OpenSSH adds support for universal two-factor authentication

Support for two-factor authentication using devices that implement the U2F protocol, developed by the FIDO Alliance, has been added to the OpenSSH codebase. U2F makes it possible to build inexpensive hardware tokens that confirm the physical presence of the user and communicate with the host over USB, Bluetooth or NFC. Such devices are promoted as a second authentication factor for websites, are already supported by the major browsers and are produced by a range of manufacturers, including Yubico, Feitian, Thetis and Kensington.

To work with devices that verify user presence, a new key type "sk-ecdsa-sha2-nistp256@openssh.com" ("ecdsa-sk") has been added to OpenSSH. It uses the ECDSA (Elliptic Curve Digital Signature Algorithm) digital signature algorithm with the NIST P-256 elliptic curve and the SHA-256 hash. The routines for talking to tokens live in an intermediate library that is loaded in the same way as the PKCS#11 support library and is a wrapper around the libfido2 library, which provides the tooling for communicating with tokens over USB (the FIDO U2F/CTAP 1 and FIDO 2.0/CTAP 2 protocols are supported). The intermediate libsk-libfido2 library prepared by the OpenSSH developers has been merged into the libfido2 core, together with a HID driver for OpenBSD.

To enable U2F, you can use a fresh snapshot of the codebase from the OpenSSH repository together with the HEAD branch of the libfido2 library, which already includes the layer OpenSSH needs. libfido2 supports OpenBSD, Linux, macOS and Windows.

To authenticate and to generate a key, you need to set the SSH_SK_PROVIDER environment variable to the path of libsk-libfido2.so (export SSH_SK_PROVIDER=/path/to/libsk-libfido2.so), or point to the library with the SecurityKeyProvider setting, and then run "ssh-keygen -t ecdsa-sk" or, if the keys have already been generated and configured, connect to the server with "ssh". When ssh-keygen is used, the generated key pair is saved as "~/.ssh/id_ecdsa_sk" and can be used in the same way as any other key.
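The client-side setup described above, as an added example that is not part of the article or of OpenSSH: a small preflight script that resolves which security-key provider library OpenSSH will load (the SSH_SK_PROVIDER variable takes precedence over a SecurityKeyProvider line in ~/.ssh/config), checks that the file is actually readable, and only then calls ssh-keygen -t ecdsa-sk. The config path and the provider file name are assumptions; ssh-keygen is only invoked when the script is run with the argument "enroll", because it needs a plugged-in token and a touch.

```shell
#!/bin/sh
# Added example, not from the article or the OpenSSH project.
# Assumed: the provider library is named libsk-libfido2.so and is referenced
# either via $SSH_SK_PROVIDER or via "SecurityKeyProvider <path>" in ssh_config.

# resolve_sk_provider [CONFIG_FILE]
# Prints the provider path OpenSSH would use: $SSH_SK_PROVIDER if set,
# otherwise the first SecurityKeyProvider value in the config file
# (OpenSSH keywords are case-insensitive and the first value wins).
# Returns 1 if neither source provides a path.
resolve_sk_provider() {
  cfg="${1:-$HOME/.ssh/config}"
  if [ -n "${SSH_SK_PROVIDER:-}" ]; then
    printf '%s\n' "$SSH_SK_PROVIDER"
    return 0
  fi
  if [ -r "$cfg" ]; then
    p=$(awk 'tolower($1) == "securitykeyprovider" { print $2; exit }' "$cfg")
    if [ -n "$p" ]; then
      printf '%s\n' "$p"
      return 0
    fi
  fi
  return 1
}

# sk_provider_ok [CONFIG_FILE]
# Returns 0 only if a provider is configured AND the library file is readable,
# so a typo in the path is caught before ssh-keygen fails with a cryptic error.
sk_provider_ok() {
  p=$(resolve_sk_provider "${1:-}") || return 1
  [ -r "$p" ]
}

# enroll_sk_key: generate the ecdsa-sk key pair. Needs the token connected and
# a touch on its sensor; prints the public key line to copy to the server.
enroll_sk_key() {
  if ! sk_provider_ok; then
    echo "no usable SecurityKeyProvider configured (set SSH_SK_PROVIDER)" >&2
    return 1
  fi
  ssh-keygen -t ecdsa-sk -f "$HOME/.ssh/id_ecdsa_sk" && cat "$HOME/.ssh/id_ecdsa_sk.pub"
}

if [ "${1:-}" = "enroll" ]; then
  enroll_sk_key
fi
```

Run it as "sh preflight.sh enroll" after exporting SSH_SK_PROVIDER; without the argument it only defines the functions, which makes it safe to source from other scripts.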

The public key (id_ecdsa_sk.pub) must be copied to the server's authorized_keys file. On the server side only the digital signature is verified; all interaction with the token happens on the client side (libsk-libfido2 does not need to be installed on the server, but the server must support the "ecdsa-sk" key type). The generated private key (id_ecdsa_sk) is only a key handle: it yields the real key only in combination with the secret stored on the U2F token.
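From the server side, the useful question is which entries in a user's authorized_keys are token-backed and which are plain software keys that an attacker could use after stealing the file. The following audit script is an added example, not code from the article or from OpenSSH; the authorized_keys content is constructed with fake key material, and the only real identifier it relies on is the "sk-ecdsa-sha2-nistp256@openssh.com" type string that ssh-keygen -t ecdsa-sk writes into the public key.

```shell
#!/bin/sh
# Added example, not from the article or the OpenSSH project.

# write_sample FILE: constructed authorized_keys content (fake key blobs).
write_sample() {
  cat > "$1" <<'EOF'
ssh-ed25519 AAAAC3FAKEKEYMATERIAL1 alice@laptop
# retired key kept as a comment
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrFAKEKEYMATERIAL2 alice@security-key
no-pty,command="/usr/local/bin/backup" ssh-rsa AAAAB3FAKEKEYMATERIAL3 backup@host

ssh-ed25519 AAAAC3FAKEKEYMATERIAL4 bob@desk
EOF
}

# audit_authorized_keys FILE
# Prints one line per key entry: TYPE<TAB>COMMENT<TAB>sk|software.
# Entries may start with an options list ("no-pty,command=..."), so the key
# type is the first field that looks like one, not always field 1.
# Caveat: an option value containing a word that starts with "ssh-" would be
# misread; a complete parser would honour the quoting inside the options field.
audit_authorized_keys() {
  awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
          kind = ($i ~ /^sk-/) ? "sk" : "software"
          comment = (i + 2 <= NF) ? $(i + 2) : ""
          print $i "\t" comment "\t" kind
          break
        }
      }
    }' "$1"
}

# count_keys FILE KIND -> number of entries of KIND ("sk" or "software")
count_keys() {
  audit_authorized_keys "$1" | awk -F'\t' -v k="$2" '$3 == k { n++ } END { print n + 0 }'
}

# server_supports_sk -> 0 if the local OpenSSH build knows the ecdsa-sk key type.
# The server never loads libsk-libfido2, but sshd must still recognise the type.
server_supports_sk() {
  ssh -Q key 2>/dev/null | grep -q '^sk-ecdsa-sha2-nistp256@openssh.com$'
}

tmp=$(mktemp)
write_sample "$tmp"
audit_authorized_keys "$tmp"
echo "security-key entries: $(count_keys "$tmp" sk), software entries: $(count_keys "$tmp" software)"
rm -f "$tmp"
```

Pointing audit_authorized_keys at a real file (for example "audit_authorized_keys ~/.ssh/authorized_keys") gives a quick inventory; any account whose software count is non-zero still accepts a key that needs no token.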

If the id_ecdsa_sk key falls into an attacker's hands, they would also need access to the hardware token to pass authentication; without it, the private key stored in the id_ecdsa_sk file is useless. In addition, by default every operation with the key (both generation and authentication) requires local confirmation of the user's physical presence, for example by touching the sensor on the token, which makes remote attacks on systems with a connected token harder. As a further line of defence, a passphrase can be set when ssh-keygen is run to protect access to the key file.

A U2F key can be added to ssh-agent with "ssh-add ~/.ssh/id_ecdsa_sk", but ssh-agent must be built with support for "ecdsa-sk" keys, the libsk-libfido2 layer must be present, and the agent must run on the system to which the token is connected.
The new "ecdsa-sk" key type was introduced because the format of OpenSSH ecdsa keys differs from the U2F format for ECDSA digital signatures, which carries additional fields.

Source: opennet.ru
