
U2F/FIDO security key support #27

Open
tulir opened this issue Dec 23, 2019 · 4 comments
@tulir

tulir commented Dec 23, 2019

OpenSSH recently got support for using U2F/FIDO security keys for authentication. It would be nice to be able to use such keys when SSHing from Android devices.

https://marc.info/?l=openssh-unix-dev&m=157259802529972&w=2
https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.u2f

@dschuermann added the `enhancement` (New feature or request) label Apr 16, 2020
@lukeross

lukeross commented Jun 20, 2020

I'm also interested in U2F support for TermBot, and have forked and added some basic support. It's currently reeeally rough, but is good enough for me to be able to log in to an OpenSSH 8.2 server using a blue Yubico NFC Security Key. I plan to try and improve it a bit, time permitting.

Main limitations right now: you must import an existing "[email protected]" key (cannot generate yet), and it must have a password on the imported key. I also think something's not quite right in my use of the hwsecurity UI flow as the on-screen keyboard only kicks in when I press the back button after logging in. To build it requires custom versions of sshlib and hwsecurity 😞 - it's on my github if interested.

(Minor detail - I had originally wanted to use the Google Play Services FIDO support, but as far as I can tell it's just not flexible enough to support SSH, being closely tied to WebAuthn)

@NullSense

@lukeross do you still have those changes? A PR could be possible :). I noticed your profile is inactive, but worth a shot.

@lukeross

lukeross commented Nov 24, 2020

Yes, the changes are still up.

Firstly you'll need to build a hwsecurity lib with some tweaks to permit access to the raw data received from the key:

hwsecurity-sdk/hwsecurity@master...lukeross:master

Then, using the just-built version of hwsecurity, you can build the termbot app with the U2F tweaks:

termbot...lukeross:termbot

[Added later] I think it also needs the sshlib changes to handle key serialisation/deserialisation:

connectbot/sshlib@2.2.14...lukeross:2.2.14-fido

I would suggest that it wants a bit of polishing-up before merging to the main branch. I archived the project as I no longer have a need for the U2F use-case myself, so I don't plan to develop it any further.

@dschuermann
Member

dschuermann commented Mar 28, 2021

This would be the way to tackle this:

  • get the sshlib changes into upstream connectbot/sshlib
  • in hwsecurity:
    • build SecurityKeyAuthenticator for Fido similar to OpenPGPSecurityKeyAuthenticator and PivSecurityKeyAuthenticator
    • maybe build FidoPublicKey class that is returned for differentiation
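For reference, the public key and signature encodings from PROTOCOL.u2f that the sshlib serialisation/deserialisation changes above have to deal with, as an added Python example that is not code from TermBot, sshlib or hwsecurity. It covers only the sk-ssh-ed25519@openssh.com type; the constant name FLAG_USER_PRESENCE is our own, and the key and signature bytes in the checks are constructed.

```python
import hashlib
import struct

SK_ED25519 = b"sk-ssh-ed25519@openssh.com"
FLAG_USER_PRESENCE = 0x01  # set in the signature's flags byte when the key required a touch

def ssh_string(b):
    """Encode an SSH 'string': big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def read_string(buf, off):
    """Decode one SSH 'string' at offset off; returns (value, next offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])  # struct.error if the length is cut off
    if off + 4 + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off + 4:off + 4 + n], off + 4 + n

def serialize_pubkey(pk, application):
    """Wire form of an sk-ssh-ed25519@openssh.com public key per PROTOCOL.u2f."""
    return ssh_string(SK_ED25519) + ssh_string(pk) + ssh_string(application)

def parse_pubkey(blob):
    """Inverse of serialize_pubkey; rejects wrong key types and trailing bytes."""
    keytype, off = read_string(blob, 0)
    if keytype != SK_ED25519:
        raise ValueError("not an sk-ssh-ed25519@openssh.com key")
    pk, off = read_string(blob, off)
    application, off = read_string(blob, off)
    if len(pk) != 32 or off != len(blob):
        raise ValueError("malformed sk public key")
    return pk, application

def parse_signature(blob):
    """Split an sk-ssh-ed25519 signature blob into (sig, flags, counter)."""
    keytype, off = read_string(blob, 0)
    if keytype != SK_ED25519:
        raise ValueError("unexpected signature type")
    sig, off = read_string(blob, off)
    if len(sig) != 64 or off + 5 != len(blob):
        raise ValueError("malformed sk signature")
    return sig, blob[off], struct.unpack(">I", blob[off + 1:off + 5])[0]

def signed_data(application, flags, counter, message):
    """Bytes the key signs: SHA256(application) || flags || counter || SHA256(message).
    A verifier rebuilds this from the stored application string, the signature's flags
    and counter, and the SSH userauth message; the counter exposes cloned authenticators."""
    return (hashlib.sha256(application).digest() + bytes([flags])
            + struct.pack(">I", counter) + hashlib.sha256(message).digest())
```

The 64-byte value returned by parse_signature is a plain Ed25519 signature over signed_data(...), so an existing Ed25519 verifier can check it once the application string from the stored public key is known.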
