
openssh: Add FIDO2 hardware token support

Version 8.2[0] added support for two new key types: "ecdsa-sk" and
"ed25519-sk". These two types enable the use of hardware tokens that
implement the FIDO (or FIDO2) standard as an authentication method for
SSH.

Since we're already on version 8.4 all we need to do is to explicitly enable
the support for hardware keys when compiling OpenSSH and add all the
missing dependencies OpenSSH requires.

OpenSSH depends on libfido2[1], to communicate with the FIDO devices
over USB. In turn, libfido2 depends on libcbor, a C implementation of
the CBOR protocol[2] and OpenSSL.

[0]: https://lwn.net/Articles/812537/
[1]: https://github.com/Yubico/libfido2
[2]: tools.ietf.org/html/rfc7049

Signed-off-by: Linos Giannopoulos <linosgian00@gmail.com>
lilik-openwrt-22.03
Linos Giannopoulos 4 years ago
parent
commit
855db864b0
2 changed files with 25 additions and 4 deletions
  1. +12
    -0
      net/openssh/Config.in
  2. +13
    -4
      net/openssh/Makefile

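--- a/net/openssh/Config.in
+++ b/net/openssh/Config.in
@@ -0,0 +1,12 @@
+if PACKAGE_openssh-server
+config OPENSSH_LIBFIDO2
+bool
+default y
+prompt "Include libfido2 support in openssh-server"
+help
+OpenSSH version 8.2 added two new ssh authentication methods,
+namely `ecdsa_sk` and `ed25519_sk`. These two methods make use
+of hardware keys that implement the FIDO and FIDO2 protocols.
+In order to use these two types, libfido2 is required.
+endif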
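Review bot: `default y` makes every openssh-server build pull in libfido2 and, per the commit message, libcbor, so images for devices that will never see a security key still carry the extra USB and CBOR handling code; `default n` would keep the feature opt-in. The help text spells the key types `ecdsa_sk` and `ed25519_sk`, while the commit message names them "ecdsa-sk" and "ed25519-sk", and the help should match what users actually type. The last help sentence also reads as if this option gates the key types themselves. As far as I know sshd can verify sk signatures without libfido2 and the library is only needed on the side that talks to the token, so that wording is worth confirming before it is relied on as a way to switch the feature off.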

+ 13
- 4
net/openssh/Makefile View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=openssh PKG_NAME:=openssh
PKG_VERSION:=8.4p1 PKG_VERSION:=8.4p1
PKG_RELEASE:=3
PKG_RELEASE:=4
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \ PKG_SOURCE_URL:=https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
@ -21,6 +21,10 @@ PKG_LICENSE_FILES:=LICENCE
PKG_CPE_ID:=cpe:/a:openssh:openssh PKG_CPE_ID:=cpe:/a:openssh:openssh
PKG_REMOVE_FILES:= PKG_REMOVE_FILES:=
PKG_CONFIG_DEPENDS := \
CONFIG_OPENSSH_LIBFIDO2
PKG_BUILD_DEPENDS += OPENSSH_LIBFIDO2:libfido2
include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/package.mk
@ -82,11 +86,15 @@ endef
define Package/openssh-server define Package/openssh-server
$(call Package/openssh/Default) $(call Package/openssh/Default)
DEPENDS+= +openssh-keygen
DEPENDS+= +openssh-keygen +OPENSSH_LIBFIDO2:libfido2
TITLE+= server TITLE+= server
USERID:=sshd=22:sshd=22 USERID:=sshd=22:sshd=22
endef endef
define Package/openssh-server/config
source "$(SOURCE)/Config.in"
endef
define Package/openssh-server/description define Package/openssh-server/description
OpenSSH server. OpenSSH server.
endef endef
@ -164,8 +172,9 @@ CONFIGURE_ARGS += \
--without-bsd-auth \ --without-bsd-auth \
--without-kerberos5 \ --without-kerberos5 \
--with-stackprotect \ --with-stackprotect \
--with$(if $(CONFIG_OPENSSL_ENGINE),,out)-ssl-engine
--with$(if $(CONFIG_OPENSSL_ENGINE),,out)-ssl-engine \
--with$(if $(CONFIG_OPENSSH_LIBFIDO2),,out)-security-key-builtin
ifeq ($(BUILD_VARIANT),with-pam) ifeq ($(BUILD_VARIANT),with-pam)
CONFIGURE_ARGS += \ CONFIGURE_ARGS += \
--with-pam --with-pam
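Review bot: The runtime dependency `+OPENSSH_LIBFIDO2:libfido2` is added only to `Package/openssh-server`, but `--with$(if $(CONFIG_OPENSSH_LIBFIDO2),,out)-security-key-builtin` is appended to the shared `CONFIGURE_ARGS`, so it applies to every binary built from this source. Any other package from this Makefile whose binary ends up linked against libfido2 (likely the token-facing tools such as ssh-keygen, though their definitions are outside the hunks shown) would then have no declared dependency and would work only when openssh-server happens to be installed. Because Config.in wraps the symbol in `if PACKAGE_openssh-server`, a client-only build also gets `--without-security-key-builtin`. Consider attaching the dependency and the config symbol to the packages that ship the linked binaries, and add a comment above `PKG_BUILD_DEPENDS` such as `# libfido2 is linked only when CONFIG_OPENSSH_LIBFIDO2 is set`.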

