OpenSSH adds support for universal two-factor authentication

Experimental support for two-factor authentication using devices that implement the U2F protocol, developed by the FIDO Alliance, has been added to the OpenSSH codebase. U2F allows the creation of low-cost hardware tokens that confirm the physical presence of the user, communicating with them over USB, Bluetooth or NFC. Such devices are promoted as a two-factor authentication method for websites, are already supported by the major browsers, and are produced by various manufacturers, including Yubico, Feitian, Thetis and Kensington.

To interact with devices that confirm user presence, a new key type ("ecdsa-sk") has been added to OpenSSH. It uses the ECDSA (Elliptic Curve Digital Signature Algorithm) digital signature with the NIST P-256 elliptic curve and the SHA-256 hash. The routines for talking to tokens are placed in an intermediate library, which is loaded in the same way as the library for PKCS#11 support and is a wrapper over the libfido2 library, which provides the tools for communicating with USB tokens (the FIDO U2F/CTAP 1 and FIDO 2.0/CTAP 2 protocols are supported). The intermediate library libsk-libfido2, prepared by the OpenSSH developers, has been merged into the libfido2 core, along with a HID driver for OpenBSD.

To enable U2F, you can use a fresh snapshot of the codebase from the OpenSSH repository together with the HEAD branch of the libfido2 library, which already includes the layer required by OpenSSH.
Libfido2 supports OpenBSD, Linux, macOS and Windows.

To authenticate and to generate a key, you need to set the SSH_SK_PROVIDER environment variable, pointing it at the path to libsk-libfido2.so (export SSH_SK_PROVIDER=/path/to/libsk-libfido2.so), or specify the library with the SecurityKeyProvider setting, and then run "ssh-keygen -t ecdsa-sk" or, if the keys have already been generated and configured, connect to the server with "ssh". When you run ssh-keygen, the generated key pair is saved in "~/.ssh/id_ecdsa_sk" and can be used in the same way as other keys.

The public key (id_ecdsa_sk.pub) must be copied to the server into the authorized_keys file. On the server side only the digital signature is verified; the interaction with the token takes place on the client side (libsk-libfido2 does not need to be installed on the server, but the server must support the "ecdsa-sk" key type). The generated private key (id_ecdsa_sk) is essentially a key handle, which forms a real key only when combined with the secret stored on the U2F token.

If the id_ecdsa_sk key falls into an attacker's hands, they would also need access to the hardware token to pass authentication; without it, the private key stored in the id_ecdsa_sk file is useless. In addition, by default, every operation with the keys (both during generation and during authentication) requires local confirmation of the user's physical presence, for example by touching the token's sensor, which makes remote attacks on systems with a connected token harder to carry out. As a further line of defence, a passphrase can also be set when running ssh-keygen to protect the key file.

A U2F key can be added to ssh-agent via "ssh-add ~/.ssh/id_ecdsa_sk", but ssh-agent must be built with support for "ecdsa-sk" keys, the libsk-libfido2 layer must be present, and the agent must run on the system to which the tokens are attached.
The new "ecdsa-sk" key type was introduced because the format of OpenSSH ecdsa keys differs from the U2F format for ECDSA digital signatures by the presence of additional fields.
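As an added example (not code from the article or from OpenSSH), the parser below decodes the base64 blob of a .pub / authorized_keys line into its length-prefixed SSH string fields and shows the extra field that distinguishes an ecdsa-sk key from a plain ecdsa key. It assumes the full wire name "sk-ecdsa-sha2-nistp256@openssh.com" for the ecdsa-sk type (the page quotes only the short name) and uses constructed dummy key material, so it runs offline.

```python
import base64
import struct

# Full wire name of the "ecdsa-sk" type (assumption: the page quotes only the
# short ssh-keygen name). Plain ecdsa keys use "ecdsa-sha2-nistp256".
SK_ECDSA = "sk-ecdsa-sha2-nistp256@openssh.com"
ECDSA = "ecdsa-sha2-nistp256"

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(blob: bytes, off: int):
    """Decode one SSH 'string' at off; return (bytes, next_offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + n > len(blob):
        raise ValueError("truncated string field")
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_pubkey_line(line: str) -> dict:
    """Parse one .pub / authorized_keys line. Both types carry type, curve and
    EC point; the sk variant appends an 'application' string the key is bound to."""
    key_type, b64 = line.split()[:2]
    blob, fields, off = base64.b64decode(b64), [], 0
    while off < len(blob):
        s, off = read_string(blob, off)
        fields.append(s)
    if len(fields) < 3 or fields[0].decode() != key_type:
        raise ValueError("malformed or mismatched key blob")
    info = {"type": key_type, "curve": fields[1].decode(), "point_len": len(fields[2])}
    if key_type == SK_ECDSA:
        if len(fields) != 4:
            raise ValueError("ecdsa-sk key must carry an application field")
        info["application"] = fields[3].decode()
    elif len(fields) != 3:
        raise ValueError("unexpected extra fields in plain ecdsa key")
    return info

def make_line(key_type: str, point: bytes, application=None) -> str:
    """Build a .pub line from constructed parts (sample data, not a real key)."""
    body = ssh_string(key_type.encode()) + ssh_string(b"nistp256") + ssh_string(point)
    if application is not None:
        body += ssh_string(application.encode())
    return f"{key_type} {base64.b64encode(body).decode()} user@host"

DUMMY_POINT = b"\x04" + bytes(range(64))  # constructed 65-byte point, not on the curve
SK_LINE = make_line(SK_ECDSA, DUMMY_POINT, "ssh:")  # "ssh:" is ssh-keygen's default application
PLAIN_LINE = make_line(ECDSA, DUMMY_POINT)
```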

Source: opennet.ru
