<p><b>SSH FIDO2 Authentication with the Security Key NFC by Yubico</b></p>
<p>Published 2023-08-03 (last modified 2023-08-05). Original post: <a href="https://www.alextwl.idv.tw/memo/2023/08/ssh-security-key-nfc-yubico-fido2/">https://www.alextwl.idv.tw/memo/2023/08/ssh-security-key-nfc-yubico-fido2/</a>. Tags: security, ubuntu.</p>
<p><a href="https://www.alextwl.idv.tw/memo/media/2023/08/IMG_7768-scaled.jpeg"><img src="https://www.alextwl.idv.tw/memo/media/2023/08/IMG_7768-300x300.jpeg" alt="" width="300" height="300" /></a></p>
<p>I noticed that OpenSSH has supported FIDO2 authentication for the past few years, so I bought a <a href="https://www.yubico.com/tw/product/security-key-nfc-by-yubico-black/">Security Key NFC by Yubico</a> to try it out. (This is a FIDO-only hardware key, not the full-featured YubiKey.)</p>
<h1>Preparation</h1>
<p>Although logging in to web services with the Security Key NFC (hereafter "FIDO2 key") usually does not require entering a FIDO2 PIN, using it for SSH requires setting a PIN on it. (The PIN must be set regardless of whether later SSH logins ask for it.)</p>
<p>According to <a href="https://support.yubico.com/hc/en-us/articles/4402836718866-Understanding-YubiKey-PINs">Understanding YubiKey PINs</a>, a new key has no initial FIDO2 PIN set, so we will set one now.</p>
<blockquote><p>Note: since FIDO2 authentication requires OpenSSH 8.3 or later, the operating system environment used here is Ubuntu 22.04 LTS with OpenSSH 8.9p1 installed.</p>
<p>Although the reference documents mention that OpenSSH 8.2p1 also partially supports non-discoverable key authentication, on Ubuntu 20.04 LTS with OpenSSH 8.2p1 the author could only produce a setup where touching the FIDO2 key completes authentication, and could not produce one that asks for the FIDO2 PIN.</p></blockquote>
<p>We can use <b>ykman</b> (<a href="https://developers.yubico.com/yubikey-manager/">YubiKey Manager CLI</a>) to set the FIDO2 PIN. On Ubuntu, the commands to install ykman from the PPA are:</p>
<pre>
sudo apt-add-repository ppa:yubico/stable
sudo apt update
sudo apt install yubikey-manager
</pre>
<p>After installation, use the <code>ykman fido access change-pin</code> command to set the initial FIDO2 PIN, for example setting the PIN to "123456":</p>
<pre>
ykman fido access change-pin --new-pin 123456
</pre>
<h1>The two modes of authenticator-hosted keys</h1>
<p>As described in <a href="https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html">Securing SSH with FIDO2</a>, SSH keys bound to FIDO2 come in two operating modes: <b>non-discoverable</b> and <b>discoverable (resident)</b> keys.</p>
<p>Non-discoverable keys have the following characteristics:</p>
<ul>
<li>The SSH key pair (the identity file placed in <code>~/.ssh/</code>) is bound to the FIDO2 key. As with other key types, a different private key <b>cannot</b> authenticate against the same public key + FIDO2 key.</li>
<li>For privacy-conscious users, even if the FIDO2 key is lost, it cannot be misused by someone who does not also hold the corresponding SSH private key.</li>
</ul>
<p>Discoverable (resident) keys have the following characteristics:</p>
<ul>
<li>Different SSH private keys can authenticate against the same public key + FIDO2 key.</li>
<li>Suited to use on different local machines (such as shared computers): there is no need to copy the original private key (identity file). A private key paired with the FIDO2 key can be generated anywhere, anytime, and then used to SSH into the remote server.</li>
</ul>
<h1>Setting up the FIDO2 key with a non-discoverable key</h1>
<h2>Local setup</h2>
<ol>
<li>Plug the FIDO2 key into the computer.</li>
<li>In a terminal, run the following command to generate an SSH key pair paired with the FIDO2 key (using an ed25519 key as the example):
<pre>ssh-keygen -t ed25519-sk -O verify-required</pre>
<p>The process looks like this:</p>
<pre>
~$ ssh-keygen -t ed25519-sk -O verify-required
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator: (enter the FIDO2 PIN, e.g. 123456)
(The FIDO2 key's button blinks now; touch it.)
