Yubico / python-fido2

Provides library functionality for FIDO 2.0, including communication with a device over USB.
BSD 2-Clause "Simplified" License

Update openbsd to use fido(4) instead of uhid(4) #87

Closed worr closed 4 years ago

worr commented 4 years ago

OpenBSD (6.6-current and beyond) introduced a fido(4) device which greatly eases discovery and usage of fido devices. Additionally, some of the ioctls required previously now require root privileges to execute on uhid(4) devices, while they do not require root on fido(4) devices.

The OpenBSD code never made it into a release, so rather than try to preserve compatibility, just convert in-place to use this new device.

Closes #85

nevun commented 4 years ago

Works for me on current.

OpenBSD 6.6-current (GENERIC) #613: Thu Feb  6 00:06:17 MST 2020
    deraadt@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
$ cd python-fido2/examples
$ python3 ./get_info.py  
CONNECT: CtapHidDevice(/dev/fido/0)
CTAPHID protocol version: 2
DEVICE INFO: Info(versions: ['U2F_V2', 'FIDO_2_0', 'FIDO_2_1_PRE'], extensions: ['credProtect', 'hmac-secret'], aaguid: h'f8a011f38c0a4d15800617111f9edc7d', options: {'rk': True, 'up': True, 'plat': False, 'clientPin': False, 'credentialMgmtPreview': True}, max_message_size: 1200, pin_protocols: [1], max_credential_count_in_list: 8, max_credential_id_length: 128, transports: ['nfc', 'usb'], algorithms: [{'alg': -7, 'type': 'public-key'}, {'alg': -8, 'type': 'public-key'}])
WINK sent!

$ ssh-keygen -vvvv -t ecdsa-sk                              
Generating public/private ecdsa-sk key pair.
You may need to touch your security key to authorize key generation.
debug3: start_helper: started pid=28345
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/libexec/ssh-sk-helper 
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x01, challenge len 0
debug1: sshsk_enroll: using random challenge
debug1: ssh_sk_enroll: using device /dev/fido/0
debug3: ssh_sk_enroll: attestation cert len=742
debug1: ssh-sk-helper: reply len 1062
debug3: ssh_msg_send: type 5
debug3: reap_helper: pid=28345
Enter file in which to save the key (/home/user/.ssh/id_ecdsa_sk): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/id_ecdsa_sk
Your public key has been saved in /home/user/.ssh/id_ecdsa_sk.pub
The key fingerprint is:
SHA256:rKH8vXM5Mxr5ixY8o0G2HC1U3d5o0gAxQYaGWCLACYM user@foo.localdomain
$

dainnilsson commented 4 years ago

Thanks!