Date:      Wed, 6 Jan 2021 12:37:23 -0500
From:      mike tancsa <mike@sentex.net>
To:        Christian Weisgerber <naddy@mips.inka.de>, freebsd-questions@freebsd.org
Subject:   Re: OpenSSH and U2F
Message-ID:  <232c5e39-6bfc-2023-a598-da11e5a93759@sentex.net>
In-Reply-To: <slrnrvbn6l.255i.naddy@lorvorc.mips.inka.de>
References:  <50bc8798-1699-5db9-11df-a16ef8abd66f@sentex.net> <slrnrvbn6l.255i.naddy@lorvorc.mips.inka.de>

On 1/6/2021 10:52 AM, Christian Weisgerber wrote:
> On 2021-01-05, mike tancsa <mike@sentex.net> wrote:
>
>> ssh-keygen -t ecdsa-sk
> unknown key type ecdsa-sk

OpenSSH has to be installed from the ports with libfido2

Actually, I got farther. I had to adjust the perms on the ugen device. I
guess maybe fiddle with devd to automatically do that when it sees the key

0(cage)% fido2-token -L
0000:0006:00: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)
0000:0006:01: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)
0(cage)%

/usr/local/bin/ssh-keygen -t ecdsa-sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator:
You may need to touch your authenticator (again) to authorize key
generation.
Enter file in which to save the key (/home/mdtancsa/.ssh/id_ecdsa_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/mdtancsa/.ssh/id_ecdsa_sk
Your public key has been saved in /home/mdtancsa/.ssh/id_ecdsa_sk.pub
The key fingerprint is:
SHA256:R45iWhPeODjcgftv/Jn1L4bPdDtto67o7ili7aRVTkM
mdtancsa@cage.simianscience.com
The key's randomart image is:
+-[ECDSA-SK 256]--+
|                 |
|     .           |
|    . o  E.      |
|   . = =.+       |
|    = X S+o      |
|     * ++..      |
|    . o+ .  ... o|
|     o++o o+.+o++|
|    ..oo*B+.o===+|
+----[SHA256]-----+

I think I remember coming across some new keygen options on some blog
post somewhere. Anyways, at least a bit of progress so far!


0(cage)% cat .ssh/id_ec
id_ecdsa_sk      id_ecdsa_sk.pub
0(cage)% cat .ssh/id_ecdsa_sk
-----BEGIN OPENSSH PRIVATE KEY-----
-----END OPENSSH PRIVATE KEY-----


I now copy that pub key to a test account and ssh to port 24 which has
sshd from the ports running


0(cage)% cat .ssh/id_ecdsa_sk.pub
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBOV4RfuPIKlTBTIgWS4S/k+mlVtXN2fx8LPvgAgHdSt9/DzV+lapwyRqSEclsNPfjE/hqowWyPW4Fpnlwxldh8AAAAAEc3NoOg== mdtancsa@cage.simianscience.com
0(cage)% /usr/local/bin/ssh -i .ssh/id_ec
id_ecdsa_sk      id_ecdsa_sk.pub
0(cage)% /usr/local/bin/ssh -i .ssh/id_ecdsa_sk -p24 test33@localhost
Confirm user presence for key ECDSA-SK SHA256:R45iWhPeODjcgftv/Jn1L4bPdDtto67o7ili7aRVTkM
Last login: Tue Jan  5 16:24:45 2021 from 127.0.0.1
FreeBSD 12.2-STABLE (cage) #1 r368688: Wed Dec 16 01:55:15 EST 2020

Welcome to FreeBSD!

Although the private key is in my account, it's not 'all of it' from what
I understand. If I pull the Yubico key it immediately fails as expected
and goes to passwd auth without delay!

0(cage)% /usr/local/bin/ssh -i .ssh/id_ecdsa_sk -p24 test33@localhost
Confirm user presence for key ECDSA-SK SHA256:R45iWhPeODjcgftv/Jn1L4bPdDtto67o7ili7aRVTkM
sign_and_send_pubkey: signing failed for ECDSA-SK ".ssh/id_ecdsa_sk": invalid format
test33@localhost's password:

Connect it back to my FreeBSD client (and do a chmod a+rwx
/dev/usb/0.6* as I don't have devd fixed)

0(cage)% /usr/local/bin/ssh -i .ssh/id_ecdsa_sk -p24 test33@localhost
Confirm user presence for key ECDSA-SK SHA256:R45iWhPeODjcgftv/Jn1L4bPdDtto67o7ili7aRVTkM
Last login: Wed Jan  6 12:19:20 2021 from 127.0.0.1
FreeBSD 12.2-STABLE (cage) #1 r368688: Wed Dec 16 01:55:15 EST 2020

Welcome to FreeBSD!


...


ugen0.6: <Yubico YubiKey OTP+FIDO+CCID> at usbus0, cfg=0 md=HOST spd=FULL (12Mbps) pwr=ON (30mA)

  bLength = 0x0012
  bDescriptorType = 0x0001
  bcdUSB = 0x0200
  bDeviceClass = 0x0000  <Probed by interface class>
  bDeviceSubClass = 0x0000
  bDeviceProtocol = 0x0000
  bMaxPacketSize0 = 0x0040
  idVendor = 0x1050
  idProduct = 0x0407
  bcdDevice = 0x0523
  iManufacturer = 0x0001  <Yubico>
  iProduct = 0x0002  <YubiKey OTP+FIDO+CCID>
  iSerialNumber = 0x0000  <no string>
  bNumConfigurations = 0x0001


It also works with the cheaper "neo" keys.

/usr/local/bin/ssh-keygen -t ecdsa-sk -f neo

0(cage)% /usr/local/bin/ssh-keygen -t ecdsa-sk -f neo
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in neo
Your public key has been saved in neo.pub
The key fingerprint is:
SHA256:UarpNVag3uWIRU9/bu9loGBEsrk+Rov4pbsdECgM1sY
mdtancsa@cage.simianscience.com
The key's randomart image is:
+-[ECDSA-SK 256]--+
|..o     + +      |
|.o E . o @ .     |
|  + . o * = . .  |
|   . . B O   o   |
|      * S +   +  |
|     o B + . o o |
|    . o B   .   +|
|     . = o     o.|
|      =o.       .|
+----[SHA256]-----+
0(cage)%

0(cage)% /usr/local/bin/ssh -i neo -p24 test33@localhost
Confirm user presence for key ECDSA-SK SHA256:UarpNVag3uWIRU9/bu9loGBEsrk+Rov4pbsdECgM1sY
Last login: Wed Jan  6 12:24:50 2021 from 127.0.0.1
FreeBSD 12.2-STABLE (cage) #1 r368688: Wed Dec 16 01:55:15 EST 2020

Welcome to FreeBSD!

0(cage)% cat neo.pub
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBPwvm6lO3gBiZUxrDlq6VrJHdUIX9pcrfCHhf3w8BFsgguvS4C9IyRLdp4Adz1F64pRJzi51v4bikQnCyLRIm4QAAAAEc3NoOg== mdtancsa@cage.simianscience.com
0(cage)% cat neo
-----BEGIN OPENSSH PRIVATE KEY-----
-----END OPENSSH PRIVATE KEY-----
0(cage)%

0(cage)% fido2-token -L
0000:0006:00: vendor=0x1050, product=0x0116 (Yubico Yubikey NEO OTP+U2F+CCID)
0000:0006:01: vendor=0x1050, product=0x0116 (Yubico Yubikey NEO OTP+U2F+CCID)
0(cage)%



>> On FreeBSD, I need to enter a PIN via the security/yubikey-agent.
> And what have you done to get that far?

yubikey-agent -setup
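A devd(8) rule and helper script, added here as an example and not from the thread, that automates what the message does by hand with chmod a+rwx on /dev/usb/0.6*, but grants access to one group instead of everyone. The script path, devd config path and group name are assumptions; the vendor and product IDs are the ones fido2-token -L printed above.

```shell
#!/bin/sh
# Added example (not from the thread): devd(8) action for newly attached
# YubiKeys that gives one group, rather than everyone, access to the ugen
# nodes. Script path, config path and group name are assumptions; install
# as /usr/local/sbin/fido-perms and reference it from
# /usr/local/etc/devd/fido.conf (both hypothetical paths):
#
#   notify 100 {
#       match "system"    "USB";
#       match "subsystem" "DEVICE";
#       match "type"      "ATTACH";
#       match "vendor"    "0x1050";           # Yubico, per fido2-token -L above
#       match "product"   "(0x0407|0x0116)";  # the two models in the thread
#       action "/usr/local/sbin/fido-perms $cdev";
#   };
#
# then restart devd (service devd restart).

set -eu

# Assumption: the group whose members may use the token.
FIDO_GROUP="${FIDO_GROUP:-operator}"

# Map the devd $cdev name, e.g. "ugen0.6", to the /dev/usb/ node prefix
# "/dev/usb/0.6" whose per-interface nodes (0.6.0, 0.6.1, ...) the
# libusb-backed tools open; fails for anything that is not a ugen name.
ugen_to_usb_prefix() {
    case "$1" in
        ugen[0-9]*.[0-9]*) printf '/dev/usb/%s\n' "${1#ugen}" ;;
        *) return 1 ;;
    esac
}

# Set root:$FIDO_GROUP 0660 on every node of that device instead of the
# world-writable chmod a+rwx /dev/usb/0.6* used as a stopgap in the thread.
fix_perms() {
    prefix=$(ugen_to_usb_prefix "$1") || return 1
    for node in "$prefix".*; do
        [ -e "$node" ] || continue   # glob did not expand: device already gone
        chgrp "$FIDO_GROUP" "$node"
        chmod 0660 "$node"
    done
}

# devd passes the cdev name as the only argument; do nothing otherwise.
if [ -n "${1:-}" ]; then
    fix_perms "$1"
fi
```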


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?232c5e39-6bfc-2023-a598-da11e5a93759>