OpenSSH adds support for two-factor authentication

Experimental support for two-factor authentication using devices that implement the U2F protocol, developed by the FIDO Alliance, has been added to the OpenSSH codebase. U2F makes it possible to build inexpensive hardware tokens that confirm the physical presence of the user, communicating with them over USB, Bluetooth or NFC. Such devices are promoted as a second authentication factor for websites, are already supported by the major browsers, and are produced by a range of vendors, including Yubico, Feitian, Thetis and Kensington.

To work with devices that confirm user presence, a new key type, "sk-ecdsa-sha2-nistp256@openssh.com" (short name "ecdsa-sk"), has been added to OpenSSH. It uses the ECDSA (Elliptic Curve Digital Signature Algorithm) signature scheme over the NIST P-256 curve with SHA-256 as the hash. The code that talks to tokens lives in a middleware library which is loaded in the same way as the PKCS#11 helper and is a thin wrapper over libfido2, the library that provides the primitives for communicating with tokens over USB (both FIDO U2F/CTAP 1 and FIDO 2.0/CTAP 2 are supported). The libsk-libfido2 middleware written by the OpenSSH developers has been merged into libfido2 itself, together with an HID driver for OpenBSD.

To try U2F, use a fresh snapshot of the code from the OpenSSH repository together with the HEAD branch of libfido2, which already contains the layer OpenSSH needs.
libfido2 supports OpenBSD, Linux, macOS and Windows.

To generate a key and authenticate with it, set the SSH_SK_PROVIDER environment variable to the path of libsk-libfido2.so (export SSH_SK_PROVIDER=/path/to/libsk-libfido2.so), or point to the library with the SecurityKeyProvider setting in ssh_config, then run "ssh-keygen -t ecdsa-sk" or, if a key has already been generated and configured, simply connect to the server with "ssh". When ssh-keygen is run, the generated key is written to "~/.ssh/id_ecdsa_sk" and can be used like any other key.

The public key (id_ecdsa_sk.pub) has to be copied to the server's authorized_keys file. The server only verifies the digital signature; all interaction with the token happens on the client side (libsk-libfido2 is not needed on the server, but the server must support the "ecdsa-sk" key type; "ssh -Q key" lists the key types an OpenSSH build understands). The generated private key (id_ecdsa_sk) is really a key handle: the actual signing key is only formed when it is combined with the secret held on the U2F token.

If the id_ecdsa_sk file falls into an attacker's hands, they would still need access to the hardware token to pass authentication; without it, the private key material stored in id_ecdsa_sk is useless. In addition, by default every operation with the key (both at generation time and at authentication time) requires local confirmation of user presence, for example the user is asked to touch the sensor on the token, which makes remote attacks against a machine with a connected token harder. As a further line of defence, a passphrase can be set when ssh-keygen is run to protect the key file.

A U2F key can be added to ssh-agent with "ssh-add ~/.ssh/id_ecdsa_sk", but ssh-agent must be built with support for "ecdsa-sk" keys, the libsk-libfido2 layer must be available, and the agent must run on the system to which the token is connected.
A separate "ecdsa-sk" key type was introduced because the format of OpenSSH's ecdsa keys differs from the U2F flavour of ECDSA signatures by the presence of additional fields.
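The two points above, that the server only checks a signature and that the sk type carries extra fields, are easiest to see on the wire. The following is an added example written for this page, not OpenSSH or libfido2 code: it parses an "sk-ecdsa-sha2-nistp256@openssh.com" public key and signature blob as laid out in OpenSSH's PROTOCOL.u2f, rebuilds the bytes the token actually signs, and checks the user-presence flag. The key point, r/s values and counter are constructed placeholders (not from a real token), and the ECDSA verification itself is left out because the Python standard library has no ECDSA.

```python
import hashlib
import struct

SK_ECDSA = "sk-ecdsa-sha2-nistp256@openssh.com"
PLAIN_ECDSA = "ecdsa-sha2-nistp256"
FLAG_USER_PRESENT = 0x01  # FIDO "UP" bit: set when the user touched the token


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Decode one SSH 'string' at offset off -> (data, new_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def parse_pubkey(blob: bytes) -> dict:
    """Parse a plain ecdsa-sha2-nistp256 or an sk-ecdsa public key blob.
    Both begin with: string type, string curve, string Q (uncompressed point).
    The sk variant appends one more string: the FIDO application (OpenSSH uses "ssh:")."""
    ktype, off = read_string(blob, 0)
    curve, off = read_string(blob, off)
    point, off = read_string(blob, off)
    if curve != b"nistp256" or len(point) != 65 or point[0] != 0x04:
        raise ValueError("expected an uncompressed P-256 point")
    key = {"type": ktype.decode(), "curve": curve.decode(), "point": point}
    if key["type"] == SK_ECDSA:
        app, off = read_string(blob, off)
        key["application"] = app.decode()
    elif key["type"] != PLAIN_ECDSA:
        raise ValueError("unsupported key type " + key["type"])
    if off != len(blob):
        raise ValueError("trailing bytes after key")
    return key


def parse_sk_signature(blob: bytes) -> dict:
    """Parse an sk-ecdsa signature: string type, string (mpint r, mpint s),
    byte flags, uint32 counter. The flags and counter are the fields a plain
    ECDSA signature lacks, hence the separate key type."""
    stype, off = read_string(blob, 0)
    if stype.decode() != SK_ECDSA:
        raise ValueError("not an sk-ecdsa signature")
    rs, off = read_string(blob, off)
    r, roff = read_string(rs, 0)
    s, soff = read_string(rs, roff)
    if soff != len(rs):
        raise ValueError("bad r/s encoding")
    if off + 5 != len(blob):
        raise ValueError("expected flags byte and uint32 counter")
    (counter,) = struct.unpack_from(">I", blob, off + 1)
    return {"r": r, "s": s, "flags": blob[off], "counter": counter}


def signed_data(application: str, flags: int, counter: int, message: bytes) -> bytes:
    """Bytes the token signs (PROTOCOL.u2f, no extensions): the verifier rebuilds
    this from the key's application field plus the signature's flags/counter and
    checks the ECDSA signature over it with Q. sshd never talks to the token."""
    return (hashlib.sha256(application.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", counter)
            + hashlib.sha256(message).digest())


def user_presence_ok(sig: dict, require_touch: bool = True) -> bool:
    """Default policy: refuse a signature made without a touch."""
    return (not require_touch) or bool(sig["flags"] & FLAG_USER_PRESENT)


# Constructed sample data (placeholders, not produced by a real token).
FAKE_POINT = b"\x04" + bytes(range(1, 33)) + bytes(range(33, 65))  # 0x04||X||Y
SK_PUBKEY_BLOB = (ssh_string(SK_ECDSA.encode()) + ssh_string(b"nistp256")
                  + ssh_string(FAKE_POINT) + ssh_string(b"ssh:"))
PLAIN_PUBKEY_BLOB = (ssh_string(PLAIN_ECDSA.encode()) + ssh_string(b"nistp256")
                     + ssh_string(FAKE_POINT))
FAKE_R, FAKE_S = bytes([0x11]) * 32, bytes([0x22]) * 32
SK_SIG_BLOB = (ssh_string(SK_ECDSA.encode())
               + ssh_string(ssh_string(FAKE_R) + ssh_string(FAKE_S))
               + bytes([FLAG_USER_PRESENT]) + struct.pack(">I", 7))


def demo() -> dict:
    sk = parse_pubkey(SK_PUBKEY_BLOB)
    plain = parse_pubkey(PLAIN_PUBKEY_BLOB)
    sig = parse_sk_signature(SK_SIG_BLOB)
    data = signed_data(sk["application"], sig["flags"], sig["counter"], b"session-id||userauth")
    return {"sk_fields": sorted(sk), "plain_fields": sorted(plain),
            "touch": user_presence_ok(sig), "counter": sig["counter"], "signed_len": len(data)}


if __name__ == "__main__":
    print(demo())
```

The signed data is what makes the handle-plus-token design work: the application hash binds the signature to "ssh:", the counter lets a verifier notice a cloned token, and the flags byte is where the touch requirement is enforced, so a client that skips the touch cannot simply omit the field.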

Source: opennet.ru
