
Location: userland

Posted: Mon Feb 17, 2020 3:53 pm

Neddy,

thanks for the heads-up, wasn't aware of the deprecation (portage isn't shouting at me yet over this, or perhaps isn't shouting loud enough). As for keywording versions, that's what I usually do, as you've pointed out with the expectation that at some point those packages get stabilized and I'll just delete the keywords file. I prefer the occasional portage-shouting-at-me when a version jump comes before stabilization to using ~arch versions indefinitely.
NeddySeagoon
Administrator


Joined: 05 Jul 2003
Posts: 45429
Location: 56N 3W

Posted: Mon Feb 17, 2020 4:37 pm

Voltago,

I'm all testing here, I get to see what's coming.

Code:
$ emerge -p @system
/usr/lib64/python3.6/site-packages/portage/package/ebuild/_config/KeywordsManager.py:70: UserWarning: /etc/portage/package.keywords is deprecated, use /etc/portage/package.accept_keywords instead
  UserWarning)


That's from sys-apps/portage-2.3.89.
I haven't fixed my systems yet :)
mike155
Advocate


Joined: 17 Sep 2010
Posts: 2126
Location: Frankfurt, Germany

Posted: Mon Feb 17, 2020 4:42 pm

You may want to read the comments after the LWN article: https://lwn.net/Articles/812537/.
Voltago
Advocate


Joined: 02 Sep 2003
Posts: 2591
Location: userland

Posted: Mon Feb 17, 2020 7:57 pm

mike155 wrote:
You may want to read the comments after the LWN article: https://lwn.net/Articles/812537/.

Any particular comment you'd like to draw attention to?
mike155
Advocate


Joined: 17 Sep 2010
Posts: 2126
Location: Frankfurt, Germany

Posted: Mon Feb 17, 2020 9:12 pm

Quote:
Any particular comment you'd like to draw attention to?

The fourth group of comments (started by 'luto') talks about 2FA with U2F/FIDO2 keys. One of the OpenSSL developers (djm) participates. He promises to add support for PIN-protected U2F keys for openssh-8.3, which would be nice.
Voltago
Advocate


Joined: 02 Sep 2003
Posts: 2591
Location: userland

Posted: Tue Feb 18, 2020 4:25 pm

mike155 wrote:
Quote:
Any particular comment you'd like to draw attention to?

The fourth group of comments (started by 'luto') talks about 2FA with U2F/FIDO2 keys. One of the OpenSSL developers (djm) participates. He promises to add support for PIN-protected U2F keys for openssh-8.3, which would be nice.

Does that refer to PIN entry on a pin-pad USB token, or to the PIN you can assign to your key? In the latter case, I'm not sure what the advantage over using a passphrase for your public/private key pair would be.