From 74498201413e230be334e3dd7c662684c554371f Mon Sep 17 00:00:00 2001 From: Wonderfall Date: Sat, 9 Apr 2022 19:47:49 +0200 Subject: [PATCH] fix --- content/posts/openssh-fido2.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/posts/openssh-fido2.md b/content/posts/openssh-fido2.md index 29e04c0..a71988c 100644 --- a/content/posts/openssh-fido2.md +++ b/content/posts/openssh-fido2.md 
@@ -17,7 +17,7 @@ All these attempts are particularly a thing on desktop platforms, because they d Another layer of defense would obviously be multi-factor authentification, or the fact that you're relying on a shared secret instead. We can use FIDO2 security keys for that. That way, even if your private key is compromised, the attacker needs physical access to your security key. TOTP is another common 2FA technique, but it's vulnerable to various attacks, and relies on the quality of the implementation on the server. -Fortunately for us, [OpenSSH 8.2](https://www.openssh.com/txt/release-8.2)] (released in February 2020) introduced native support for FIDO2/U2F. Most OpenSSH distributions should have the middleware set to use the `libfido2` library, including portable versions such as the one [for Win32](https://github.com/PowerShell/Win32-OpenSSH). Basically, `ssh-keygen -t ${key_type}-sk` will generate for us a token-backed key pair. The key types that are supported depend on your security key. Newer models support should support both ECDSA-P256 (`ecdsa-sk`) and Ed25519 (`ed25519-sk`). If the latter is available, you should prefer it. +Fortunately for us, [OpenSSH 8.2](https://www.openssh.com/txt/release-8.2) (released in February 2020) introduced native support for FIDO2/U2F. Most OpenSSH distributions should have the middleware set to use the `libfido2` library, including portable versions such as the one [for Win32](https://github.com/PowerShell/Win32-OpenSSH). Basically, `ssh-keygen -t ${key_type}-sk` will generate for us a token-backed key pair. The key types that are supported depend on your security key. Newer models support should support both ECDSA-P256 (`ecdsa-sk`) and Ed25519 (`ed25519-sk`). If the latter is available, you should prefer it. To get started:
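Review bot: the changed `+` line still carries a duplicated word in "Newer models support should support both ECDSA-P256 (`ecdsa-sk`) and Ed25519 (`ed25519-sk`)"; since this commit already rewrites that line to drop the stray `]` after the OpenSSH 8.2 link, fix the wording in the same change, e.g. "Newer models should support both ECDSA-P256 (`ecdsa-sk`) and Ed25519 (`ed25519-sk`)". The unchanged context line above also spells "multi-factor authentification", which should read "multi-factor authentication"; that is outside the line this hunk modifies but is worth folding into the same prose fix.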