OpenSSH adds support for universal two-factor authentication

Experimental support for two-factor authentication using devices that implement the U2F protocol, developed by the FIDO Alliance, has been added to the OpenSSH codebase. U2F makes it possible to build low-cost hardware tokens that confirm the user's physical presence and are accessed over USB, Bluetooth or NFC. Such devices are being promoted as a two-factor authentication method for websites, are already supported by the major browsers, and are produced by several manufacturers, including Yubico, Feitian, Thetis and Kensington.

To interact with devices that confirm user presence, a new key type "[email protected]" ("ecdsa-sk") has been added to OpenSSH. It uses the ECDSA (Elliptic Curve Digital Signature Algorithm) digital signature algorithm with the NIST P-256 elliptic curve and the SHA-256 hash. The routines for talking to tokens live in an intermediate library, which is loaded in the same way as the PKCS#11 support library and is a wrapper on top of the libfido2 library; libfido2 provides the tools for communicating with tokens over USB (the FIDO U2F / CTAP 1 and FIDO 2.0 / CTAP 2 protocols are supported). The intermediate library libsk-libfido2, prepared by the OpenSSH developers, has been merged into libfido2 itself, as has a HID driver for OpenBSD.

To enable U2F, you can use a fresh snapshot of the codebase from the OpenSSH repository together with the HEAD branch of the libfido2 library, which already includes the layer that OpenSSH requires.
libfido2 supports OpenBSD, Linux, macOS and Windows.

For authentication and key generation, you need to set the SSH_SK_PROVIDER environment variable to the path of libsk-libfido2.so (export SSH_SK_PROVIDER=/path/to/libsk-libfido2.so), or specify the library via the SecurityKeyProvider setting, and then run "ssh-keygen -t ecdsa-sk" or, if keys have already been created and configured, connect to the server with "ssh". When you run ssh-keygen, the generated key pair is stored in "~/.ssh/id_ecdsa_sk" and can be used like any other key.

The public key (id_ecdsa_sk.pub) should be copied to the server into the authorized_keys file. On the server side only the digital signature is verified; the interaction with the token happens on the client side (libsk-libfido2 does not need to be installed on the server, but the server must support the "ecdsa-sk" key type). The generated private key (id_ecdsa_sk) is essentially a key handle: it forms a real key only in combination with the secret sequence stored on the U2F token.

If the id_ecdsa_sk key falls into an attacker's hands, passing authentication would additionally require access to the hardware token, without which the secret stored in the id_ecdsa_sk file is useless. Furthermore, by default every operation with the key (both generation and authentication) requires local confirmation of the user's presence, for example by touching the sensor on the token, which makes remote attacks on a system with a connected token difficult. As a further line of defence, a passphrase can be set when ssh-keygen is run to protect access to the key file.

A U2F key can be added to the ssh agent with "ssh-add ~/.ssh/id_ecdsa_sk", but ssh-agent must be built with support for "ecdsa-sk" keys, the libsk-libfido2 layer must be present, and the agent must be running on the system to which the token is connected.
A new key type "ecdsa-sk" was introduced because the format of OpenSSH ecdsa keys differs from the U2F format for ECDSA digital signatures in the presence of additional fields.
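The two points above that matter to a server administrator are that the server only needs to recognise the new key type in authorized_keys, and that the "ecdsa-sk" public key carries an extra wire-format field compared with a plain ecdsa key. The following script is an added example, not code from the OpenSSH project or from the article: it audits an authorized_keys file, reports which entries are hardware-backed, and checks that the key type declared at the start of each line matches the type embedded in the base64 blob (a mismatch indicates a mangled or tampered line). The full key-type identifier is shown obfuscated in the article; the string used below is the one OpenSSH uses on the wire. The sample authorized_keys content is constructed, and the EC point in it is a 65-byte placeholder in uncompressed-point layout rather than a real P-256 point.

```python
import base64
import shlex
import struct

# Key-type identifier of the hardware-backed ECDSA key added to OpenSSH (the article
# shows it e-mail-obfuscated; this is the identifier as OpenSSH uses it on the wire).
SK_ECDSA = "sk-ecdsa-sha2-nistp256@openssh.com"
PLAIN_ECDSA = "ecdsa-sha2-nistp256"
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(blob: bytes, off: int):
    """Decode one wire-format string at offset `off`; return (payload, next offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated string payload")
    return blob[off:off + n], off + n


def parse_pubkey_blob(blob: bytes) -> dict:
    """Split a public-key blob into its wire-format fields.

    A plain ecdsa-sha2-nistp256 key carries: type, curve name, EC point.
    The sk- variant carries the same three fields plus a trailing application
    string (the additional field the article refers to), normally "ssh:".
    """
    ktype, off = read_string(blob, 0)
    fields = []
    while off < len(blob):
        field, off = read_string(blob, off)
        fields.append(field)
    return {"type": ktype.decode(), "fields": fields}


def parse_authorized_keys_line(line: str):
    """Return (options, key type, blob, comment) for one authorized_keys line,
    or None for blank and comment lines. Quoted options such as from="..." are
    handled by shlex."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = shlex.split(line)
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(tokens):
            options = ",".join(tokens[:i])
            blob = base64.b64decode(tokens[i + 1], validate=True)
            comment = " ".join(tokens[i + 2:])
            return options, tok, blob, comment
    raise ValueError(f"no key type found in line: {line!r}")


def audit_authorized_keys(text: str) -> list:
    """Classify each key as hardware-backed (sk-) or not, and check that the
    declared type matches the type embedded in the blob."""
    report = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_authorized_keys_line(line)
        if parsed is None:
            continue
        options, declared, blob, comment = parsed
        try:
            info = parse_pubkey_blob(blob)
            embedded = info["type"]
            consistent = embedded == declared
        except ValueError:
            info, embedded, consistent = {"fields": []}, None, False
        entry = {
            "line": lineno,
            "comment": comment,
            "options": options,
            "declared": declared,
            "embedded": embedded,
            "hardware_backed": declared.startswith("sk-"),
            "consistent": consistent,
        }
        # For sk-ecdsa keys the fourth wire field is the application string.
        if consistent and declared == SK_ECDSA and len(info["fields"]) == 3:
            entry["application"] = info["fields"][2].decode()
        report.append(entry)
    return report


# Constructed sample material: the point is a placeholder (0x04 || X || Y), not a
# real P-256 point; the blobs are built with the helpers above.
_POINT = b"\x04" + b"\x11" * 32 + b"\x22" * 32
_PLAIN_BLOB = ssh_string(PLAIN_ECDSA.encode()) + ssh_string(b"nistp256") + ssh_string(_POINT)
_SK_BLOB = (ssh_string(SK_ECDSA.encode()) + ssh_string(b"nistp256")
            + ssh_string(_POINT) + ssh_string(b"ssh:"))

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    f"{PLAIN_ECDSA} {base64.b64encode(_PLAIN_BLOB).decode()} bob@desktop",
    f'from="203.0.113.0/24" {SK_ECDSA} {base64.b64encode(_SK_BLOB).decode()} alice@laptop',
    # Declared as the security-key type but the blob is a plain ecdsa key.
    f"{SK_ECDSA} {base64.b64encode(_PLAIN_BLOB).decode()} mallory@unknown",
])

if __name__ == "__main__":
    for e in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        status = "OK" if e["consistent"] else "MISMATCH"
        kind = "hardware-backed" if e["hardware_backed"] else "software key"
        print(f'line {e["line"]}: {e["comment"]:16} {kind:16} {status} '
              f'app={e.get("application", "-")}')
```

Run it against a real file with `audit_authorized_keys(open(path).read())`. The consistency check is the useful part for a defender: the key type at the start of the line is what sshd matches against its accepted types, so an entry whose blob does not carry the declared type will never authenticate and usually points to a copy-paste error or a hand-edited line worth investigating.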

source: budenet.ru
