freebsd-nq/tools
Ed Maste e9a994639b ssh: enable FIDO/U2F keys
Description of FIDO/U2F support (from OpenSSH 8.2 release notes,
https://www.openssh.com/txt/release-8.2):

  This release adds support for FIDO/U2F hardware authenticators to
  OpenSSH. U2F/FIDO are open standards for inexpensive two-factor
  authentication hardware that are widely used for website
  authentication.  In OpenSSH FIDO devices are supported by new public
  key types "ecdsa-sk" and "ed25519-sk", along with corresponding
  certificate types.

  ssh-keygen(1) may be used to generate a FIDO token-backed key, after
  which they may be used much like any other key type supported by
  OpenSSH, so long as the hardware token is attached when the keys are
  used. FIDO tokens also generally require the user explicitly
  authorise operations by touching or tapping them.

  Generating a FIDO key requires the token be attached, and will
  usually require the user tap the token to confirm the operation:

    $ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
    Generating public/private ecdsa-sk key pair.
    You may need to touch your security key to authorize key generation.
    Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk
    Your public key has been saved in /home/djm/.ssh/id_ecdsa_sk.pub

  This will yield a public and private key-pair. The private key file
  should be useless to an attacker who does not have access to the
  physical token. After generation, this key may be used like any
  other supported key in OpenSSH and may be listed in authorized_keys,
  added to ssh-agent(1), etc. The only additional stipulation is that
  the FIDO token that the key belongs to must be attached when the key
  is used.

To enable FIDO/U2F support, this change regenerates ssh_namespace.h,
adds ssh-sk-helper, and sets ENABLE_SK_INTERNAL (unless building
WITHOUT_USB).

devd integration is not included in this change, and is under
investigation for the base system.  In the interim the security/u2f-devd
port can be installed to provide appropriate devd rules.

Reviewed by:	delphij, kevans
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32509
2021-11-04 13:01:44 -04:00
..
boot CI: add arm64 support to ci-qemu-test.sh 2021-06-26 14:26:41 -04:00
bsdbox ncurses: only keep the version with widechar support 2021-01-05 14:01:32 +01:00
build ssh: enable FIDO/U2F keys 2021-11-04 13:01:44 -04:00
bus_space
coccinelle copystr(9): Move to deprecate (attempt #2) 2020-05-25 16:40:48 +00:00
debugscripts since kld_deb.py was removed a while back, this script isn't useful 2020-08-11 22:33:56 +00:00
diag The fsdb(8) utility uses the fsck_ffs(8) disk I/O interfaces, so 2020-09-19 20:06:12 +00:00
ifnet
kerneldoc Retire obsolete iscsi_initiator(4) 2021-10-26 16:17:35 -04:00
LibraryReport
lua Move ifconfig SFP status functionality into libifconfig 2020-08-09 16:27:28 +00:00
pkgbase Add pkgbase METALOG parse/check tool 2020-05-10 16:11:19 +00:00
regression Fix a few typos in source code comments 2021-08-14 09:39:17 +02:00
sched
test stress2: Added a regression test 2021-10-29 09:04:49 +00:00
tools crypto: Support Chacha20-Poly1305 with a nonce size of 8 bytes. 2021-10-06 14:08:49 -07:00
uma/smrstress Fix the smrstress build after r358400. 2020-08-05 17:26:20 +00:00
install.sh
make_libdeps.sh
README
tinder.sh

$FreeBSD$

This directory tree contains tools used for the maintenance and
testing of FreeBSD.  There is no toplevel Makefile structure since
these tools are not meant to be built as part of the standard system,
though there may be individual Makefiles in some of the subdirs.

Please read the README files in the subdirs for further information.