Re: OpenSSH U2F/FIDO support in base

2019-11-24 Thread Christian Weisgerber 
Ross L Richardson:

> Question: Given that the private key file contains only a "key handle",
> what's the significance of setting a passphrase for it?  Is there enough
> information in it for that to be considered a "factor" in multi-factor auth?

TL;DR: In practice, yes.

A U2F authenticator does not hold a single key pair.  Instead it
can issue numerous authentication key pairs.  The handle is required
so the authenticator can retrieve the relevant private key.  How
exactly it does this is up to the implementor.

Each time a key pair is requested, an authenticator could stash the
private key in an array in internal storage and return a simple
index as key handle.  This would allow all private key indices to
be enumerated.  An attacker in possession of both the authenticator
and the public key could re-create the key handle by trying all
private keys until finding the one matching the public key.

A different approach allows supporting an unlimited number of key
pairs without requiring any internal storage.  The authenticator
can use a device-internal secret and the key handle to rederive the
private key each time a signature is requested.  For instance, the
key handle could contain the actual private key encrypted with the
authenticator's master key.  This is explicitly mentioned in the
U2F spec.  In such a case, possession of the authenticator alone
would be worthless without the SSH private key file.

I expect the latter scheme to be the norm, but I can't be certain
what kind of U2F authenticators are out there.  The key handle
returned by the Yubico Security Key is a 64-byte blob.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de

Re: OpenSSH U2F/FIDO support in base

2019-11-24 Thread Ross L Richardson 
On Fri, Nov 15, 2019 at 08:45:23AM +1100, Damien Miller wrote:
> Hi,
>[...]
> Please test this thoroughly - it's a big change that we want to have
> stable before the next release.
> 
> -d
> 

Works well for me with an old (ECDSA-SK-only) Yubico Security Key.

Observation: I guess it's unavoidable, but the behaviour of the "Confirm
user presence" [ssh-askpass] dialog seems a little odd, insomuch as
"Cancel" has the same effect as "OK" (AFAICT).

Question: Given that the private key file contains only a "key handle",
what's the significance of setting a passphrase for it?  Is there enough
information in it for that to be considered a "factor" in multi-factor auth?

Thanks,
Ross

Re: OpenSSH U2F/FIDO support in base

2019-11-20 Thread Daniel Jakots 
On Fri, 15 Nov 2019 08:45:23 +1100 (AEDT), Damien Miller
 wrote:

> Please test this thoroughly - it's a big change that we want to have
> stable before the next release.

Tested with a Solo key. Initially it had the firmware 2.0.0 and it
didn't work but updating to 3.0.0 made it work.

Cheers,
Daniel

Re: OpenSSH U2F/FIDO support in base

2019-11-16 Thread Greg Steuck 
Testing as requested on amd64:
OpenBSD 6.6-current (GENERIC.MP) #467: Fri Nov 15 11:40:42 MST 2019
Using:
uhidev0 at uhub0 port 4 configuration 1 interface 0 "Yubico Security
Key by Yubico" rev 2.00/4.27 addr 7

Auth is working great with the key plugged in. With the key missing
the error reporting is somewhat suboptimal:

% ssh localhost
Confirm user presence for key ECDSA-SK
SHA256:25FkQCOsI334w5FTpWWm/djRUVhcqVFKhzS4GPnH/FQ
sign_and_send_pubkey: signing failed: unexpected internal error
greg@localhost: Permission denied (publickey,keyboard-interactive).

Waiting for the user to plug (one of?) the keys in would be awesome
provided enough API flexibility exists for that to work.

Thanks
Greg
-- 
nest.cx is Gmail hosted, use PGP: https://pgp.key-server.io/0x0B1542BD8DF5A1B0
Fingerprint: 5E2B 2D0E 1E03 2046 BEC3  4D50 0B15 42BD 8DF5 A1B0

OpenSSH U2F/FIDO support in base

2019-11-14 Thread Damien Miller 
Hi,

I just committed all the dependencies for OpenSSH security key (U2F)
support to base and tweaked OpenSSH to use them directly. This means
there will be no additional configuration hoops to jump through to use
U2F/FIDO2 security keys.

Hardware backed keys can be generated using "ssh-keygen -t ecdsa-sk"
(or "ed25519-sk" if your token supports it). Many tokens require to be
touched/tapped to confirm this step.

You'll get a public/private keypair back as usual, except in this case,
the private key file does not contain a highly-sensitive private key but
instead holds a "key handle" that is used by the security key to derive
the real private key at signing time.

So, stealing a copy of the private key file without also stealing your
security key (or access to it) should not give the attacker anything.

Once you have generated a key, you can use it normally - i.e. add it to
an agent, copy it to your destination's authorized_keys files (assuming
they are running -current too), etc. At authentication time, you will be
prompted to tap your security key to confirm the signature operation -
this makes theft-of-access attacks against security keys more difficult
too.

Please test this thoroughly - it's a big change that we want to have
stable before the next release.

-d