
#12001 Add OpenSSH FIDO2 security key support for server-side auth #12002

Draft
wants to merge 3 commits into trunk

Conversation

@adiroiban (Member) commented Sep 24, 2023

Scope and purpose

Fixes #12001

This is a draft / prototype

I just created this code to see if someone else is interested in this feature.

How to test

With a YubiKey 5 (or any key supporting FIDO2; the old ones don't work), generate a new security key via your OpenSSH client.

ssh-keygen -t ecdsa-sk -O resident -O application=ssh:ecdsa-fido2-test

You will end up with a private key reference (not the full private key) file and a public key file.

Add the public key file to Twisted SSH example server.

Start the server, then connect with the OpenSSH client like this:

# clean ssh hosts
ssh-keygen -f ~/.ssh/known_hosts -R "[localhost]:5022"
# try to connect
# OpenSSH will prompt to touch the security key
# Twisted SSH server will not prompt for password
ssh -p 5022 -i ~/.ssh/id_ecdsa_sk user@localhost

Todo

  • Cleanup the code
  • Break into separate PR...maybe one in which keys.Key() has support to load public keys from string and blob
  • Create a separate PR to generate an SSH key or see if we can have this done in cryptography
  • Add tests

@adiroiban adiroiban marked this pull request as draft September 24, 2023 23:05
@adiroiban (Member Author)

I have created this PR as a POC.

If anyone is interested in this, please add a comment and we can discuss the design and I would be happy to continue with breaking the PR into smaller parts... for example just update the example documentation to make it as easy as possible to run a demo SSH server... or the API to generate SSH keys on the fly without going via src/twisted/conch/scripts/ckeygen.py

@simonepelosi

I'm very happy to help with this :) but I'm a new contributor, so let me know if I can start from that

@adiroiban (Member Author)

Hi @simonepelosi I think the most important part of this is to make sure the changes look good

I think that looking at the example file from the docs is a good start.

Being a new contributor can help a lot, as you might be able to provide some fresh info about the quality of our examples.

I am already quite familiar with the Twisted SSH server and I am not sure which part is not clear, which is missing

Also, I think that you can start by testing this branch with your FIDO2 key.
I have tested it with a 5th gen USB-C mini YubiKey.


I plan to break this into multiple PRs and have it merged in that way

For example, have a separate PR to update just the example server, as that part is not really related to security keys

@simonepelosi

Thank you @adiroiban, I will start reading docs and examples and giving info (if possible) about the quality of your examples!

I'm still waiting for my OnlyKey hardware, thus at moment I don't have a FIDO2 key unfortunately

@simonepelosi

@adiroiban Hey! My first delivery was lost, I reordered my OnlyKey hardware this week. I'm still interested in contributing :)

@adiroiban (Member Author)

Hi Simone. thanks for your interest in this PR.

You can start by giving the code from this PR a try and see if it works for you.

Next, I need to create smaller PRs to clean up the code, document the key format and add automated tests... and for that I need someone to review the code.

Cheers

@simonepelosi

Hey! Sure, I received my hardware today so I can start to test the code properly and I'll let you know

@simonepelosi commented Feb 29, 2024

I tested it with my OnlyKey hardware following the steps you mentioned with little changes:

I used the following command to generate the key with the OnlyKey hardware. I used a different algorithm (ed25519-sk) since the one @adiroiban mentioned (ecdsa-sk) didn't work well with my hardware.

ssh-keygen -t ed25519-sk -O resident -f ~/.ssh/id_mykey_sk

Then I used the command you mentioned to connect to the local Twisted SSH instance and this is the output:

2024-02-29 09:59:49+0100 [-] Log opened.
2024-02-29 09:59:49+0100 [-] ExampleFactory starting on 5022
2024-02-29 09:59:49+0100 [-] Starting factory <__main__.ExampleFactory object at 0x7f82e8474fd0>
2024-02-29 09:59:57+0100 [-] kex alg=b'curve25519-sha256' key alg=b'rsa-sha2-512'
2024-02-29 09:59:57+0100 [-] outgoing: b'aes128-ctr' b'hmac-sha2-256' b'none'
2024-02-29 09:59:57+0100 [-] incoming: b'aes128-ctr' b'hmac-sha2-256' b'none'
2024-02-29 09:59:59+0100 [-] NEW KEYS
2024-02-29 09:59:59+0100 [-] starting service b'ssh-userauth'
2024-02-29 09:59:59+0100 [-] b'user' trying auth b'none'
2024-02-29 09:59:59+0100 [-] b'user' trying auth b'publickey'
2024-02-29 10:00:02+0100 [-] b'user' trying auth b'publickey'
2024-02-29 10:00:02+0100 [-] b'user' authenticated with b'publickey'
2024-02-29 10:00:02+0100 [-] starting service b'ssh-connection'
2024-02-29 10:00:02+0100 [-] got channel b'session' request
2024-02-29 10:00:02+0100 [-] channel open
2024-02-29 10:00:02+0100 [-] Handling pty request: b'xterm-256color' (43, 144, 0, 0)
2024-02-29 10:00:02+0100 [-] Getting shell

I'm able to connect using my FIDO2 key; the test suite is also working nicely locally.

@adiroiban (Member Author) commented Feb 29, 2024

Hi. It looks good.

I don't know when I will have time to work on this code, clean up the code, write automated tests... etc.

I have looked at this as a weekend toy project.

If you want to see this implemented in twisted, I can help with the review.

Also, we can break this into 3 separate issues/PR:

  • Update the server example to make it easy to provide your authorized public key file.
  • Update keys.py file to load/read a security-key from BLOB format and add tests
  • Update userauth.py and add tests

The example change would be to allow reading the public key from an external file, so that you don't have to modify the .py source file

@simonepelosi

Hey! It makes sense, I'm really happy to help with that if you want 💪🏽

@adiroiban Do you have suggestions on how I can start with that?

@adiroiban (Member Author)

Hi. You can start by creating a new GitHub issue dedicated to updating the example

The current example from trunk reads the authorized_keys from a static path CLIENT_RSA_PUBLIC = "ssh-keys/client_rsa.pub"
It would be nice to either pass the path or maybe the content of the authorized public key at the command line.

The example from this PR automatically generates a server host key, so it is more self-contained

After the ticket is created you can create a PR, starting with the code from this PR... or feel free to add any improvement to the example server

The idea is to get used to the Twisted dev process and review process

Thanks

@simonepelosi

Thank you a lot @adiroiban ! I will do it as soon as I have a free time

Successfully merging this pull request may close these issues.

Add support for FIDO2 pubkey auth for SSH server