I-OpenSSH iseti yezicelo ezivumela unxibelelwano olofihliweyo kwinethiwekhi, usebenzisa umthetho olandelwayo weSSH yongeze inkxaso yovavanyo lwezinto ezimbini kwisiseko sayo sekhowudi, kusetyenziswa izixhobo ezixhasa umthetho olandelwayo we-U2F ophuhliswe ngumanyano lweFIDO.
Kulabo abangazi U2F, kufuneka bayazi loo nto, lo ngumgangatho ovulekileyo wokwenza iithokheni zokhuseleko lwezixhobo zexabiso eliphantsi. Ezi ngokulula zezona ndlela zexabiso eliphantsi kubasebenzisi zokufumana isitshixo esixhaswe ngezixhobo zekhompyuter kunye kukho uluhlu oluhle lwabenzi abazithengisayo, kubandakanyas Yubico, Feitian, Thetis, kunye neKensington.
Izitshixo ezixhaswa zii-Hardware zibonelela ngeenzuzo zokuba nzima ngakumbi ukuba: umhlaseli ngokubanzi kufuneka ebe ithokheni ebonakalayo (okanye ubuncinci ukufikelela kuyo) ukuze ebe isitshixo.
Kuba zininzi iindlela zokuthetha kwizixhobo ze-U2F, kubandakanya i-USB, iBluetooth, kunye ne-NFC, besingafuni ukulayisha i-OpenSSH ngetoni yokuxhomekeka. ilayibrari encinci ye-middleware elayisha ngendlela efanayo nenkxaso esele ikhona ye-PKCS # 11.
I-OpenSSH ngoku ine-U2F yokulinga / inkxaso yeFIDO, kunye ne-U2F yongezwa njengohlobo olutsha lwesitshixo sk-ecdsa-sha2-nistp256@openssh.com okanye «ecdsa-sk"Ngamafutshane (i" sk "imele" isitshixo sokhuseleko ").
Inkqubo yokunxibelelana neethokheni ihanjiswe yethala leencwadi eliphakathi, Elayishwe ngokufana nelayibrari yenkxaso ye-PKCS # 11 kwaye iyikhonkco kwilayibrari ye-libfido2, ebonelela ngeendlela zonxibelelwano kunye neethokheni nge-USB (FIDO U2F / CTAP 1 kunye neFIDO 2.0 / CTAP 2).
Ithala leencwadi esiphakathi libsk-libfido2 ilungiselelwe ngabaphuhlisi be-OpenSSH ifakiwe kwi-libfido2 kernel, kunye nomqhubi we-HID we-OpenBSD.
Ukwenza i-U2F isebenze, icandelo elitsha lesiseko sekhowudi kwindawo yokugcina i-OpenSSH inokusetyenziswa kunye nesebe le-HEAD lethala leencwadi le-libfido2, esele ibandakanya umaleko oyimfuneko we-OpenSSH. ILibfido2 ixhasa ukusebenza kwi-OpenBSD, iLinux, iMacOS kunye neeWindows.
Sibhale i-middleware esisiseko ye-Yubico's libfido2 ekwaziyo ukuthetha nayo nayiphi na i-USB HID U2F okanye ithokheni ye-FIDO2 esemgangathweni. Izinto eziphakathi. Umthombo ubanjelwe kumthi we-libfido2, ke ukwakha loo nto kunye ne-OpenSSH HEAD kwanele ukuqala
Isitshixo esidlangalaleni (id_ecdsa_sk.pub) kufuneka sikotshelwe kwiseva kwifayile egunyazisiweyo_eekhi. Kwicala leseva, kukutyikitywa kwedijithali kuphela kwaye ukusebenzisana neethokheni kwenziwa kwicala lomthengi (libsk-libfido2 ayidingi ukufakwa kwiserver, kodwa iseva kufuneka ixhase uhlobo oluphambili "ecdsa-sk»).
Isitshixo sangasese esivelisiweyo (ecdsa_sk_id) Isichazi esiphambili esenza isitshixo sokwenyani kuphela ngokudityaniswa kunye nokulandelelana okuyimfihlo okugcinwe kwicala lomqondiso we-U2F.
Ukuba isitshixo ecdsa_sk_id iwela ezandleni zomhlaseli, ukungqinisisa, kuya kufuneka afikelele kwithokheni yehardware, ngaphandle kwesitshixo sabucala esigcinwe kwifayile ye-id_ecdsa_sk engenamsebenzi.
Kwakhona, ngokungagqibekanga, xa kusenziwa imisebenzi ephambili (kokubini ngexesha lokuzalwa kunye nokuqinisekiswa), Ukuqinisekiswa kwendawo kobukho bomsebenzisi buyafunekaUmzekelo, kucetyiswa ukuba ubambe isenzi esikwiphawu, esenza kube nzima ukwenza uhlaselo olukude kwiinkqubo ezinethokheni exhunyiwe.
Kwinqanaba lokuqala le- i-ssh-keygen, elinye iphasiwedi linokuseta ukufikelela kwifayile ngesitshixo.
Iqhosha le-U2F linokongezwa kwi i-ssh-arhente ngokusebenzisa "ssh-yongeza ~ / .ssh / id_ecdsa_sk", kodwa i-ssh-arhente kufuneka idityaniswe nenkxaso ephambili ecdsa-skUmaleko we-libsk-libfido2 kufuneka ubekhona kwaye iarhente kufuneka isebenze kwinkqubo eqhotyoshelwe kuyo.
Uhlobo olutsha lwesitshixo longeziwe ecdsa-sk ukusukela kwifomathi ephambili ecdsa I-OpenSSH yahlukile kwifomathi ye-U2F yokutyikitya kwidijithali IECDSA ngobukho bamacandelo ongezelelweyo.
Ukuba ufuna ukwazi ngakumbi ngayo ungabonisana eli khonkco lilandelayo.