OpenSSH saitin aikace-aikacen da zasu bada damar sadarwa mai rufin asiri a kan hanyar sadarwa, ta amfani da yarjejeniyar SSH ya kara tallafi na gwaji don tabbatar da abubuwa biyu zuwa tushen lambarta, ta amfani da na'urori masu goyan bayan yarjejeniyar U2F ta ƙawancen FIDO.
Ga wadanda basu sani ba U2F, ya kamata su san hakan, wannan sigar buɗewa ce don ƙirƙirar alamun tsaro mai ƙarancin farashi. Waɗannan sune hanya mafi arha mafi sauƙi don masu amfani don samun maɓallan maɓallin goyan bayan kayan aiki kuma akwai kyawawan kewayon masana'antun wa ke sayar da su, gami das Yubico, Feitian, Thetis, da Kensington.
Maɓallan da ke tallafawa kayan aiki suna ba da fa'idar kasancewa mafi wahalar sata da yawa: mai kai hari gaba ɗaya dole ne ya sata alama ta zahiri (ko kuma aƙalla samun dama gare shi) don satar mabuɗin.
Tunda akwai hanyoyi da yawa don magana da na'urorin U2F, gami da USB, Bluetooth, da NFC, ba mu so mu ɗora OpenSSH da tarin abubuwan dogaro.Maimakon haka, mun ba da aikin sadarwa da alamun zuwa karamin laburaren matsakaiciyar kayan kwalliya wadanda suka yi kama da goyon bayan PKCS # 11 na yanzu.
OpenSSH yanzu yana da gwajin U2F / FIDO na gwaji, tare da U2F an ƙara shi azaman sabon nau'in maɓalli sk-ecdsa-sha2-nistp256@openssh.com ko «ecdsa-sk"A takaice (" sk "na nufin" maɓallin tsaro ").
An matsar da hanyoyin yin ma'amala tare da alamun zuwa cikin ɗakin karatu na matsakaici, wanda aka ɗora ta kwatankwaci tare da laburare don tallafin PKCS # 11 kuma haɗi ne a laburaren libfido2, wanda ke ba da hanyar sadarwa tare da alamun ta hanyar USB (FIDO U2F / CTAP 1 da FIDO 2.0 / CTAP 2).
Laburare matsakaici libsk-libfido2 shirya daga masu haɓaka OpenSSH an haɗa shi a cikin kwayar libfido2, kazalika direban HID don OpenBSD.
Don kunna U2F, za a iya amfani da sabon sashi na asalin lambar ajiya ta OpenSSH da kuma HEAD reshe na libfido2 laburare, wanda ya riga ya haɗa da matakan da suka dace don OpenSSH. Libfido2 yana goyan bayan aiki akan OpenBSD, Linux, macOS, da Windows.
Mun rubuta matsakaiciyar matsakaiciyar matsakaiciya don Yubico's libfido2 wacce ke iya magana da kowane misali USB HID U2F ko alama ta FIDO2. Tsakar gida. An shirya tushen a cikin bishiyar libfido2, don haka ginin wancan da OpenSSH HEAD ya isa don farawa
Dole ne a kwafe maɓallin jama'a (id_ecdsa_sk.pub) zuwa sabar a cikin fayil ɗin izini_keys. A bangaren uwar garke, sa hannu ne kawai na dijital ake tabbatarwa kuma ana yin mu'amala da alamu a bangaren abokin ciniki (libsk-libfido2 baya bukatar sanyawa a kan sabar, amma dole ne uwar garken ya goyi bayan maballin "ecdsa-sk»).
Maɓallin keɓaɓɓen da aka kirkira (ecdsa_sk_id) shine ainihin maɓallin kewayawa wanda ke samar da maɓalli na ainihi kawai a hade tare da jerin sirrin da aka adana a gefen alama ta U2F.
Idan mabudi ecdsa_sk_id ya fada hannun maharin, don tabbatarwa, zai kuma buƙaci samun damar alama ta kayan aikin, ba tare da wannan maɓallin keɓaɓɓen da aka adana a cikin fayil ɗin id_ecdsa_sk ba shi da amfani ba.
Har ila yau, ta tsohuwa, lokacin da ake aiwatar da maɓallin kewayawa (duka lokacin tsarawa da tabbatarwa), ana buƙatar tabbatarwar kasancewar mai amfani a zahiriMisali, an ba da shawarar a taɓa firikwensin a kan alamar, wanda ke ba shi da wuya a yi harin kai tsaye a kan tsarin tare da alamar da aka haɗa.
A matakin farko na ssh-keygen, ana iya saita wasu kalmomin shiga don samun damar fayil ɗin tare da maɓallin.
Ana iya ƙara maɓallin U2F a ciki ssh-wakili via "ssh-ƙara ~ / .ssh / id_ecdsa_sk", amma ssh-wakili dole ne a tattara shi tare da maɓallin tallafi ecdsa-sk, Layer libsk-libfido2 dole ne ya kasance kuma wakili dole ne ya kasance yana aiki akan tsarin da aka makala alamar.
An ƙara sabon nau'in mabudi ecdsa-sk tun da key tsari ecdsa OpenSSH ya bambanta da tsarin U2F don sa hannu na dijital Farashin ECDSA ta gaban ƙarin filayen.
Idan kanaso ka kara sani game dashi zaka iya tuntuba mahada mai zuwa.