tigernero
Posts: 237
Joined: Fri Dec 30, 2016 5:51 pm

openssh 8.2 enables u2f / fido2 tokens

Sat Feb 15, 2020 7:50 pm

I am a happy owner of 2 yubico u2f / fido2 keys and the idea of being able to use them to authenticate myself on my ssh session drives me crazy with joy.

On raspbian we are stuck at release 7.9.

When will 8.2 be released on Valentine's Day?

Is there a way to manually update raspbian openssh? Thanks to who will answer me.

Source:

https://www.openssh.com/txt/release-8.2

tpyo kingg
Posts: 996
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: openssh 8.2 enables u2f / fido2 tokens

Sat Feb 15, 2020 8:30 pm

There doesn't seem to be a buster-backports repository for Raspbian, and upstream in Debian the buster-backports repository does not seem to have the package OpenSSH-server ... at least not yet.

So that would leave building it from source using apt-src. However, there does not seem to be a source package for it in the Raspbian repository, and the OpenPGP keys are missing from Raspbian for the plain Debian sources. Otherwise it might be possible to drop in the new tar ball and finish the build.

I've tested the FIDO keys on OpenBSD already and it is dreadfully simple to implement. So the hard part will be getting OpenSSH 8.2p into Raspbian.

tigernero
Posts: 237
Joined: Fri Dec 30, 2016 5:51 pm

Re: openssh 8.2 enables u2f / fido2 tokens

Sat Feb 15, 2020 8:37 pm

I managed to implement u2f/fido at raspbian login and yubico OTP always at raspbian login.

Yubico OTP provides online validation with their server so I can remotely access raspbian by logging in with vnc and yubico OTP like 2fa.

I have to understand through the PAM libraries how to do for ssh arm.

But with 8.2 I read that it would work a bit like public and private key certificates.

tpyo kingg
Posts: 996
Joined: Mon Apr 09, 2018 5:26 pm
Location: N. Finland

Re: openssh 8.2 enables u2f / fido2 tokens

Sun Feb 16, 2020 5:24 am

Yes, the instructions in the release notes you link to in your post above work (on systems with OpenSSH 8.2) and are very easy to follow. It is like making a normal SSH key pair except for the key type and the need to touch the hardware token once to finish the process. I can't say about SSH certificates and FIDO but presume that it is like it was before but with similar changes. PAM is better than what was earlier but is still not pleasant or easy or fully standardized.

Paapaa
Posts: 3
Joined: Sat Aug 18, 2018 6:37 pm

Re: openssh 8.2 enables u2f / fido2 tokens

Wed Feb 10, 2021 6:10 pm

Any progress regarding openssh 8.2 for Raspbian? I'd love to be able to use an ed25519-sk key for ssh connections. I.e. a key which would require my yubikey to be plugged in for 2FA when connecting.

fruitoftheloom
Posts: 27225
Joined: Tue Mar 25, 2014 12:40 pm

Re: openssh 8.2 enables u2f / fido2 tokens

Wed Feb 10, 2021 6:36 pm

Paapaa wrote:
Wed Feb 10, 2021 6:10 pm
Any progress regarding openssh 8.2 for Raspbian? I'd love to be able to use an ed25519-sk key for ssh connections. I.e. a key which would require my yubikey to be plugged in for 2FA when connecting.

A lot changes in a year :?


If you have an ARMv8 Raspberry Pi then you could run Raspberry Pi ARM64 Beta Testing Operating System and as it is based on Debian Buster ARM64 you could use Backports:

https://packages.debian.org/source/bust ... ts/openssh

http://downloads.raspberrypi.org/raspio ... 020-08-24/
Take what I advise as advice not the utopian holy grail, and it is gratis !!

Paapaa
Posts: 3
Joined: Sat Aug 18, 2018 6:37 pm

Re: openssh 8.2 enables u2f / fido2 tokens

Wed Feb 10, 2021 8:21 pm

fruitoftheloom wrote:
Wed Feb 10, 2021 6:36 pm
A lot changes in a year :?


If you have an ARMv8 Raspberry Pi then you could run Raspberry Pi ARM64 Beta Testing Operating System and as it is based on Debian Buster ARM64 you could use Backports:

https://packages.debian.org/source/bust ... ts/openssh

http://downloads.raspberrypi.org/raspio ... 020-08-24/
Thanks for the tip: it actually worked! I used the Raspios version I already had:

https://downloads.raspberrypi.org/raspi ... 021-01-12/

So no need to reinstall anything. This is what I did:
  • added Backports to sources.list file
  • added the missing public keys as complained after running apt update using apt-key adv --keyserver keyserver.ubuntu.com --recv-keys [ID] command
  • installed openssh-sftp-server/buster-backports (required by openssh-server)
  • installed openssh-server/buster-backports
  • added the ed25519-sk key to my authorized_keys
And it worked just fine. I.e. I now need to have my Yubikey plugged in and I need to tap it to be able to SSH to the Raspberry.
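
Two checks that go with the steps in the post above, as an added example that is not part of the original post: whether the installed OpenSSH is new enough for `-sk` keys, and whether `authorized_keys` still holds keys that log in without the token. The function names and the sample file content are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Sample data below is constructed.

# Succeed if an "ssh -V 2>&1" style version string is OpenSSH 8.2 or newer,
# the first release with the FIDO/U2F ("-sk") key types.
supports_sk() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    set -- $ver
    [ "$1" -gt 8 ] || { [ "$1" -eq 8 ] && [ "$2" -ge 2 ]; }
}

# Print "<line-number> <key-type>" for every authorized_keys entry that is
# not a hardware-backed sk-* key. sshd accepts any listed key, so such a
# line still allows login without the token. Fields are split on blanks,
# so options containing quoted spaces are handled only approximately.
non_sk_keys() {
    awk '
        /^[ \t]*#/ { next }
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(sk-)?(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))(@openssh\.com)?$/) {
                    if ($i !~ /^sk-/) print NR, $i
                    break
                }
        }' "$@"
}

# Constructed sample authorized_keys content; key blobs are placeholders.
sample_keys() {
    cat <<'EOF'
# laptop key from before the upgrade
ssh-ed25519 AAAAC3PLACEHOLDER user@laptop
sk-ssh-ed25519@openssh.com AAAAGnPLACEHOLDER user@yubikey
from="192.0.2.0/24" sk-ecdsa-sha2-nistp256@openssh.com AAAAInPLACEHOLDER user@backup
EOF
}

sample_keys | non_sk_keys
```

On a real system, run `non_sk_keys ~/.ssh/authorized_keys`; any line it reports is a key that still works with the token unplugged.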

fruitoftheloom
Posts: 27225
Joined: Tue Mar 25, 2014 12:40 pm

Re: openssh 8.2 enables u2f / fido2 tokens

Wed Feb 10, 2021 8:51 pm

Paapaa wrote:
Wed Feb 10, 2021 8:21 pm
fruitoftheloom wrote:
Wed Feb 10, 2021 6:36 pm
A lot changes in a year :?


If you have an ARMv8 Raspberry Pi then you could run Raspberry Pi ARM64 Beta Testing Operating System and as it is based on Debian Buster ARM64 you could use Backports:

https://packages.debian.org/source/bust ... ts/openssh

http://downloads.raspberrypi.org/raspio ... 020-08-24/
Thanks for the tip: it actually worked! I used the Raspios version I already had:

https://downloads.raspberrypi.org/raspi ... 021-01-12/

So no need to reinstall anything. This is what I did:
  • added Backports to sources.list file
  • added the missing public keys as complained after running apt update using apt-key adv --keyserver keyserver.ubuntu.com --recv-keys [ID] command
  • installed openssh-sftp-server/buster-backports (required by openssh-server)
  • installed openssh-server/buster-backports
  • added the ed25519-sk key to my authorized_keys
And it worked just fine. I.e. I now need to have my Yubikey plugged in and I need to tap it to be able to SSH to the Raspberry.


Good it worked but as RaspiOS32 is based on Raspbian and a recompiled version of Debian ARMv7 ARMHF, to be compatible with ARMv6 / v7 / V8, using pure Debian can sometimes cause issues due to conflicts with Raspbian packages.


That is why I run RaspiOS64 not RaspiOS32.