#12001 Add OpenSSH FIDO2 security key support for server-side auth #12002
base: trunk
Conversation
I have created this PR as a POC. If anyone is interested in this, please add a comment and we can discuss the design and I would be happy to continue with breaking the PR into smaller parts... for example just update the example documentation to make it as easy as possible to run a demo SSH server... or the API to generate SSH keys on the fly without going via src/twisted/conch/scripts/ckeygen.py
I'm very happy to help with this :) but I'm a new contributor, so let me know if I can start from that
Hi @simonepelosi. I think the most important part of this is to make sure the changes look good. I think that looking at the example file from the docs is a good start. Being a new contributor can help a lot, as you might be able to provide some fresh info about the quality of our examples. I am already quite familiar with the Twisted SSH server and I am not sure which part is not clear, which is missing. Also, I think that you can start by testing this branch with your FIDO2 key. I plan to break this into multiple PRs and have it merged in that way. For example, have a separate PR to update just the example server, as that part is not really related to security keys.
Thank you @adiroiban, I will start reading docs and examples and giving info (if possible) about the quality of your examples! I'm still waiting for my OnlyKey hardware, thus at the moment I don't have a FIDO2 key unfortunately
@adiroiban Hey! My first delivery was lost, I reordered my OnlyKey hardware this week. I'm still interested in contributing :)
Hi Simone, thanks for your interest in this PR. You can start by giving the code from this PR a try and see if it works for you. Next, I need to create smaller PRs to clean up the code, document the key format and add automated tests... and for that I need someone to review the code. Cheers
Hey! Sure, I received my hardware today so I can start to test the code properly and I'll let you know |
I tested it with my OnlyKey hardware following the steps you mentioned with a few changes: I used the following command to generate the key with OnlyKey hardware, I used a different algorithm (
Then I used the command you mentioned to connect to the local twisted ssh instance and this is the output:
I'm able to connect using my FIDO2 key, and the test suite is also working nicely locally.
Hi. It looks good. I don't know when I will have time to work on this code, clean up the code, write automated tests... etc. I have looked at this as a weekend toy project. If you want to see this implemented in twisted, I can help with the review. Also, we can break this into 3 separate issues/PR:
The example change would be to allow reading the public key from an external file, so that you don't have to modify the .py source file
Hey! It makes sense, I'm really happy to help with that if you want 💪🏽 @adiroiban Do you have suggestions on how I can start with that?
Hi. You can start by creating a new GitHub issue dedicated to updating the example. The current example from trunk reads the authorized_keys from a static path. The example from this PR automatically generates a server host key, so it is more self-contained. After the ticket is created you can create a PR, starting with the code from this PR... or feel free to add any improvement to the example server. The idea is to get used to the Twisted dev process and review process. Thanks
Thank you a lot @adiroiban! I will do it as soon as I have free time
Scope and purpose
Fixes #12001
This is a draft / prototype
I just created this code to see if someone else is interested in this feature.
How to test
With a Yubikey 5 (or one supporting FIDO2, the old ones don't work) generate a new Security key via your OpenSSH client.
ssh-keygen -t ecdsa-sk -O resident -O application=ssh:ecdsa-fido2-test
You will end up with a private key reference (not the full private key) file and a public key file.
Add the public key file to Twisted SSH example server.
Start the server and then using OpenSSH client you can just use it as
Todo
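The key generated above is an sk-ecdsa-sha2-nistp256@openssh.com key, whose public blob carries the application string (here ssh:ecdsa-fido2-test) and whose signatures wrap an extra flags byte and counter, per OpenSSH's PROTOCOL.u2f. As an added example that is not part of this PR or of Twisted, the following parses such an authorized_keys line, builds the exact bytes the ECDSA check must cover on the server side, and applies the touch-required and counter policy a server could enforce (the counter check is optional policy, not something OpenSSH's sshd tracks); the sample key point is constructed and not a real key.

```python
import base64
import hashlib
import struct

SK_ECDSA = b"sk-ecdsa-sha2-nistp256@openssh.com"
FLAG_USER_PRESENT = 0x01  # set when the authenticator confirmed a touch


def _read_string(buf, off):
    """Read one SSH 'string' (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def _put_string(b):
    return struct.pack(">I", len(b)) + b


def parse_sk_pubkey(line):
    """Decode an authorized_keys line holding an sk-ecdsa key into its fields."""
    keytype, b64 = line.split()[:2]
    blob, off, fields = base64.b64decode(b64), 0, []
    for _ in range(4):  # type, curve, EC point, application
        value, off = _read_string(blob, off)
        fields.append(value)
    ktype, curve, point, app = fields
    if off != len(blob) or ktype != SK_ECDSA or keytype.encode() != ktype:
        raise ValueError("malformed or unsupported key blob")
    if curve != b"nistp256" or len(point) != 65 or point[0] != 0x04:
        raise ValueError("expected an uncompressed P-256 point")
    if not app.startswith(b"ssh:"):  # OpenSSH rejects other application prefixes
        raise ValueError("application string must start with 'ssh:'")
    return {"curve": curve.decode(), "point": point, "application": app.decode()}


def sk_signed_data(application, flags, counter, session_data):
    """Bytes the ECDSA signature covers: sha256(app) || flags || counter || sha256(data)."""
    return (hashlib.sha256(application.encode()).digest() + bytes([flags])
            + struct.pack(">I", counter) + hashlib.sha256(session_data).digest())


def sk_policy_ok(flags, counter, last_counter=None, touch_required=True):
    """Checks beyond the ECDSA math: touch flag and, if tracked, a strictly increasing counter."""
    if touch_required and not flags & FLAG_USER_PRESENT:
        return False
    return last_counter is None or counter > last_counter


# Constructed sample (hypothetical key): all-0x11 point, application from the ssh-keygen call above.
SAMPLE_LINE = SK_ECDSA.decode() + " " + base64.b64encode(
    _put_string(SK_ECDSA) + _put_string(b"nistp256")
    + _put_string(b"\x04" + b"\x11" * 64) + _put_string(b"ssh:ecdsa-fido2-test")).decode()
```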