bake your own security key
This guide shows how to create a FIDO Security Key with OpenSK and a Makerdiary nRF52840 MDK USB Dongle.
Flash OpenSK on the Makerdiary nRF52840 Security Key
apt install libffi-dev
- install rust
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source $HOME/.cargo/env
exec $SHELL
- install pyenv (only once)
curl https://pyenv.run | bash
- add to ~/.bashrc
export PATH="/home/mtron/.pyenv/bin:$PATH"
eval "$(pyenv init -)"
eval "$(pyenv virtualenv-init -)"
- install python version
pyenv install 3.8.3
pyenv global 3.8.3
- install python modules
pip install tockloader
pip install six
pip install intelhex
pip install colorama
pip install nrfutil
- prepare OpenSK
cd work
git clone https://github.com/google/OpenSK.git
cd OpenSK/
./setup.sh
echo $PATH
sudo -s
source /home/mtron/.bashrc
PATH="/home/mtron/.pyenv/plugins/pyenv-virtualenv/shims:/home/mtron/.pyenv/shims:/home/mtron/.pyenv/bin:/home/mtron/.cargo/bin:/home/mtron/.cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin"
After the setup.sh step your generated keys are in the crypto_data subfolder. If desired, replace them before flashing.
- build TockOS and the OpenSK app and flash them to the stick
./deploy.py --board nrf52840_mdk_dfu --opensk --programmer nordicdfu
Add udev Rule
Re-plug the stick and run dmesg. You will see output like:
[ 7339.418757] hid-generic 0003:1915:521F.0007: hiddev0,hidraw3: USB HID v1.10 Device [Nordic Semiconductor ASA OpenSK] on usb-0000:00:14.0-12/input0
Now create a udev rule:
vim /etc/udev/rules.d/55-opensk.rules
SUBSYSTEM=="hidraw", SUBSYSTEMS=="usb", ATTRS{idVendor}=="1915", ATTRS{idProduct}=="521f", ATTRS{product}=="OpenSK", MODE="0660", GROUP="logindev", TAG+="uaccess"
Test the key
https://demo.yubico.com/webauthn-technical
Use the key for SSH
Requires OpenSSH > 8.2
If not available:
- install openssh portable
git clone https://github.com/openssh/openssh-portable.git --depth=1
cd openssh-portable
autoreconf
./configure --with-pam --with-security-key-builtin --prefix=/opt/openssh-portable
make -j 4
sudo checkinstall
- generate a public key for the security key on the client:
/opt/openssh-8.2/bin/ssh-keygen -t ecdsa-sk -C "$(hostname)-$(date +'%d-%m-%Y')-sk"
=> generates ~/.ssh/id_ecdsa_sk and ~/.ssh/id_ecdsa_sk.pub
- put the pubkey in authorized_keys on desthost
- adjust sshd options on desthost
vim /opt/openssh-8.2/etc/sshd_config
...
PubkeyAcceptedKeyTypes sk-ecdsa-sha2-nistp256@openssh.com
...
- start openssh server on desthost
sudo /opt/openssh-8.2/sbin/sshd -d -f /opt/openssh-8.2/etc/sshd_config -p 1225
- connect to desthost
/opt/openssh-8.2/bin/ssh -i ~/.ssh/id_ecdsa_sk -p 1225 <user>@<desthost>
Use the Key for PAM (sudo and Login)
- install the u2f pam module
sudo add-apt-repository ppa:yubico/stable && sudo apt update && sudo apt install libpam-u2f
- create the configuration folder for key storage:
mkdir ~/.config/Yubico
It is important that it is called Yubico exactly as here, because the pam module is hardcoded to use this location.
- register the key fingerprint with pam:
pamu2fcfg > ~/.config/Yubico/u2f_keys
or, to add another key:
pamu2fcfg -n >> ~/.config/Yubico/u2f_keys
- change the pam config file for sudo
sudo vim /etc/pam.d/sudo
Find a line near the beginning of the file that looks like:
@include common-auth
and add the following line right after it:
auth required pam_u2f.so
- change the pam config for desktop login
look for the pam config file called /etc/pam.d/gdm-password (if you use gdm for login) or /etc/pam.d/lightdm (if you use lightdm).
Add the line to that file the same way and at the same location as described above for sudo.
After this point you can log out of your desktop and then try to log in again.
Your login will fail if you do not have the key inserted in the USB port.
The key will blink after you have entered your password; you then need to press the button to be fully logged in to your desktop.
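Before logging out, it is worth checking that the udev rule and the PAM change above are in place, since a wrong pam_u2f line locks you out of sudo and the desktop. The script below is an added example, not part of the original guide or of OpenSK; it assumes the dmesg line has the hid-generic shape shown above, that the PAM file uses "@include common-auth" as on Debian/Ubuntu, and that GNU stat is available.

```shell
#!/bin/sh
# Added example, not from the original guide: sanity checks for the udev
# rule and the PAM setup. Assumptions: dmesg line of the form
# "hid-generic 0003:VVVV:PPPP.NNNN", PAM file with "@include common-auth",
# GNU stat (Linux).

# Derive the udev rule from a dmesg line. sysfs reports idVendor/idProduct
# as lowercase hex, so the IDs are lowercased (dmesg prints 521F, the rule
# needs 521f). Returns 1 if the line does not describe a hid-generic device.
udev_rule_from_dmesg() {
    ids=$(printf '%s\n' "$1" |
        sed -n 's/.*hid-generic [0-9A-Fa-f]*:\([0-9A-Fa-f]*\):\([0-9A-Fa-f]*\)\..*/\1 \2/p')
    [ -n "$ids" ] || return 1
    vendor=$(printf '%s' "${ids%% *}" | tr 'A-F' 'a-f')
    product=$(printf '%s' "${ids##* }" | tr 'A-F' 'a-f')
    printf 'SUBSYSTEM=="hidraw", SUBSYSTEMS=="usb", ATTRS{idVendor}=="%s", ATTRS{idProduct}=="%s", ATTRS{product}=="OpenSK", MODE="0660", GROUP="logindev", TAG+="uaccess"\n' "$vendor" "$product"
}

# Check that the PAM file $1 has "auth required pam_u2f.so" directly after
# "@include common-auth" (blank and comment lines ignored). The guide puts it
# there so the password is asked for first and the key press second.
pam_u2f_ok() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        after_include && $0 ~ /^auth[[:space:]]+required[[:space:]]+pam_u2f\.so/ { found = 1 }
        { after_include = ($0 ~ /^@include[[:space:]]+common-auth/) }
        END { exit !found }
    ' "$1"
}

# Check the pamu2fcfg output file $1: it must exist, be non-empty and not be
# writable by group or others, since whoever can edit it can enrol a key of
# their own for this account.
u2f_keys_ok() {
    [ -s "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1      # e.g. 600
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# Constructed sample with the same shape as the dmesg line in the guide.
SAMPLE_DMESG='[ 7339.418757] hid-generic 0003:1915:521F.0007: hiddev0,hidraw3: USB HID v1.10 Device [Nordic Semiconductor ASA OpenSK] on usb-0000:00:14.0-12/input0'
udev_rule_from_dmesg "$SAMPLE_DMESG"
```

On the real system, run `pam_u2f_ok /etc/pam.d/sudo && u2f_keys_ok ~/.config/Yubico/u2f_keys` from a shell you keep open while you test sudo in a second terminal.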