bake your own security key

This guide shows how to create a FIDO Security Key with OpenSK and a Makerdiary nRF52840 MDK USB Dongle.

Flash OpenSK on the Makerdiary nRF52840 Security Key

apt install libffi-dev

- install rust

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

source $HOME/.cargo/env

exec $SHELL

- install pyenv (only once)

curl https://pyenv.run | bash

- add to ~/.bashrc

export PATH="/home/mtron/.pyenv/bin:$PATH"

eval "$(pyenv init -)"

eval "$(pyenv virtualenv-init -)"

- install python version

pyenv install 3.8.3

pyenv global 3.8.3

- install python modules

pip install tockloader

pip install six

pip install intelhex

pip install colorama

pip install nrfutil

- prepare OpenSK

cd work

git clone https://github.com/google/OpenSK.git

cd OpenSK/

./setup.sh

echo $PATH

sudo -s

source /home/mtron/.bashrc

PATH="/home/mtron/.pyenv/plugins/pyenv-virtualenv/shims:/home/mtron/.pyenv/shims:/home/mtron/.pyenv/bin:/home/mtron/.cargo/bin:/home/mtron/.cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin"

After the setup.sh step your generated keys are in the crypto_data subfolder. If desired, replace them before flashing.

- build Tock OS and the OpenSK app and flash them to the stick

./deploy.py --board nrf52840_mdk_dfu --opensk --programmer nordicdfu

Add udev Rule

Re-plug the stick and run dmesg. You will see output like:

[ 7339.418757] hid-generic 0003:1915:521F.0007: hiddev0,hidraw3: USB HID v1.10 Device [Nordic Semiconductor ASA OpenSK] on usb-0000:00:14.0-12/input0

Now create a udev rule:

vim /etc/udev/rules.d/55-opensk.rules

SUBSYSTEM=="hidraw", SUBSYSTEMS=="usb", ATTRS{idVendor}=="1915", ATTRS{idProduct}=="521f", ATTRS{product}=="OpenSK", MODE="0660", GROUP="logindev", TAG+="uaccess"

Test the key

https://demo.yubico.com/webauthn-technical

Use the key for SSH

Requires OpenSSH 8.2 or newer

If not available:

- install openssh portable

git clone https://github.com/openssh/openssh-portable.git --depth=1

cd openssh-portable

autoreconf

./configure --with-pam --with-security-key-builtin --prefix=/opt/openssh-portable

make -j 4

sudo checkinstall

- generate public key for security key on client:

/opt/openssh-8.2/bin/ssh-keygen -t ecdsa-sk -C "$(hostname)-$(date +'%d-%m-%Y')-sk"

=> generates ~/.ssh/id_ecdsa_sk and ~/.ssh/id_ecdsa_sk.pub

- put the public key in authorized_keys on desthost

- adjust sshd options on desthost

vim /opt/openssh-8.2/etc/sshd_config

...

PubkeyAcceptedKeyTypes sk-ecdsa-sha2-nistp256@openssh.com

...

- start openssh server on desthost

sudo /opt/openssh-8.2/sbin/sshd -d -f /opt/openssh-8.2/etc/sshd_config -p 1225

- connect to desthost

/opt/openssh-8.2/bin/ssh -i ~/.ssh/id_ecdsa_sk -p 1225 <user>@<desthost>

Use the Key for PAM (sudo and Login)

- install the u2f pam module

sudo add-apt-repository ppa:yubico/stable && sudo apt update && sudo apt install libpam-u2f

- Create the configuration folder for the keys storage:

mkdir ~/.config/Yubico

It is important that the folder is called Yubico, exactly as shown, because the pam module is hardcoded to use this location.

- register the key fingerprint with pam:

pamu2fcfg > ~/.config/Yubico/u2f_keys

or, to add another key:

pamu2fcfg -n >> ~/.config/Yubico/u2f_keys

change the pam config file for sudo

sudo vim /etc/pam.d/sudo

Find a line near the beginning of the file that looks like:

@include common-auth

and add the following line right after it:

auth required pam_u2f.so

change pam config for desktop login

look for the pam config file of your display manager:

/etc/pam.d/gdm-password # if you use gdm for login

/etc/pam.d/lightdm # if you use lightdm

Add the line to that file the same way and in the same location as described above for sudo.

After this point you can log out of your desktop and then try to login again.

Your login will fail if you do not have the security key inserted in a USB port.

The key will blink after you enter your password; press its button to complete the desktop login.
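Because a wrong pam_u2f setup locks you out of sudo and the desktop login, here is an added check script (not part of the original guide) that verifies the two things the sudo and desktop-login steps above rely on: that "auth required pam_u2f.so" sits right after "@include common-auth", and that the u2f_keys file written by pamu2fcfg has a complete registration for your user. The sample files it writes are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not from the original guide: sanity-check the pam_u2f setup
# before logging out. Assumes the guide's layout ("@include common-auth"
# followed by "auth required pam_u2f.so") and pamu2fcfg's output format
# "user:keyhandle,pubkey[,...][:keyhandle,pubkey[,...]]".

# check_pam_order FILE: succeed only if the first non-comment, non-blank line
# after "@include common-auth" is the pam_u2f line. Stack order is prompt
# order, so pam_u2f placed before common-auth would ask for the key touch
# before the password.
check_pam_order() {
    awk '
        found && (/^[[:space:]]*#/ || /^[[:space:]]*$/) { next }
        found { if ($0 ~ /^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_u2f\.so/) ok = 1; exit }
        /^@include[[:space:]]+common-auth/ { found = 1 }
        END { if (ok) exit 0; exit 1 }
    ' "$1"
}

# check_u2f_keys FILE USER: succeed only if USER has at least one registration
# and every registration carries a non-empty key handle and public key.
check_u2f_keys() {
    awk -F: -v user="$2" '
        $1 == user {
            for (i = 2; i <= NF; i++) {
                if (split($i, f, ",") < 2 || f[1] == "" || f[2] == "") exit 1
                found = 1
            }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# write_samples DIR: constructed sample files with placeholder key material.
write_samples() {
    printf '%s\n' '#%PAM-1.0' '@include common-auth' 'auth required pam_u2f.so' \
        '@include common-account' > "$1/sudo.good"
    printf '%s\n' '#%PAM-1.0' 'auth required pam_u2f.so' '@include common-auth' \
        > "$1/sudo.bad"
    printf '%s\n' 'mtron:KEYHANDLE_PLACEHOLDER,PUBKEY_PLACEHOLDER,es256,+presence' \
        > "$1/u2f_keys"
}

dir=$(mktemp -d)
write_samples "$dir"
check_pam_order "$dir/sudo.good" && echo "sudo.good: pam_u2f is right after common-auth"
check_pam_order "$dir/sudo.bad" || echo "sudo.bad: pam_u2f is NOT right after common-auth"
check_u2f_keys "$dir/u2f_keys" mtron && echo "u2f_keys: registration found for mtron"
rm -rf "$dir"
```

To check the real files, run check_pam_order on /etc/pam.d/sudo (or your display manager's file) and check_u2f_keys on ~/.config/Yubico/u2f_keys with your own username.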