Is there a method to use FIDO2/webauthn with ssh

Question

As the title says.

We use ssh to connect to many sites and would like to move to use FIDO2/webauthn for authentication.

Is this possible?
What tools do we need?

We are using ubuntu as the client and server.

Answer 1

Score: 2

You can achieve FIDO2-like multi-factor authentication when ssh'ing into a server if you combine a FIDO2-compatible security key with ecdsa-sk keys. The trick is to generate a new keypair with the ecdsa-sk (the "sk" is for "security key") and the flag that requires you to enter the security key's PIN as well:

$> ssh-keygen -t ecdsa-sk -C <email address> -O verify-required

Enter your security key's PIN when prompted, then skip the prompt to password-protect the keypair (the security key and its PIN will protect its use instead). Finally, specify the absolute file path to save the keypair to.

You'll end up with a private key and public key as you'd expect. Add the .pub file to https://github.com/settings/keys as an authentication key, then update ~/.ssh/config to tell it to use the corresponding private key:

Host github.com
  IgnoreUnknown UseKeychain
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/name-you-gave-keypair-here

To test that everything is working fine, you can attempt to ssh into GitHub:

$> ssh -T git@github.com

You should see something like this:

> Hi UsernameHere! You've successfully authenticated, but GitHub does not provide shell access.

And there you have it - security key-backed multi-factor authentication for your SSH connections.

One last thing: you'll need to be using at least OpenSSH 8.2 on both the server and client side, as it's the earliest version that supports ecdsa-sk keypairs.
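As an added example (not part of the answer above or of OpenSSH itself), a small POSIX shell audit of a server's authorized_keys file: the `-O verify-required` flag in the answer is recorded in the client's private key, so the server-side counterpart is the `verify-required` authorized_keys option, and this script flags security-key entries that sshd would still accept without it. The sample authorized_keys content and every key blob in it are constructed placeholders, and the splitter assumes no quoted option value contains whitespace followed by a key-type-like word.

```shell
#!/bin/sh
# Constructed sample authorized_keys content (key blobs are placeholders, not real keys).
# Line 3 carries the server-side "verify-required" option, which makes sshd itself insist
# on FIDO user verification (PIN/biometric) for that key.
SAMPLE_AUTHORIZED_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLEBLOB alice@laptop
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhEXAMPLEBLOB bob@yubikey
verify-required,command="/usr/bin/deploy" sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaEXAMPLEBLOB carol@deploy
# comment lines are ignored by sshd and by this audit
'

# classify_line "<authorized_keys line>" prints one of:
#   skip                 blank or comment line
#   malformed            no recognised key type found
#   not-sk               ordinary key, no security key involved
#   sk-pin-optional      security-key type, but sshd would accept it without user verification
#   sk-verify-required   security-key type and sshd enforces user verification
classify_line() {
  line=$1
  case "$line" in
    ''|'#'*) echo skip; return 0 ;;
  esac
  opts=
  keytype=
  set -f  # no glob expansion while word-splitting the line
  # Everything before the key-type token is the comma-separated options field.
  for word in $line; do
    case "$word" in
      sk-*|ssh-*|ecdsa-sha2-*) keytype=$word; break ;;
      *) opts="${opts:+$opts }$word" ;;
    esac
  done
  has_vr=0
  old_ifs=$IFS; IFS=,
  for opt in $opts; do
    [ "$opt" = "verify-required" ] && has_vr=1
  done
  IFS=$old_ifs
  set +f
  case "$keytype" in
    '') echo malformed ;;
    sk-*) [ "$has_vr" -eq 1 ] && echo sk-verify-required || echo sk-pin-optional ;;
    *) echo not-sk ;;
  esac
}

# count_sk_without_verify FILE prints how many security-key entries lack verify-required.
count_sk_without_verify() {
  n=0
  while IFS= read -r l || [ -n "$l" ]; do
    if [ "$(classify_line "$l")" = sk-pin-optional ]; then n=$((n + 1)); fi
  done < "$1"
  echo "$n"
}
```

Run it against a real file with `count_sk_without_verify ~/.ssh/authorized_keys`; a non-zero result means a security-key login that does not require the PIN on the server side.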

huangapple
  • This post was published on June 15, 2023, 12:08:26
  • Please keep this link when reposting: https://go.coder-hub.com/76479045.html