I-OpenSSH isethi yezinhlelo zokusebenza ezivumela ukuxhumana okubethelwe ngenethiwekhi, usebenzisa umthetho olandelwayo we-SSH ungeze ukusekelwa kokuhlola kokuqinisekiswa kwezinto ezimbili kwikhodi yayo, kusetshenziswa amadivayisi asekela umthetho olandelwayo we-U2F owenziwe umbimbi lwe-FIDO.
Kulabo abangazi U2F, kufanele bakwazi lokho, leli yindinganiso evulekile yokwenza amathokheni wezokuphepha wehadi ephansi. Lezi kalula indlela eshibhe kunazo zonke yokuthi abasebenzisi bathole ukhiye okhiye osebenza ngehardware futhi kukhona uhla oluhle lwabakhiqizi abazithengisayo, kufaka phakathis Yubico, Feitian, Thetis, neKensington.
Izinkinobho ezisekelwa nge-Hardware zinikeza ithuba lokuthi kube nzima kakhulu ukweba: umhlaseli ngokuvamile kufanele entshontshe ithokheni engokomzimba (noma okungenani aphikelele kuyo) ukuze ebe ukhiye.
Njengoba kunezindlela eziningi zokukhuluma namadivayisi we-U2F, kufaka phakathi i-USB, i-Bluetooth, ne-NFC, besingafuni ukulayisha i-OpenSSH ngethoni lokuncika. Esikhundleni salokho, sinikeze umsebenzi wokuxhumana namathokheni kokuncane umtapo wolwazi we-middleware olayisha ngendlela elula.ofana nokusekelwa okukhona kwe-PKCS # 11.
I-OpenSSH manje inokusekelwa kokuhlola kwe-U2F / FIDO, nge-U2F ingezwa njengohlobo olusha lokhiye sk-ecdsa-sha2-nistp256@openssh.com noma «ecdsa-sk"Ngamafuphi (i" sk "imele" ukhiye wokuphepha ").
Izinqubo zokusebenzisana namathokheni zihanjiswe emtatsheni wezincwadi ophakathi nendawo, Elayishwe ngokufana nomtapo wezincwadi wokusekelwa kwe-PKCS # 11 futhi iyisixhumanisi kumtapo wezincwadi we-libfido2, esihlinzeka izindlela zokuxhumana namathokheni nge-USB (FIDO U2F / CTAP 1 neFIDO 2.0 / CTAP 2).
Umtapo Wezincwadi phakathi libsk-libfido2 ilungiselelwe ngabathuthukisi be-OpenSSH ifakiwe ku-libfido2 kernel, kanye nomshayeli we-HID we-OpenBSD.
Ukuze unike amandla i-U2F, kungasetshenziswa ingxenye entsha yesisekelo sekhodi kusuka ekhoselweni le-OpenSSH kanye negatsha le-HEAD lomtapo wezincwadi we-libfido2, osuvele ufake ungqimba oludingekayo lwe-OpenSSH. ILibfido2 isekela ukusebenza ku-OpenBSD, Linux, macOS, nakuWindows.
Sibhale i-middleware eyisisekelo ye-Yubico's libfido2 ekwazi ukukhuluma nanoma iyiphi ithokheni ejwayelekile ye-USB HID U2F noma ye-FIDO2. I-middleware. Umthombo ubanjelwe esihlahleni se-libfido2, ngakho-ke ukwakha lokho ne-OpenSSH HEAD kwanele ukuqala
Ukhiye wasesidlangalaleni (id_ecdsa_sk.pub) kufanele ukopishelwe kuseva kufayela eligunyaziwe_khiye. Ohlangothini lweseva, kuqinisekiswa kuphela isiginesha yedijithali futhi ukusebenzisana namathokheni kwenziwa ohlangothini lwekhasimende (i-libsk-libfido2 ayidingi ukufakwa kuseva, kepha iseva kufanele isekele uhlobo lokhiye "ecdsa-sk»).
Ukhiye oyimfihlo okhiqiziwe (nomzamo_k) empeleni kuyincazelo eyisihluthulelo eyakha ukhiye wangempela kuphela ngokuhlanganiswa nokulandelana okuyimfihlo okugcinwe ohlangothini lwethokheni le-U2F.
Uma ukhiye nomzamo_k iwela ezandleni zomhlaseli, ukuqinisekisa, uzodinga futhi ukufinyelela ithokheni yehadiwe, ngaphandle kokuthi ukhiye oyimfihlo ogcinwe kufayela le-id_ecdsa_sk awusizi ngalutho.
Futhi, ngokuzenzakalela, lapho kwenziwa imisebenzi ebalulekile (kokubili ngesikhathi sokukhiqiza nokufakazela ubuqiniso), Ukuqinisekiswa kwasendaweni kobukhona bomsebenzisi ngokomzimba kuyadingekaIsibonelo, kuphakanyiswa ukuthi uthinte inzwa kuphawu, okwenza kube nzima ukwenza ukuhlaselwa okukude kumasistimu anethokheni elixhunyiwe.
Esigabeni sokuqala se- ssh-keygen, elinye iphasiwedi nalo lingasethwa ukufinyelela ifayela ngokhiye.
Ukhiye we-U2F ungangezwa ku umthungi we-ssh ngokusebenzisa "ssh-engeza ~ / .ssh / id_ecdsa_sk", kodwa umthungi we-ssh kumele ihlanganiswe ngokusekelwa okuyisihluthulelo ecdsa-sk, ungqimba lwe-libsk-libfido2 kufanele lube khona futhi umenzeli kufanele asebenze ohlelweni olunamathiselwe kulo.
Uhlobo olusha lokhiye lungeziwe ecdsa-sk kusukela ngefomethi yokhiye ecdsa I-OpenSSH yehlukile kufomethi ye-U2F yamasiginesha edijithali ECDSA ngokuba khona kwemikhakha eyengeziwe.
Uma ufuna ukwazi kabanzi ngayo ungabonisana isixhumanisi esilandelayo.