OpenSSH adds support for universal two-factor authentication

Experimental support for two-factor authentication using devices that implement the U2F protocol, developed by the FIDO Alliance, has been added to the OpenSSH codebase. U2F makes it possible to build low-cost hardware tokens that verify the user's physical presence, communicating with them over USB, Bluetooth or NFC. Such devices have become widespread as a second factor for two-factor authentication on websites, are already supported by the major browsers and are produced by many manufacturers, including Yubico, Feitian, Thetis and Kensington.

To interact with devices that confirm user presence, a new key type has been added to OpenSSH, "sk-ecdsa-sha2-nistp256@openssh.com" ("ecdsa-sk"), which uses the ECDSA (Elliptic Curve Digital Signature Algorithm) digital signature algorithm with the NIST P-256 elliptic curve and the SHA-256 hash. The routines for interacting with tokens are placed in an intermediate library, which is loaded in the same way as the library for PKCS#11 support and is a wrapper over the libfido2 library, which provides the tools for communicating with tokens over USB (the FIDO U2F/CTAP1 and FIDO 2.0/CTAP2 protocols are supported). The intermediate library libsk-libfido2, prepared by the OpenSSH developers, is included in the libfido2 codebase, as is the HID driver for OpenBSD.

To enable U2F, you can use a fresh snapshot of the codebase from the OpenSSH repository and the HEAD branch of the libfido2 library, which already includes the layer needed by OpenSSH.
Libfido2 supports OpenBSD, Linux, macOS and Windows.

For authentication and key generation, you need to set the SSH_SK_PROVIDER environment variable, specifying in it the path to libsk-libfido2.so (export SSH_SK_PROVIDER=/path/to/libsk-libfido2.so), or define the library via the SecurityKeyProvider setting, and then run "ssh-keygen -t ecdsa-sk" or, if the keys have already been generated and configured, connect to the server using "ssh". When you run ssh-keygen, the generated key pair is saved in "~/.ssh/id_ecdsa_sk" and can be used in the same way as other keys.

The public key (id_ecdsa_sk.pub) must be copied to the server into the authorized_keys file. On the server side only the digital signature is verified, and interaction with the token takes place on the client side (libsk-libfido2 does not need to be installed on the server, but the server must support the "ecdsa-sk" key type). The generated private key (id_ecdsa_sk) is essentially a key handle: it forms a real key only in combination with the secret sequence stored on the U2F token.

If the id_ecdsa_sk key falls into the hands of an attacker, they would also need access to the hardware token to pass authentication; without it, the private key stored in the id_ecdsa_sk file is useless. In addition, by default, every operation with the key (both during generation and during authentication) requires local confirmation of the user's physical presence, e.g. the user is asked to touch the sensor on the token, which makes it difficult to carry out remote attacks against a machine with a connected token. As another line of defense, a passphrase can also be specified when ssh-keygen is run, to protect access to the key file.

A U2F key can be added to ssh-agent via "ssh-add ~/.ssh/id_ecdsa_sk", but ssh-agent must be built with support for "ecdsa-sk" keys, the libsk-libfido2 layer must be present, and the agent must be running on the system to which the token is connected.
A new key type, "ecdsa-sk", was introduced because the format of OpenSSH ecdsa keys differs from the U2F format for ECDSA digital signatures in the presence of additional fields.
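The setup described above can be checked from both sides. The script below is an added example, not code from the article or from OpenSSH; it assumes the full algorithm name is "sk-ecdsa-sha2-nistp256@openssh.com" and that `ssh -Q key` lists the key types a build supports. The authorized_keys sample is constructed and its key blobs are placeholders.

```shell
#!/bin/sh
# Added example, not code from the article or from OpenSSH: client- and server-side
# checks around the "ecdsa-sk" key type. Assumes the full algorithm name is
# "sk-ecdsa-sha2-nistp256@openssh.com" and that `ssh -Q key` lists key types.
SK_ALG="sk-ecdsa-sha2-nistp256@openssh.com"

# Does the local OpenSSH know the U2F-backed key type? Reads `ssh -Q key` output
# from stdin; returns 0 when the sk- ECDSA algorithm is listed.
ssh_supports_sk() {
    grep -qxF "$SK_ALG"
}

# Is the middleware library reachable? ssh-keygen, ssh and ssh-add need it on the
# client, so SSH_SK_PROVIDER must point at an existing libsk-libfido2.so.
sk_provider_ok() {
    [ -n "${SSH_SK_PROVIDER:-}" ] && [ -f "$SSH_SK_PROVIDER" ]
}

# Server-side audit: print every authorized_keys entry that is NOT bound to a
# security key and return 1 if any exist, so an account can be held to a
# "hardware-backed keys only" policy. Option prefixes (e.g. no-pty) are allowed.
audit_authorized_keys() {
    file="$1"; nonsk=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;              # blank lines and comments
        esac
        case " $line " in
            *" $SK_ALG "*) ;;                  # FIDO-backed key: accepted
            *) nonsk=$((nonsk + 1)); echo "non-sk key: ${line%% *}" ;;
        esac
    done < "$file"
    [ "$nonsk" -eq 0 ]
}

# Constructed sample authorized_keys; the key blobs are placeholders, not real keys.
SAMPLE_AK=$(mktemp)
cat > "$SAMPLE_AK" <<'EOF'
# one token-backed key and one ordinary ECDSA key
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhPLACEHOLDER= user@laptop
no-pty ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItPLACEHOLDER= old-key
EOF

if command -v ssh >/dev/null 2>&1; then
    ssh -Q key | ssh_supports_sk && echo "local ssh supports $SK_ALG"
fi
sk_provider_ok || echo "SSH_SK_PROVIDER is unset or does not point at a file"
audit_authorized_keys "$SAMPLE_AK" || echo "policy violation: non-sk keys present"
```

Run on a real server, point audit_authorized_keys at ~/.ssh/authorized_keys of the account whose access should be limited to token-backed keys.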

Source: opennet.ru