Enter file in which to save the key (/home/alice/.ssh/id_ed25519_sk): 
Enter passphrase (empty for no passphrase): (set a passphrase for the private key; may be left empty)
Enter same passphrase again: (enter the passphrase again, or leave empty)
Your identification has been saved in /home/alice/.ssh/id_ed25519_sk
Your public key has been saved in /home/alice/.ssh/id_ed25519_sk.pub
The key fingerprint is:
SHA256:K4C/oYWhJ0QBCUQDgm5AXbPpmkMySq5nj84CrSX4Ys4 alice@myhost
The key's randomart image is:
+[ED25519-SK 256]-+
|&amp;B. .o           |
|= o.  +          |
|o.   o           |
|.o ..            |
|o*o...  S        |
|O.*+o.   .       |
|=*o++ . .        |
|*=++.o .         |
|+E=.o            |
+----[SHA256]-----+
</pre>
</li>
</ol>
<p>We have now generated a key pair, <code>id_ed25519_sk</code> and <code>id_ed25519_sk.pub</code>, in <code>~/.ssh/</code> under the home directory.</p>
<p>Next, copy the public key to the remote server:</p>
<pre>
ssh-copy-id -i ~/.ssh/id_ed25519_sk.pub alice@myserver1
</pre>
<blockquote><p>Note: <b>alice</b> is the remote username and <b>myserver1</b> is the remote hostname (or domain name). Replace them with your own settings.</p></blockquote>
<h2>Remote setup</h2>
<p>Although we have copied the public key to the remote server, if we log in from the local machine right now, OpenSSH by default only asks the user to touch the FIDO2 key and does not ask for the FIDO2 PIN. To make OpenSSH require the FIDO2 PIN, we need extra configuration on the remote server.</p>
<p>A public key entry is already stored in <code>~/.ssh/authorized_keys</code> in the remote home directory; it looks like this:</p>
<pre>sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIilYYxbMZ5adtCH1ueFuIsbUqPM4B/ytDDho0iKfX6VAAAABHNzaDo= alice@myhost</pre>
<p>Edit <code>~/.ssh/authorized_keys</code> and insert <code>verify-required</code> at the very beginning of this public key entry, separated from the leading <code>sk-ssh-ed25519...</code> by a space. The edited entry looks like this:</p>
<pre>verify-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIilYYxbMZ5adtCH1ueFuIsbUqPM4B/ytDDho0iKfX6VAAAABHNzaDo= alice@myhost</pre>
<p>With this, the configuration is complete: the remote OpenSSH server will now require the FIDO2 PIN for verification at login.</p>
<blockquote><p>Note: the setting can also be enabled globally on the remote OpenSSH server.</p>
<p>Edit <code>/etc/ssh/sshd_config</code> and add the following setting:</p>
<pre>
PubkeyAuthOptions verify-required
</pre>
<p>This enforces FIDO2 PIN verification for all public keys paired with a FIDO2 key. It does not affect keys that are not paired with a hardware key (i.e. keys that are not authenticator-hosted).</p></blockquote>
<h2>Testing SSH + FIDO2 key login to the remote server from the local machine</h2>
<p>Back on the local machine, we can finally test logging in to the remote server with SSH + FIDO2 key. The steps are:</p>
<ol>
<li>Plug the FIDO2 key into the computer.</li>
<li>In a terminal, log in to the remote server with:
<pre>
ssh -i ~/.ssh/id_ed25519_sk alice@myserver1
</pre>
<p>The process looks like this:</p>
<pre>
~$ ssh -i ~/.ssh/id_ed25519_sk alice@myserver1
Enter passphrase for key '/home/alice/.ssh/id_ed25519_sk': (enter the SSH private key passphrase, if any)
Enter PIN for ED25519-SK key /home/alice/.ssh/id_ed25519_sk: (enter the FIDO2 PIN, e.g. 123456)
(The FIDO2 key's button blinks now; touch it.)
