FIDO stands for Fast IDentity Online. It allows passwordless login (or two-factor authentication) and is therefore less annoying and safer. However, keys must first be exchanged between device and server. It is common to combine it with a button (or touch sensor) that has to be pressed; this way brute-force attacks are prevented.
lsusb | grep -i FIDO should find the device
udevadm monitor shows that the FIDO USB device (see https://www.token2.com/site/page/integration-guides) creates /dev/hidraw<n> and /dev/usb/hiddev<0>.
ls -l /dev/hidraw* and ls -l /dev/usb/hiddev* might show user and group as root, so the /dev files cannot be accessed by regular users. To change this a udev rule is required.
lsusb -v -s <bus>:<device> shows idVendor and idProduct required for the udev rule.
Install libfido2 to get the udev rules /usr/lib/udev/rules.d/70-libfido2-u2f.rules that cover most FIDO devices.
If not, a udev rule for OpenRC:
ACTION!="add|change", GOTO="u2f_end"
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e", ATTRS{idProduct}=="0858", GROUP="plugdev", MODE="0660"
LABEL="u2f_end"
If not, a udev rule for systemd, or for OpenRC with elogind (on Gentoo Linux: emerge elogind, then rc-update add elogind boot):
ACTION!="add|change", GOTO="u2f_end"
#KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e", ATTRS{idProduct}=="0858", TAG+="uaccess"
LABEL="u2f_end"
/dev/usb/hiddev* is a legacy file used for backward compatibility and is not affected by the shown udev rules. The rule would be:
SUBSYSTEM=="usb", ATTRS{idVendor}=="096e", ATTRS{idProduct}=="0858", GROUP="plugdev", MODE="0660"
udevadm control --reload-rules activates the new udev rule. Then unplug and replug the FIDO device and verify that the group ownership is now plugdev instead of root: ls -l /dev/hidraw* /dev/usb/hiddev*
libfido2, supplied by the manufacturer Yubico, also adds tools:
/usr/bin/fido2-token
fido2-token -L lists the FIDO devices; fido2-token -I /dev/hidraw<n> shows the details about the key.
There are different key algorithms, such as es256.
fido2-token -I -c /dev/hidraw<n> shows how many resident keys are used and available.
PINs are often required and can be activated and set with fido2-token -S /dev/hidraw<n>.
PINs can be modified with fido2-token -C /dev/hidraw<n>.
Watch out for pin retries: 8. The counter decrements whenever a wrong PIN is entered; once the PIN is lost, a factory reset might be required to reuse the device.
fido2-token -L -r /dev/hidraw<n> shows the relying parties (rp_id).
fido2-token -L -k webauthn.io /dev/hidraw<n>: if webauthn.io is an rp_id, its resident credentials are shown.
fido2-token -D -i <resident credential> /dev/hidraw<n> deletes a key.
To factory reset the device: fido2-token -R /dev/hidraw<n>
Other commands:
/usr/bin/fido2-cred
/usr/bin/fido2-assert
The manufacturer https://www.token2.ch/ also supplies tools such as the fido2-manage.sh script, which uses a libfido2 fork that supports passing the PIN as a command line parameter.
fido2-manage.sh -help shows what it can do.
fido2-manage.sh -delete -device <n> -credential <resident credential as shown by fido2-token> deletes a key.
FIDO Linux PAM Login can be configured as alternative to the password login.
In the worst case, if something goes wrong with the PAM configuration, no login to the computer will be possible. Therefore prepare and test an alternative boot option (DVD or USB stick) before continuing.
Install sys-auth/pam_u2f. This also provides /usr/bin/pamu2fcfg.
The PAM module used supports just U2F and not FIDO2. This is why no resident keys are stored in the device: just a private key is stored in the device and the corresponding public key is in the ~/.config/FIDO/u2f_keys file. In the future a pam-fido2 module might appear.
As regular user (or as root if root wants to login via FIDO) do:
groups verifies whether the regular user belongs to the plugdev group. If not, add the user to this group as root: usermod -a -G plugdev <username>
Create a directory for the keys: mkdir -p ~/.config/FIDO
pamu2fcfg > ~/.config/FIDO/u2f_keys creates keys for the host and the FIDO device, or
pamu2fcfg >> ~/.config/FIDO/u2f_keys to add additional keys, or
pamu2fcfg -o pam://<hostname> -i pam://<hostname> > ~/.config/FIDO/u2f_keys for older pamu2fcfg versions.
This gives you some seconds to plug in the key (if not already done) and press its button. If successful, keys are created and stored in the file ~/.config/FIDO/u2f_keys and on the device.
As root edit /etc/pam.d/system-auth and take care where to place the pam_u2f.so line:
auth required pam_env.so
auth sufficient pam_u2f.so authfile=/home/<username>/.config/FIDO/u2f_keys cue
auth requisite pam_faillock.so preauth
The cue option shows a notice that the button on the FIDO device needs to be pressed.
A test could be to lock the screen with a screen saver and unlock it with the FIDO device.
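Given the lockout risk mentioned above, this added pre-flight check (not part of these notes or of pam_u2f) can be run as root before testing the login: it extracts the authfile= path from the pam_u2f.so line, confirms the file holds an entry for the user, and checks that pam_u2f.so is ordered before pam_faillock.so preauth as in the stack shown. It assumes the u2f_keys line format written by pamu2fcfg, <user>:<keyhandle>,<publickey>[,...], and the "auth <control> pam_u2f.so ... authfile=<path>" line layout used here.

```shell
#!/bin/sh
# Added pre-flight check (not from the original notes): validate the pam_u2f
# setup in a pam config before relying on it for login.
# Assumptions: pam_u2f.so line looks like "auth sufficient pam_u2f.so authfile=<path> cue",
# and the authfile uses pamu2fcfg's "<user>:<keyhandle>,<pubkey>[,...]" lines.

# Print the authfile= path from the pam_u2f.so line of a pam config read on stdin.
u2f_authfile() {
  sed -n 's/^auth[[:space:]]\{1,\}[^[:space:]]\{1,\}[[:space:]]\{1,\}pam_u2f\.so.*authfile=\([^[:space:]]\{1,\}\).*/\1/p'
}

# Print "ok" if pam_u2f.so precedes pam_faillock.so preauth (or faillock is absent).
u2f_before_faillock() {
  awk '/pam_u2f\.so/ && !u {u=NR} /pam_faillock\.so.*preauth/ && !f {f=NR}
       END {r = (u && (!f || u < f)) ? "ok" : "bad"; print r}'
}

# Succeed if the authfile ($1) has at least one key entry for user $2.
authfile_has_user() {
  grep -q "^$2:[^:]*,[^:]*" "$1"
}

# Run all checks: $1 = pam config file, $2 = user name. Returns 1 on any problem.
preflight() {
  af=$(u2f_authfile < "$1")
  [ -n "$af" ] || { echo "no pam_u2f.so line with authfile= in $1"; return 1; }
  [ -r "$af" ] || { echo "authfile $af missing or unreadable"; return 1; }
  authfile_has_user "$af" "$2" || { echo "no entry for $2 in $af"; return 1; }
  [ "$(u2f_before_faillock < "$1")" = ok ] ||
    { echo "pam_u2f.so must come before pam_faillock.so preauth"; return 1; }
  echo "ok: $2 has a U2F entry in $af and pam_u2f.so is ordered before faillock"
}

# Real-system entry point, e.g.: ./u2f-preflight.sh /etc/pam.d/system-auth <username>
if [ "$#" -eq 2 ]; then
  preflight "$1" "$2"
fi
```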
WebAuthn is supported by browsers (Chrome/Firefox) and, obviously, by web servers that implement it. In the site's security settings, "Add Security Key" or "Passwordless Login" has to be selected and then the steps followed.
To test, go to https://webauthn.io/ and register the key, or use https://www.token2.com/tools/fido2-demo
After that, authenticate. The device might need to be unplugged and replugged to work.
Certain sites work just if the FIDO device got a PIN,