Re: OpenSSH FIDO (Nitrokey) support (Was: Re: OpenBSD insecurity rumors from isopenbsdsecu.re)

2020-05-13 Thread info
Btw, thanks for this site link, maybe something like:

https://web.archive.org/web/20200513115537/https://undeadly.org/cgi?action=article&sid=20190302235509

could work.

> On Wed, May 13, 2020 at 12:59:26PM +0200, i...@aulix.com wrote:
> 
>> Thanks for your suggestion,
>>
>> but googling for keys: +openbsd +nitrokey
>>
>> does not indicate anything interesting except a few of my own questions on 
>> the Nitrokey support forum.
> 
> I had to look up "Nitrokey" to verify that it was what I thought it was, but
> that had me do a quick search for "OpenSSH FIDO support", which turned up
> among other things this article:
> https://undeadly.org/cgi?action=article;sid=20191115064850 as well as a
> number of blog posts and HOWTO-ish pieces that seem to indicate that quite
> likely the combination would work.
> 
> I haven't tried the thing myself, but you should be able to find the same
> stuff I did on the web. Then you could probably find a way to test with an
> OpenBSD setup in a way that does not break things too horribly in case
> anything fails.
> 
> All the best,
> 
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: OpenSSH FIDO (Nitrokey) support (Was: Re: OpenBSD insecurity rumors from isopenbsdsecu.re)

2020-05-13 Thread info
Thanks for the suggestion, I have already seen it and even contacted SSH
developer Damien Miller regarding FIDO key support a few weeks ago.

What I am looking for right now is something different: whether
ssh-pkcs11-helper works with the SSHD daemon on OpenBSD to store its server
private key in a general Nitrokey Pro 2 (not HSM).

Btw, I am going to use several client-side dongles at once for a single SSH
session, like Rutoken ECP2, FIDO2, and Nitrokey Pro 2 only on the server yet.


> On Wed, May 13, 2020 at 12:59:26PM +0200, i...@aulix.com wrote:
> 
>> Thanks for your suggestion,
>>
>> but googling for keys: +openbsd +nitrokey
>>
>> does not indicate anything interesting except a few of my own questions on 
>> the Nitrokey support forum.
> 
> I had to look up "Nitrokey" to verify that it was what I thought it was, but
> that had me do a quick search for "OpenSSH FIDO support", which turned up
> among other things this article:
> https://undeadly.org/cgi?action=article;sid=20191115064850 as well as a
> number of blog posts and HOWTO-ish pieces that seem to indicate that quite
> likely the combination would work.
> 
> I haven't tried the thing myself, but you should be able to find the same
> stuff I did on the web. Then you could probably find a way to test with an
> OpenBSD setup in a way that does not break things too horribly in case
> anything fails.
> 
> All the best,
> 
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



OpenSSH FIDO (Nitrokey) support (Was: Re: OpenBSD insecurity rumors from isopenbsdsecu.re)

2020-05-13 Thread Peter N. M. Hansteen
On Wed, May 13, 2020 at 12:59:26PM +0200, i...@aulix.com wrote:
> Thanks for your suggestion, 
> 
> but googling for keys: +openbsd +nitrokey
> 
> does not indicate anything interesting except a few of my own questions on 
> the Nitrokey support forum.

I had to look up "Nitrokey" to verify that it was what I thought it was, but
that had me do a quick search for "OpenSSH FIDO support", which turned up
among other things this article:
https://undeadly.org/cgi?action=article;sid=20191115064850 as well as a
number of blog posts and HOWTO-ish pieces that seem to indicate that quite
likely the combination would work.

I haven't tried the thing myself, but you should be able to find the same
stuff I did on the web. Then you could probably find a way to test with an
OpenBSD setup in a way that does not break things too horribly in case
anything fails.

All the best,

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.