Confirm user presence for key ED25519-SK SHA256:K4C/oYWhJ0QBCUQDgm5AXbPpmkMySq5nj84CrSX4Ys4
User presence confirmed
Welcome to Ubuntu 22.04.2 LTS ...
alice@myserver1:~$
</pre>
</li>
</ol>
<p>Through the above process, we successfully logged in to the remote server after entering the FIDO2 PIN.</p>
<h1>Setting up the FIDO2 key with a discoverable (resident) key</h1>
<p>This section describes how to pair multiple private keys with one public key + FIDO2 key and log in to the remote server.</p>
<h2>Setup on the first local machine</h2>
<ol>
<li>Plug the FIDO2 key into the computer.</li>
<li>In a terminal, run the following command to generate an SSH key pair paired with the FIDO2 key (using an ed25519 key as the example):
<pre>
ssh-keygen -t ed25519-sk -O resident -O application=ssh:mykey1 -O verify-required
</pre>
<blockquote><p>Note: <b>mykey1</b> can be any name you choose; it only needs to help you identify the key.</p></blockquote>
<p>The process looks like this:</p>
<pre>
~$ ssh-keygen -t ed25519-sk -O resident -O application=ssh:mykey1 -O verify-required
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator: (enter the FIDO2 PIN, e.g. 123456)
(The FIDO2 key's button blinks now; touch it.)
Enter file in which to save the key (/home/alice/.ssh/id_ed25519_sk):
Enter passphrase (empty for no passphrase): (set a passphrase for the private key; may be left empty)
Enter same passphrase again: (enter the passphrase again, or leave empty)
Your identification has been saved in /home/alice/.ssh/id_ed25519_sk
Your public key has been saved in /home/alice/.ssh/id_ed25519_sk.pub
The key fingerprint is:
SHA256:+6GG/KmF/C7welqRP3V11yn5G9tLAkcEbzwoRGoRhi8 alice@myhost1
The key's randomart image is:
+[ED25519-SK 256]-+
|      .+oo ...   |
|     .. +   = . o|
|      .o . . O..+|
|     E.o  . o.+..|
|      + S .... o |
|    .. + o .o   =|
|     ++.= .  . +.|
|     .*o.= .  o .|
|    o+.** .    . |
+----[SHA256]-----+
</pre>
</li>
</ol>
<p>We have now generated a key pair, <code>id_ed25519_sk</code> and <code>id_ed25519_sk.pub</code>, in <code>~/.ssh/</code> under the home directory.</p>
<p>Next, copy the public key to the remote server:</p>
<pre>
ssh-copy-id -i ~/.ssh/id_ed25519_sk.pub alice@myserver1
</pre>
<blockquote><p>Note: <b>alice</b> is the remote username and <b>myserver1</b> is the remote hostname (or domain name). Replace them with your own settings.</p></blockquote>
<h2>Remote setup</h2>
<p>To make OpenSSH require the FIDO2 PIN, we need extra configuration on the remote server.</p>
<p>A public key entry is already stored in <code>~/.ssh/authorized_keys</code> in the remote home directory; it looks like this:</p>
<pre>sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIBDe/oKY7ph1d7immr2PgHKW72NfUB11r0P/OnkamNaoAAAACnNzaDpteWtleTE= alice@myhost1</pre>
<p>Edit <code>~/.ssh/authorized_keys</code> and insert <code>verify-required</code> at the very beginning of this public key entry, separated from the leading <code>sk-ssh-ed25519...</code> by a space. The edited entry looks like this:</p>
<pre>verify-required sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIBDe/oKY7ph1d7immr2PgHKW72NfUB11r0P/OnkamNaoAAAACnNzaDpteWtleTE= alice@myhost1</pre>
<p>With this, the configuration is complete: the remote OpenSSH server will now require the FIDO2 PIN for verification at login.</p>
<h2>Logging in to the remote server from the first local machine</h2>
<p>Back on the <b>first</b> local machine, we can test logging in to the remote server with SSH + FIDO2 key. The steps are:</p>
<ol>
<li>Plug the FIDO2 key into the computer.</li>
<li>In a terminal, log in to the remote server with:
<pre>
ssh -i ~/.ssh/id_ed25519_sk alice@myserver1
</pre>
<p>The process looks like this:</p>
<pre>
$ ssh -i ~/.ssh/id_ed25519_sk alice@myserver1
Enter passphrase for key '/home/alice/.ssh/id_ed25519_sk': (enter the SSH private key passphrase, if any)
Enter PIN for ED25519-SK key /home/alice/.ssh/id_ed25519_sk: (enter the FIDO2 PIN, e.g. 123456)
(The FIDO2 key's button blinks now; touch it.)
