OpenSSH already has initial support for two-factor authentication


OpenSSH, the set of tools that enables encrypted communication over a network using the SSH protocol, has added experimental support for two-factor authentication to its code base, using devices that support the U2F protocol developed by the FIDO Alliance.

For those unfamiliar with U2F, it is an open standard for making low-cost hardware security tokens. These are easily the cheapest way for users to get a hardware-backed key pair, and there is a good range of manufacturers that sell them, including Yubico, Feitian, Thetis, and Kensington.

Hardware-backed keys have the advantage of being considerably harder to steal: an attacker generally has to steal the physical token (or at least keep persistent access to it) in order to steal the key.

Since there are several ways to talk to U2F devices, including USB, Bluetooth, and NFC, we did not want to load OpenSSH with a ton of dependencies. Instead, we have delegated the task of communicating with tokens to a small middleware library that is loaded in a manner similar to the existing PKCS#11 support.

OpenSSH now has experimental U2F/FIDO support, with U2F added as a new key type, sk-ecdsa-sha2-nistp256@openssh.com, or "ecdsa-sk" for short (the "sk" stands for "security key").

The procedures for interacting with tokens have been moved to an intermediate library, which is loaded in the same way as the library for PKCS#11 support and is a wrapper around the libfido2 library, which provides the means to communicate with tokens over USB (FIDO U2F / CTAP 1 and FIDO 2.0 / CTAP 2).

The intermediate library libsk-libfido2, prepared by the OpenSSH developers, is included in the libfido2 core, as is the HID driver for OpenBSD.

To enable U2F, a fresh snapshot of the OpenSSH repository code base can be used together with the HEAD branch of the libfido2 library, which already includes the layer OpenSSH requires. Libfido2 supports OpenBSD, Linux, macOS, and Windows.

We have written a basic middleware for Yubico's libfido2 that is capable of talking to any standard USB HID U2F or FIDO2 token. The middleware source lives in the libfido2 tree, so building that and OpenSSH HEAD is enough to get started.

The public key (id_ecdsa_sk.pub) must be copied to the server into the authorized_keys file. On the server side, only the digital signature is verified, and interaction with tokens takes place on the client side (libsk-libfido2 does not need to be installed on the server, but the server must support the "ecdsa-sk" key type).

The generated private key (ecdsa_sk_id) is essentially a key handle, which forms a real key only in combination with the secret sequence stored on the U2F token.

If the ecdsa_sk_id key falls into an attacker's hands, the attacker would also need access to the hardware token in order to authenticate; without it, the private key stored in the id_ecdsa_sk file is useless.

In addition, by default, whenever key operations are performed (both during generation and during authentication), local confirmation of the user's physical presence is required. For example, the user is prompted to touch the sensor on the token, which makes it difficult to carry out remote attacks on systems with a connected token.

At the initial ssh-keygen stage, an additional password can be set to protect access to the key file.

The U2F key can be added to ssh-agent via "ssh-add ~/.ssh/id_ecdsa_sk", but ssh-agent must be built with support for ecdsa-sk keys, the libsk-libfido2 layer must be present, and the agent must be running on the system to which the token is connected.

The new key type ecdsa-sk was added because the OpenSSH ecdsa key format differs from the U2F format for ECDSA digital signatures by the presence of additional fields.
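The public key that is copied to authorized_keys carries the new key type inside its encoded blob, which makes it possible to check on the server which accounts use token-backed keys. The following is an added example, not code from the original article or from OpenSSH: it decodes authorized_keys lines and reports the ecdsa-sk entries. The field order (key type, curve name, EC point Q, application string) follows OpenSSH's PROTOCOL.u2f document; the function names, the sample keys and the assumption that key lines carry no options prefix are illustrative.

```python
import base64

SK_ECDSA = "sk-ecdsa-sha2-nistp256@openssh.com"

def pack(b):  # SSH wire string: uint32 big-endian length, then the bytes
    return len(b).to_bytes(4, "big") + b

def read_string(buf, off):
    """Decode one SSH wire string at offset off; reject truncated input."""
    n = int.from_bytes(buf[off:off + 4], "big")
    end = off + 4 + n
    if off + 4 > len(buf) or end > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off + 4:end], end

def parse_sk_ecdsa(blob):
    """Split an ecdsa-sk public key blob: type, curve, EC point Q, application."""
    fields, off = [], 0
    for _ in range(4):
        value, off = read_string(blob, off)
        fields.append(value)
    if off != len(blob):
        raise ValueError("trailing bytes after application field")
    _, curve, q, app = fields
    return {"curve": curve.decode(), "q_len": len(q), "application": app.decode()}

def audit(text):
    """Return (line_no, label, verdict) per key line; assumes no options prefix."""
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        label, blob = parts[0], base64.b64decode(parts[1], validate=True)
        if read_string(blob, 0)[0].decode() != label:
            verdict = "type mismatch"  # text label and encoded type disagree
        elif label == SK_ECDSA:
            verdict = "token-backed, app=" + parse_sk_ecdsa(blob)["application"]
        else:
            verdict = "not ecdsa-sk"
        out.append((no, label, verdict))
    return out

# Constructed sample (dummy key material, not real credentials).
SK_BLOB = pack(SK_ECDSA.encode()) + pack(b"nistp256") + pack(b"\x04" + bytes(64)) + pack(b"ssh:")
ED_BLOB = pack(b"ssh-ed25519") + pack(bytes(32))
SAMPLE = "\n".join(["# constructed authorized_keys",
                    SK_ECDSA + " " + base64.b64encode(SK_BLOB).decode() + " alice@laptop",
                    "ssh-ed25519 " + base64.b64encode(ED_BLOB).decode() + " bob@desktop"])
```

Calling `audit(SAMPLE)` flags line 2 as token-backed and line 3 as not ecdsa-sk; a line whose text label disagrees with the type encoded in its blob is reported as a type mismatch.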

If you want to know more about it, you can consult the following link.

