Hi,
I just committed secure token support in -current. You need to cvs update, recompile the kernel and rebuild userland to get the new packages. Once you do that and you plug in your token:

    $ fido2-token -L
    /dev/uhid0: vendor=0x1050, product=0x0407 (Yubico YubiKey OTP+FIDO+CCID)
    /dev/uhid1: vendor=0x1ea8, product=0xfc25 (ExcelSecu FIDO2 Security Key)

    $ fido2-token -I /dev/uhid0
    proto: 0x02
    major: 0x05
    minor: 0x02
    build: 0x04
    caps: 0x05 (wink, cbor, msg)
    version strings: U2F_V2, FIDO_2_0, FIDO_2_1_PRE
    extension strings: credProtect, hmac-secret
    aaguid: XXXXXX
    options: rk, up, noplat, noclientPin, credentialMgmtPreview
    maxmsgsiz: 1200
    pin protocols: 1
    pin retries: undefined

    $ fido2-token -I /dev/uhid1
    proto: 0x02
    major: 0x02
    minor: 0x00
    build: 0x01
    caps: 0x05 (wink, cbor, msg)
    version strings: U2F_V2, FIDO_2_0
    extension strings: hmac-secret
    aaguid: XXXXXX
    options: rk, up, noplat, noclientPin
    maxmsgsiz: 4096
    pin protocols: 1
    pin retries: undefined

Now you can simply create a new configuration file to use the token for becoming root. As root, run:

    $ pamu2fcfg

Once you touch the token, it will spit out a line which you can add to /etc/u2f_mappings. Edit /etc/pam.d/su and uncomment the pam_u2f.so line. The next time you su, it will prompt you to hit the token to authenticate.

For ssh:

    $ ssh-keygen -vvv -t ecdsa-sk

Put the id_ecdsa_sk.pub entry in your authorized_keys, and add the following line to /etc/ssh/sshd_config:

    PubkeyAcceptedKeyTypes sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519@openssh.com

Then:

    $ slogin quasar
    Confirm user presence for key ECDSA-SK SHA256:gQROjVE4cx1cyyWLZ7tYP2z3Kefc55GJ5bRQidJOkLI
    Last login: Tue Mar  3 01:34:58 2020 from 38.117.134.17
    NetBSD 9.99.48 (QUASAR) #89: Mon Mar  2 11:59:03 EST 2020

    Welcome to NetBSD!

For firefox, follow the instructions on the internet. I am currently rebuilding mine because it core-dumps all the time... so I have not tested it yet.
Enjoy,

christos

Useful pages:
https://cryptsus.com/blog/how-to-configure-openssh-with-yubikey-security-keys-u2f-otp-authentication-ed25519-sk-ecdsa-sk-on-ubuntu-18.04.html
https://developers.yubico.com/pam-u2f/
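The mail describes four files that together decide whether the token is actually enforced: the sshd_config key-type line, the authorized_keys entry, the pam_u2f.so line in /etc/pam.d/su, and the user's /etc/u2f_mappings entry. The script below is an added example (not christos's code, and not part of NetBSD or pam-u2f) that audits each of those in POSIX sh. It writes constructed sample files to a temp directory; the key blobs and the pamu2fcfg output are placeholders, and the u2f_mappings layout it assumes ("user:keyhandle,pubkey", further credentials colon-separated) is pam-u2f's format as I understand it.

```shell
#!/bin/sh
# Added example: audit the su/PAM and sshd pieces of a FIDO2 setup.
# All file contents below are constructed samples; to audit a live system,
# point the functions at /etc/ssh/sshd_config, ~/.ssh/authorized_keys,
# /etc/pam.d/su and /etc/u2f_mappings instead.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed sshd_config: the sk key types, plus a commented-out line that
# must not be counted.
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
#PubkeyAcceptedKeyTypes ssh-rsa
PubkeyAcceptedKeyTypes sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519@openssh.com
EOF

# Constructed authorized_keys: one sk key behind an options prefix, one plain
# ed25519 key, one comment. The key blobs are placeholders, not real keys.
cat > "$SAMPLE_DIR/authorized_keys" <<'EOF'
# constructed sample
no-agent-forwarding sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDER== user@quasar
ssh-ed25519 AAAAPLACEHOLDER== user@laptop
EOF

# Constructed /etc/pam.d/su with the pam_u2f.so line uncommented.
cat > "$SAMPLE_DIR/su" <<'EOF'
# auth sufficient pam_self.so
auth required pam_u2f.so
auth include system
EOF

# Constructed /etc/u2f_mappings: root has a (placeholder) credential,
# "nobody" has an entry with no credential at all.
cat > "$SAMPLE_DIR/u2f_mappings" <<'EOF'
root:KEYHANDLE_PLACEHOLDER,PUBKEY_PLACEHOLDER
nobody:
EOF

# sshd honours the first occurrence of a keyword (keywords are
# case-insensitive), so print the first uncommented PubkeyAcceptedKeyTypes.
sshd_sk_types() {
    awk 'tolower($1) == "pubkeyacceptedkeytypes" && !seen { print $2; seen = 1 }' "$1"
}

# Return 0 when both FIDO key types are accepted, 1 otherwise.
sshd_accepts_sk_keys() {
    types=",$(sshd_sk_types "$1"),"
    case "$types" in *,sk-ecdsa-sha2-nistp256@openssh.com,*) ;; *) return 1 ;; esac
    case "$types" in *,sk-ssh-ed25519@openssh.com,*) return 0 ;; *) return 1 ;; esac
}

# Print the number of FIDO (sk-*) keys in an authorized_keys file. An options
# prefix such as "no-pty" shifts the key-type field, so every field is tested.
count_sk_keys() {
    awk '!/^[[:space:]]*(#|$)/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^sk-(ecdsa-sha2-nistp256|ssh-ed25519)@openssh\.com$/) { n++; break }
         }
         END { print n + 0 }' "$1"
}

# Return 0 when a pam.d file has an uncommented line loading pam_u2f.so.
pam_u2f_enabled() {
    grep -Eq '^[[:space:]]*[^#[:space:]].*pam_u2f\.so' "$1"
}

# Return 0 when user $2 has at least one non-empty credential in mappings
# file $1 (assumed format: "user:keyhandle,pubkey[:keyhandle,pubkey...]").
user_has_u2f_mapping() {
    awk -F: -v u="$2" '$1 == u && $2 != "" { found = 1 } END { exit !found }' "$1"
}

# Run every check against one directory of files and print a summary.
audit() {
    dir="$1"; user="$2"
    sshd_accepts_sk_keys "$dir/sshd_config" && echo "sshd: sk key types accepted" \
        || echo "sshd: sk key types NOT accepted"
    echo "authorized_keys: $(count_sk_keys "$dir/authorized_keys") sk key(s)"
    pam_u2f_enabled "$dir/su" && echo "pam: pam_u2f.so enabled for su" \
        || echo "pam: pam_u2f.so commented out"
    user_has_u2f_mapping "$dir/u2f_mappings" "$user" && echo "mappings: $user has a token" \
        || echo "mappings: no token for $user"
}

audit "$SAMPLE_DIR" root
```

The useful part for a defender is the negative cases: a commented-out PubkeyAcceptedKeyTypes line or pam_u2f.so line, or a mappings entry with no credential, all leave the system silently falling back to whatever came before, so each check reports on the effective setting rather than on the presence of the string anywhere in the file.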