Confirm user presence for key ED25519-SK SHA256:+6GG/KmF/C7welqRP3V11yn5G9tLAkcEbzwoRGoRhi8
User presence confirmed
Welcome to Ubuntu 22.04.2 LTS ...
alice@myserver1:~$
</pre>
</li>
</ol>
<p>We have thus confirmed that SSH from the first local machine can log in to the remote server after entering the FIDO2 PIN.</p>
<h2>Generating a key pair on the second (or further) local machine and logging in to the remote server</h2>
<p>The previous two sections covered generating the very first SSH key pair paired with the FIDO2 key. This section continues with how to generate separate private keys on the second (and third, fourth, ...) local machines and use them to log in to the same remote server.</p>
<ol>
<li>Plug the FIDO2 key into the computer.</li>
<li>In a terminal, run the following command to download the resident key from the FIDO2 key and generate the corresponding SSH key pair (using an ed25519 key as the example):
<pre>
ssh-keygen -t ed25519-sk -K
</pre>
<p>The process looks like this:</p>
<pre>
~$ ssh-keygen -t ed25519-sk -K
Enter PIN for authenticator: (enter the FIDO2 PIN, e.g. 123456)
(The FIDO2 key's button blinks now; touch it.)
You may need to touch your authenticator to authorize key download.
Enter passphrase (empty for no passphrase): (set a passphrase for the private key; may be left empty)
Enter same passphrase again: (enter the passphrase again, or leave empty)
Saved ED25519-SK key ssh:mykey1 to id_ed25519_sk_rk_mykey1
</pre>
</li>
</ol>
<p>We have now generated a key pair, <code>id_ed25519_sk_rk_mykey1</code> and <code>id_ed25519_sk_rk_mykey1.pub</code>, in the <b>working directory</b>. There is <b>no need</b> to upload this public key to the remote server with <code>ssh-copy-id</code> again.</p>
<blockquote><p>
Note: the key pair generated here is <b>not</b> automatically saved to <code>~/.ssh/</code> in the home directory. If this key pair is the only one on this local machine, consider renaming the files to <code>id_ed25519_sk</code> &amp; <code>id_ed25519_sk.pub</code> and moving them into the <code>~/.ssh/</code> directory.
</p></blockquote>
<p>With the new private key on the second (or further) local machine, we can use it directly to log in to the remote server. The steps are:</p>
<ol>
<li>As before, plug the FIDO2 key into the computer.</li>
<li>In a terminal, log in to the remote server with:
<pre>
ssh -i ./id_ed25519_sk_rk_mykey1 alice@myserver1
</pre>
<p>The process looks like this:</p>
<pre>
~$ ssh -i ./id_ed25519_sk_rk_mykey1 alice@myserver1
Enter passphrase for key './id_ed25519_sk_rk_mykey1': (enter the SSH private key passphrase, if any)
Enter PIN for ED25519-SK key ./id_ed25519_sk_rk_mykey1: (enter the FIDO2 PIN, e.g. 123456)
(The FIDO2 key's button blinks now; touch it.)
Confirm user presence for key ED25519-SK SHA256:+6GG/KmF/C7welqRP3V11yn5G9tLAkcEbzwoRGoRhi8
User presence confirmed
Welcome to Ubuntu 22.04.2 LTS ...
alice@myserver1:~$
</pre>
</li>
</ol>
<p>Finally, we have confirmed that the second (or further) local machine can use a different SSH private key to log in to the remote server that stores the public key generated with the FIDO2 key on the first local machine.</p>