Fido Ssh


FIDO2 support has been implemented in our Hardware Security SDK starting with version 4.0.0.

Add the SDK to Your Project

To get a username and password for our Maven repository, please contact us for a license.

Add this to your build.gradle:

Initialize the Hardware Security SDK

To use the SDK's functionality in your app, you need to initialize the SecurityKeyManager first. This is the central class of the SDK, which dispatches incoming NFC and USB connections. Perform this initialization in the onCreate method of your Application subclass. This ensures that Security Keys are reliably dispatched to your app while it is in the foreground.

OpenSSH version 8.2 added support for authentication using FIDO/U2F hardware security keys. There are two new key types, ecdsa-sk and ed25519-sk, which can be used for this. Communication with the keys is done through a helper program named ssh-sk-helper (by default it is in /usr/lib/ssh). FIDO/U2F OpenSSH keys consist of two parts: a 'key handle' part stored in the private key file on disk, and a per-device private key that is unique to each FIDO/U2F token and that cannot be.

We start by creating a new class which extends android.app.Application as follows:

Then, register your MyCustomApplication in your AndroidManifest.xml:

FIDO2 Registration

Show our WebAuthnDialogFragment to register a Security Key:

Implement OnMakeCredentialCallback and override onMakeCredentialResponse to receive callbacks from the WebauthnDialogFragment:

FIDO2 Authentication

Authentication is now done by creating a FidoAuthenticateRequest:

Implement OnGetAssertionCallback in your Activity and override onGetAssertionResponse:

Prevent Re-Creation of Activity with USB Security Keys

Besides the functionalities used by our SDK, some Security Keys register themselves as USB keyboards to be able to insert One Time Passwords (OTP) when touching the golden disc. Thus, when inserting a Security Key into the USB port, Android recognizes a new keyboard and re-creates the current activity.

To prevent this, add keyboard|keyboardHidden to the activity's configChanges in your AndroidManifest.xml:

Congratulations!

That's all! If you have any questions, don't hesitate to contact us:

  • Ask us by email

Last updated on Feb 15, 2021

Feitian ePass NFC

The Feitian ePass NFC FIDO U2F Security Key can work as a Generic Identity Device Specification (GIDS) smart card. These instructions also apply to many other manufacturers and card models, but the specific tools used to initialize the card may differ.

In this how-to, we will prepare a USB/NFC hardware key for SSH authentication and register the device in WebADM. It is assumed that you already have working WebADM and SpanKey servers, although you can also deploy the public key manually to a destination server.

For YubiKeys and other PIV devices, please refer to Smart Card - PIV.

1. Enabling CCID Mode

Feitian ePass keys can work in three different modes:

  • FIDO U2F

  • OATH HOTP (Event-based)

  • CCID (chip card interface device)

All these modes can be used with OpenOTP, but in this guide we focus on CCID, which is the mode used for SSH authentication.

By default, Feitian keys ship with only the U2F/FIDO mode enabled, so the first step is to change the operating mode of the key. This is done with a Feitian tool (ePassFIDO-NFC OTP Tool 3.7), which can be downloaded from the Feitian website and runs on Windows.

Connect the key to a computer with the Feitian tool, start the tool and select an operating mode which includes CCID. The key can work simultaneously on all three modes. If the new mode includes U2F, you can continue to use the key for FIDO authentication simultaneously with SSH key authentication.

After the CCID mode is enabled, the smart card function must be initialized using other Feitian software (GIDS Initialization Tool). This tool can also be downloaded from the Feitian website.

Start the tool in Windows, set the desired PIN and Admin key and click Initialize. Please take care in selecting and storing the PIN and Admin key.

2. Generating SSH Keys

Once the key is initialized, we can generate an SSH key pair on it and extract the public key. For this, we need to connect it to a computer with OpenSC (version 0.18 or later) installed.

First, we verify that the key is connected and recognized correctly:

Next we can dump the contents of the key:

Please note the ID number of the PIN, as it is used as the --auth-id parameter in the next command, when we generate the public/private key pair:

Once the key pair is generated, we can list the contents of the device and extract the public key.

With this information we can create an inventory file in .csv format containing the right public key. The serial number can be chosen by you, as it is only used for keeping track of the devices in the WebADM inventory. You can, for example, use the number printed on the physical device:

Next, we can import this file into the WebADM inventory, assign it to a user and test authentication with ssh. These steps are described in Smart Card - PIV, starting at 'We import the file. Under the import tab, we click on Import Inventory File:'

3. Using with a Contactless Reader

The Feitian ePass key supports NFC communication, so the GIDS smart card can also be used for authentication with a contactless reader, resulting in a very easy workflow:

Or in SSH authorized key format, which can also be directly copied to the authorized_keys file in the destination server:

If you want to use smart card authentication without passing the -I flag on the command line, you can configure the OpenSC library in ~/.ssh/config (or in /etc/ssh/ssh_config for all users). The correct path to the library depends on your system.
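As an added example that belongs to neither guide above, the following Python script parses the public-key lines both workflows end up with: the FIDO-backed ecdsa-sk and ed25519-sk types from the OpenSSH 8.2 paragraph, and an ssh-rsa key such as the one exported from the card for authorized_keys (that the card-resident key is RSA is my assumption). Run over an authorized_keys file, it shows which entries are hardware-bound FIDO keys, which FIDO application they are scoped to, and how large the RSA keys are; the sample lines are constructed, not real keys.

```python
import base64
import struct

def _ssh_string(payload: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length + payload."""
    return struct.pack(">I", len(payload)) + payload

def _read_string(blob: bytes, off: int):
    """Read one wire-format string at offset off; return (payload, next offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + n > len(blob):
        raise ValueError("truncated string payload")
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_pubkey_line(line: str) -> dict:
    """Parse an authorized_keys / .pub line. FIDO (sk-*) keys carry an 'application'
    string (normally "ssh:") after the key material; ssh-rsa reports the modulus size."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, blob = fields[0], base64.b64decode(fields[1], validate=True)
    inner, off = _read_string(blob, 0)
    if inner != ktype.encode():
        raise ValueError("key type field does not match the blob")
    info = {"type": ktype, "fido": ktype.startswith("sk-")}
    if ktype == "sk-ecdsa-sha2-nistp256@openssh.com":
        _curve, off = _read_string(blob, off)   # "nistp256"
        _point, off = _read_string(blob, off)   # uncompressed EC point Q
        app, off = _read_string(blob, off)
        info["application"] = app.decode()
    elif ktype == "sk-ssh-ed25519@openssh.com":
        _pub, off = _read_string(blob, off)     # 32-byte Ed25519 public key
        app, off = _read_string(blob, off)
        info["application"] = app.decode()
    elif ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)       # public exponent (mpint)
        n, off = _read_string(blob, off)        # modulus (mpint)
        info["bits"] = int.from_bytes(n, "big").bit_length()
    if off != len(blob):
        raise ValueError("trailing bytes after the key blob")
    return info
# Constructed sample lines (not real keys), built with the same wire format.
SAMPLE_ED25519_SK = "sk-ssh-ed25519@openssh.com " + base64.b64encode(
    _ssh_string(b"sk-ssh-ed25519@openssh.com") + _ssh_string(bytes(range(32)))
    + _ssh_string(b"ssh:")).decode() + " alice@laptop"
SAMPLE_RSA = "ssh-rsa " + base64.b64encode(
    _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
    + _ssh_string(b"\x00" + b"\xff" * 256)).decode() + " epass-gids"
```

Feed each line of an authorized_keys file to parse_pubkey_line and reject entries that raise ValueError, since a blob that does not parse cleanly should never reach the server.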

This manual was prepared with great care. However, RCDevs S.A. and the author cannot assume any legal or other liability for possible errors and their consequences. No responsibility is taken for the details contained in this manual. Subject to alteration without notice. RCDevs S.A. does not enter into any responsibility in this respect. The hardware and software described in this manual is provided on the basis of a license agreement. This manual is protected by copyright law. RCDevs S.A. reserves all rights, especially for translation into foreign languages. No part of this manual may be reproduced in any way (photocopies, microfilm or other methods) or transformed into machine-readable language without the prior written permission of RCDevs S.A. The latter especially applies for data processing systems. RCDevs S.A. also reserves all communication rights (lectures, radio and television). The hardware and software names mentioned in this manual are most often the registered trademarks of the respective manufacturers and as such are subject to the statutory regulations. Product and brand names are the property of RCDevs S.A. © 2021 RCDevs SA, All Rights Reserved
