Current-Users archive


u2f/fido support in -current
Hi,

I just committed secure token support in -current. You need to cvs update,
recompile the kernel and rebuild userland to get the new packages.

Once you do that and you plug in your token:

$ fido2-token -L
/dev/uhid0: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)
/dev/uhid1: vendor=0x1ea8, product=0xfc25 (ExcelSecu FIDO2 Security Key)

$ fido2-token -I /dev/uhid0
proto: 0x02
major: 0x05
minor: 0x02
build: 0x04
caps: 0x05 (wink, cbor, msg)
version strings: U2F_V2, FIDO_2_0, FIDO_2_1_PRE
extension strings: credProtect, hmac-secret
aaguid: XXXXXX
options: rk, up, noplat, noclientPin, credentialMgmtPreview
maxmsgsiz: 1200
pin protocols: 1
pin retries: undefined

$ fido2-token -I /dev/uhid1
proto: 0x02
major: 0x02
minor: 0x00
build: 0x01
caps: 0x05 (wink, cbor, msg)
version strings: U2F_V2, FIDO_2_0
extension strings: hmac-secret
aaguid: XXXXXX
options: rk, up, noplat, noclientPin
maxmsgsiz: 4096
pin protocols: 1
pin retries: undefined
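
Both tokens above report `noclientPin`, i.e. they support a PIN but none has been set yet. The following shell function is an added example, not part of the original post or of libfido2: it reads `fido2-token -I` output on stdin and summarises the fields an administrator wants to check before mapping a token for su or ssh. The sample inputs are constructed from the two outputs above (aaguid elided) plus a hypothetical token that already has a PIN set.

```shell
# token_summary: read `fido2-token -I` output on stdin and print one line
#   fido2=yes|no pin=set|unset|unsupported hmac-secret=yes|no
# so a token without a PIN can be spotted before it is mapped for su/ssh.
token_summary() {
    fido2=no
    pin=unsupported
    hmac=no
    while IFS= read -r line; do
        case $line in
            "version strings:"*)
                case $line in *FIDO_2_*) fido2=yes ;; esac ;;
            "extension strings:"*)
                case $line in *hmac-secret*) hmac=yes ;; esac ;;
            "options:"*)
                # libfido2 prints "clientPin" when a PIN is set and
                # "noclientPin" when PINs are supported but none is set.
                opts=",$(printf '%s' "${line#options:}" | tr -d ' '),"
                case $opts in
                    *,noclientPin,*) pin=unset ;;
                    *,clientPin,*)   pin=set ;;
                esac ;;
        esac
    done
    printf 'fido2=%s pin=%s hmac-secret=%s\n' "$fido2" "$pin" "$hmac"
}

# Constructed sample input: the two tokens from the post (aaguid elided),
# plus a hypothetical token that already has a PIN set.
YUBIKEY_INFO='version strings: U2F_V2, FIDO_2_0, FIDO_2_1_PRE
extension strings: credProtect, hmac-secret
options: rk, up, noplat, noclientPin, credentialMgmtPreview
maxmsgsiz: 1200'
EXCELSECU_INFO='version strings: U2F_V2, FIDO_2_0
extension strings: hmac-secret
options: rk, up, noplat, noclientPin
maxmsgsiz: 4096'
PINNED_INFO='version strings: U2F_V2, FIDO_2_0
options: rk, up, noplat, clientPin'

# Feed a captured output string to token_summary.
summarize() { printf '%s\n' "$1" | token_summary; }

summarize "$YUBIKEY_INFO"    # fido2=yes pin=unset hmac-secret=yes
summarize "$EXCELSECU_INFO"  # fido2=yes pin=unset hmac-secret=yes
summarize "$PINNED_INFO"     # fido2=yes pin=set hmac-secret=no
```

On a live system, `fido2-token -I /dev/uhid0 | token_summary` gives the same one-line summary for the plugged-in token.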

Now you can simply create a new configuration file to use the token for
becoming root. As root, run:

$ pamu2fcfg

Once you touch the token, it will spit out a line which you can add to
/etc/u2f_mappings.

Edit /etc/pam.d/su and uncomment the pam_u2f.so line. Next time you
su, it will prompt you to hit the token to authenticate.

For ssh:

$ ssh-keygen -vvv -t ecdsa-sk

Put the id_ecdsa_sk.pub entry in your authorized_keys.
Add the following line to /etc/ssh/sshd_config:

PubkeyAcceptedKeyTypes sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519@openssh.com

$ slogin quasar
Confirm user presence for key ECDSA-SK SHA256:gQROjVE4cx1cyyWLZ7tYP2z3Kefc55GJ5bRQidJOkLI
Last login: Tue Mar  3 01:34:58 2020 from 38.117.134.17
NetBSD 9.99.48 (QUASAR) #89: Mon Mar 2 11:59:03 EST 2020

Welcome to NetBSD!

For Firefox, follow the instructions on the internet. I am currently rebuilding
mine because it core-dumps all the time... so I have not tested it yet.

Enjoy,

christos

Useful pages:

https://cryptsus.com/blog/how-to-configure-openssh-with-yubikey-security-keys-u2f-otp-authentication-ed25519-sk-ecdsa-sk-on-ubuntu-18.04.html
https://developers.yubico.com/pam-u2f/
