OpenSSH adds support for two-factor authentication

Experimental support for two-factor authentication using devices that implement the U2F protocol, developed by the FIDO Alliance, has been added to the OpenSSH codebase. U2F allows low-cost hardware tokens to be built that verify the physical presence of the user and communicate with the host over USB, Bluetooth or NFC. Such devices are promoted as a means of two-factor authentication on websites, are already supported by the major browsers and are produced by various manufacturers, including Yubico, Feitian, Thetis and Kensington.

To interact with devices that confirm user presence, a new key type has been added to OpenSSH, "[email protected]" ("ecdsa-sk"), which uses an ECDSA (Elliptic Curve Digital Signature Algorithm) digital signature with the NIST P-256 elliptic curve and the SHA-256 hash. The procedures for interacting with the token are placed in an intermediate library, which is loaded in the same way as the PKCS#11 support library and is a wrapper over the libfido2 library, which provides the tools for communicating with tokens over USB (the FIDO U2F/CTAP 1 and FIDO 2.0/CTAP 2 protocols are supported). The intermediate library libsk-libfido2, prepared by the OpenSSH developers, has been included in the libfido2 core, as has the HID driver for OpenBSD.

To enable U2F, you can use a fresh snapshot of the codebase from the OpenSSH repository and the HEAD branch of the libfido2 library, which already includes the layer required by OpenSSH.
libfido2 supports OpenBSD, Linux, macOS and Windows.

To authenticate and generate a key, you need to set the SSH_SK_PROVIDER environment variable, specifying in it the path to libsk-libfido2.so (export SSH_SK_PROVIDER=/path/to/libsk-libfido2.so), or specify the library via the SecurityKeyProvider setting, then run "ssh-keygen -t ecdsa-sk" or, if the keys have already been generated and configured, connect to the server using "ssh". When ssh-keygen is run, the generated key pair is saved in "~/.ssh/id_ecdsa_sk" and can be used in the same way as other keys.

The public key (id_ecdsa_sk.pub) must be copied to the server into the authorized_keys file. On the server side only the digital signature is verified, and the interaction with the token takes place on the client side (libsk-libfido2 does not need to be installed on the server, but the server must support the "ecdsa-sk" key type). The generated private key (id_ecdsa_sk) is essentially a key handle: it forms the real key only in combination with the secret sequence stored on the U2F token.

If the id_ecdsa_sk key falls into the hands of an attacker, they will additionally need access to the hardware token to pass authentication; without it, the private key stored in the id_ecdsa_sk file is useless. In addition, by default, any operation with the keys (both during generation and during authentication) requires local confirmation of the user's physical presence, for example a touch of the sensor on the token, which makes it difficult to carry out remote attacks on systems with a connected token. As another line of defence, a passphrase can also be specified at the ssh-keygen stage to protect access to the key file.

A U2F key can be added to ssh-agent via "ssh-add ~/.ssh/id_ecdsa_sk", but ssh-agent must be built with support for "ecdsa-sk" keys, the libsk-libfido2 layer must be present, and the agent must be running on the system to which the token is connected.
The new key type "ecdsa-sk" was added because the OpenSSH ecdsa key format differs from the U2F format for ECDSA digital signatures by the presence of additional fields.
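The enrolment steps above (set SSH_SK_PROVIDER, run ssh-keygen -t ecdsa-sk, copy the public key into authorized_keys) wrapped with the checks a practitioner would want, as an added example that is not part of the original article or of the OpenSSH project. The function names are assumptions; the check that a key line is a security-key ECDSA key relies on the public key type name in OpenSSH .pub files starting with "sk-ecdsa-", which is not shown on this page and is stated here as an assumption.

```shell
#!/bin/sh
# Added example (not from the article): enrolment helpers for U2F-backed SSH keys.

# Returns 0 if SSH_SK_PROVIDER names a readable middleware library
# (the libsk-libfido2.so path the article describes), 1 otherwise.
provider_ok() {
    [ -n "$SSH_SK_PROVIDER" ] && [ -r "$SSH_SK_PROVIDER" ]
}

# Returns 0 if the first field of an authorized_keys-style line is a
# security-key ECDSA key type. Assumption: such types begin with "sk-ecdsa-".
is_sk_pubkey() {
    case "$(printf '%s\n' "$1" | cut -d' ' -f1)" in
        sk-ecdsa-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Generate the key pair. ssh-keygen will ask the user to touch the token
# (presence confirmation) and offer a passphrase, the extra line of defence
# mentioned in the text. Refuses to run if the provider is not reachable.
enroll_sk_key() {
    keyfile="${1:-$HOME/.ssh/id_ecdsa_sk}"
    provider_ok || { echo "SSH_SK_PROVIDER is unset or unreadable" >&2; return 1; }
    ssh-keygen -t ecdsa-sk -f "$keyfile" || return 1
    echo "public key written to $keyfile.pub"
}

# Append one public-key line to an authorized_keys file, only if it is a
# security-key line and not already present (idempotent on re-runs).
add_authorized_sk_key() {
    publine="$1"; authfile="$2"
    is_sk_pubkey "$publine" || { echo "refusing non-security-key line" >&2; return 1; }
    grep -qxF -- "$publine" "$authfile" 2>/dev/null || printf '%s\n' "$publine" >> "$authfile"
}
```

Only enroll_sk_key needs a real token and provider library; the other functions can be exercised offline.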

Source: opennet.ru
