Date: Wed, 6 Jan 2021 12:37:23 -0500
From: mike tancsa <mike@sentex.net>
To: Christian Weisgerber <naddy@mips.inka.de>, freebsd-questions@freebsd.org
Subject: Re: OpenSSH and U2F
Message-ID: <232c5e39-6bfc-2023-a598-da11e5a93759@sentex.net>
In-Reply-To: <slrnrvbn6l.255i.naddy@lorvorc.mips.inka.de>
References: <50bc8798-1699-5db9-11df-a16ef8abd66f@sentex.net> <slrnrvbn6l.255i.naddy@lorvorc.mips.inka.de>
On 1/6/2021 10:52 AM, Christian Weisgerber wrote:
> On 2021-01-05, mike tancsa <mike@sentex.net> wrote:
>
>> ssh-keygen -t ecdsa-sk
>> unknown key type ecdsa-sk
>
> OpenSSH has to be installed from the ports with libfido2

Actually, I got farther. I had to adjust the perms on the ugen device. I guess maybe fiddle with devd to automatically do that when it sees the key.

0(cage)% fido2-token -L
0000:0006:00: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)
0000:0006:01: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)
0(cage)% /usr/local/bin/ssh-keygen -t ecdsa-sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator:
You may need to touch your authenticator (again) to authorize key generation.
Enter file in which to save the key (/home/mdtancsa/.ssh/id_ecdsa_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/mdtancsa/.ssh/id_ecdsa_sk
Your public key has been saved in /home/mdtancsa/.ssh/id_ecdsa_sk.pub
The key fingerprint is:
SHA256:R45iWhPeODjcgftv/Jn1L4bPdDtto67o7ili7aRVTkM mdtancsa@cage.simianscience.com
The key's randomart image is:
+-[ECDSA-SK 256]--+
|                 |
|     .           |
|    . o  E.      |
|   . = =.+       |
|    = X S+o      |
|     * ++..      |
|    . o+ .  ... o|
|     o++o o+.+o++|
|    ..oo*B+.o===+|
+----[SHA256]-----+

I think I remember coming across some new keygen options on some blog post somewhere. Anyways, at least a bit of progress so far!

0(cage)% cat .ssh/id_ec
id_ecdsa_sk      id_ecdsa_sk.pub
0(cage)% cat .ssh/id_ecdsa_sk
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAfwAAACJzay1lY2
RzYS1zaGEyLW5pc3RwMjU2QG9wZW5zc2guY29tAAAACG5pc3RwMjU2AAAAQQTleEX7jyCp
UwUyIFkuEv5PppVbVzdn8fCz74AIB3Urffw81fpWqcMkakhHJbDT34xP4aqMFsj1uBaZ5c
MZXYfAAAAABHNzaDoAAAD4xEyLRMRMi0QAAAAic2stZWNkc2Etc2hhMi1uaXN0cDI1NkBv
cGVuc3NoLmNvbQAAAAhuaXN0cDI1NgAAAEEE5XhF+48gqVMFMiBZLhL+T6aVW1c3Z/Hws+
+ACAd1K338PNX6VqnDJGpIRyWw09+MT+GqjBbI9bgWmeXDGV2HwAAAAARzc2g6AQAAAEBQ
yI0/EKfeb+kjn92G9na9HV/RjDQEVqBbX4jjtYtYUOvyicIobwvhQhEbwWQABVU8fdbJVh
13DFCfUokxrPrSAAAAAAAAAB9tZHRhbmNzYUBjYWdlLnNpbWlhbnNjaWVuY2UuY29tAQID
BAU=
-----END OPENSSH PRIVATE KEY-----

I now copy that pub key to a test account and ssh to port 24, which has sshd from the ports running.

0(cage)% cat .ssh/id_ecdsa_sk.pub
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBOV4RfuPIKlTBTIgWS4S/k+mlVtXN2fx8LPvgAgHdSt9/DzV+lapwyRqSEclsNPfjE/hqowWyPW4Fpnlwxldh8AAAAAEc3NoOg== mdtancsa@cage.simianscience.com
0(cage)% /usr/local/bin/ssh -i .ssh/id_ec
id_ecdsa_sk      id_ecdsa_sk.pub
0(cage)% /usr/local/bin/ssh -i .ssh/id_ecdsa_sk -p24 test33@localhost
Confirm user presence for key ECDSA-SK SHA256:R45iWhPeODjcgftv/Jn1L4bPdDtto67o7ili7aRVTkM
Last login: Tue Jan  5 16:24:45 2021 from 127.0.0.1
FreeBSD 12.2-STABLE (cage) #1 r368688: Wed Dec 16 01:55:15 EST 2020

Welcome to FreeBSD!

Although the private key is in my account, it's not 'all of it' from what I understand. If I pull the Yubico key it immediately fails as expected and goes to passwd auth without delay!

0(cage)% /usr/local/bin/ssh -i .ssh/id_ecdsa_sk -p24 test33@localhost
Confirm user presence for key ECDSA-SK SHA256:R45iWhPeODjcgftv/Jn1L4bPdDtto67o7ili7aRVTkM
sign_and_send_pubkey: signing failed for ECDSA-SK ".ssh/id_ecdsa_sk": invalid format
test33@localhost's password:

Connect it back to my FreeBSD client (and do a chmod a+rwx /dev/usb/0.6* as I don't have devd fixed):

0(cage)% /usr/local/bin/ssh -i .ssh/id_ecdsa_sk -p24 test33@localhost
Confirm user presence for key ECDSA-SK SHA256:R45iWhPeODjcgftv/Jn1L4bPdDtto67o7ili7aRVTkM
Last login: Wed Jan  6 12:19:20 2021 from 127.0.0.1
FreeBSD 12.2-STABLE (cage) #1 r368688: Wed Dec 16 01:55:15 EST 2020

Welcome to FreeBSD!

...
ugen0.6: <Yubico YubiKey OTP+FIDO+CCID> at usbus0, cfg=0 md=HOST spd=FULL (12Mbps) pwr=ON (30mA)

  bLength = 0x0012
  bDescriptorType = 0x0001
  bcdUSB = 0x0200
  bDeviceClass = 0x0000  <Probed by interface class>
  bDeviceSubClass = 0x0000
  bDeviceProtocol = 0x0000
  bMaxPacketSize0 = 0x0040
  idVendor = 0x1050
  idProduct = 0x0407
  bcdDevice = 0x0523
  iManufacturer = 0x0001  <Yubico>
  iProduct = 0x0002  <YubiKey OTP+FIDO+CCID>
  iSerialNumber = 0x0000  <no string>
  bNumConfigurations = 0x0001

It also works with the cheaper "neo" keys:

0(cage)% /usr/local/bin/ssh-keygen -t ecdsa-sk -f neo
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in neo
Your public key has been saved in neo.pub
The key fingerprint is:
SHA256:UarpNVag3uWIRU9/bu9loGBEsrk+Rov4pbsdECgM1sY mdtancsa@cage.simianscience.com
The key's randomart image is:
+-[ECDSA-SK 256]--+
|..o     + +      |
|.o E . o @ .     |
|  + . o * = . .  |
|   . . B O   o   |
|      * S +   +  |
|     o B + . o o |
|    . o B   .   +|
|     . = o     o.|
|      =o.       .|
+----[SHA256]-----+
0(cage)%
0(cage)% /usr/local/bin/ssh -i neo -p24 test33@localhost
Confirm user presence for key ECDSA-SK SHA256:UarpNVag3uWIRU9/bu9loGBEsrk+Rov4pbsdECgM1sY
Last login: Wed Jan  6 12:24:50 2021 from 127.0.0.1
FreeBSD 12.2-STABLE (cage) #1 r368688: Wed Dec 16 01:55:15 EST 2020

Welcome to FreeBSD!

0(cage)% cat neo.pub
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBPwvm6lO3gBiZUxrDlq6VrJHdUIX9pcrfCHhf3w8BFsgguvS4C9IyRLdp4Adz1F64pRJzi51v4bikQnCyLRIm4QAAAAEc3NoOg== mdtancsa@cage.simianscience.com
0(cage)% cat neo
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAfwAAACJzay1lY2
RzYS1zaGEyLW5pc3RwMjU2QG9wZW5zc2guY29tAAAACG5pc3RwMjU2AAAAQQT8L5upTt4A
YmVMaw5aulayR3VCF/aXK3wh4X98PARbIILr0uAvSMkS3aeAHc9ReuKUSc4udb+G4pEJws
i0SJuEAAAABHNzaDoAAAD4c0kVRXNJFUUAAAAic2stZWNkc2Etc2hhMi1uaXN0cDI1NkBv
cGVuc3NoLmNvbQAAAAhuaXN0cDI1NgAAAEEE/C+bqU7eAGJlTGsOWrpWskd1Qhf2lyt8Ie
F/fDwEWyCC69LgL0jJEt2ngB3PUXrilEnOLnW/huKRCcLItEibhAAAAARzc2g6AQAAAECD
KSUmt55JuyXcAg7x9vaagpth6tLR1QzGHFWqPlFDjzHVSckx25UfsDTwpss/otsyqCRq0P
UN4OXOcretpe1ZAAAAAAAAAB9tZHRhbmNzYUBjYWdlLnNpbWlhbnNjaWVuY2UuY29tAQID
BAU=
-----END OPENSSH PRIVATE KEY-----
0(cage)%
0(cage)% fido2-token -L
0000:0006:00: vendor=0x1050, product=0x0116 (Yubico Yubikey NEO OTP+U2F+CCID)
0000:0006:01: vendor=0x1050, product=0x0116 (Yubico Yubikey NEO OTP+U2F+CCID)
0(cage)%

>> On FreeBSD, I need to enter a PIN via the security/yubikey-agent.
>
> And what have you done to get that far?

yubikey-agent -setup
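An added example, not part of the message above or of OpenSSH: a parser (the function names are assumed) for the two sk-ecdsa public key lines printed by cat, with the archive's quoted-printable soft line breaks rejoined, that walks the SSH string fields (key type, curve, uncompressed point, the application string "ssh:") and recomputes the fingerprint ssh-keygen printed. The public blob carries no key handle; that sits only in the private key file and is useless without the authenticator holding the secret, which is why pulling the YubiKey fails at sign_and_send_pubkey instead of silently signing.

```python
import base64
import hashlib
import struct

# The two public key lines printed by `cat` in the message, with the archive's
# quoted-printable soft line breaks rejoined into a single base64 field.
ID_ECDSA_SK_PUB = (
    "sk-ecdsa-sha2-nistp256@openssh.com "
    "AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBB"
    "OV4RfuPIKlTBTIgWS4S/k+mlVtXN2fx8LPvgAgHdSt9/DzV+lapwyRqSEclsNPfjE/hqowWyP"
    "W4Fpnlwxldh8AAAAAEc3NoOg== mdtancsa@cage.simianscience.com"
)
NEO_PUB = (
    "sk-ecdsa-sha2-nistp256@openssh.com "
    "AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBB"
    "Pwvm6lO3gBiZUxrDlq6VrJHdUIX9pcrfCHhf3w8BFsgguvS4C9IyRLdp4Adz1F64pRJzi51v4"
    "bikQnCyLRIm4QAAAAEc3NoOg== mdtancsa@cage.simianscience.com"
)


def read_string(buf, off):
    """Read one SSH wire 'string': uint32 big-endian length, then that many bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("string runs past the end of the blob")
    return buf[off:off + n], off + n


def parse_sk_ecdsa_pubkey(line):
    """Split an authorized_keys-style line and decode its sk-ecdsa key blob."""
    keytype, b64, *rest = line.split()
    blob = base64.b64decode(b64, validate=True)
    inner_type, off = read_string(blob, 0)
    curve, off = read_string(blob, off)
    point, off = read_string(blob, off)        # uncompressed EC point, 0x04 || X || Y
    application, off = read_string(blob, off)  # FIDO relying-party id; OpenSSH uses "ssh:"
    if off != len(blob):
        raise ValueError("trailing bytes after the application string")
    if inner_type.decode() != keytype:
        raise ValueError("outer key type does not match the blob")
    if len(point) != 65 or point[0] != 0x04:
        raise ValueError("expected an uncompressed P-256 point")
    # ssh-keygen's SHA256 fingerprint is base64 of sha256(blob) with '=' padding dropped.
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"type": keytype, "curve": curve.decode(), "application": application.decode(),
            "fingerprint": fingerprint, "comment": rest[0] if rest else ""}
```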