openssh: Add FIDO2 hardware token support
authorLinos Giannopoulos <linosgian00@gmail.com>
Wed, 6 Jan 2021 21:19:48 +0000 (23:19 +0200)
committerLinos Giannopoulos <linosgian00@gmail.com>
Wed, 6 Jan 2021 22:53:05 +0000 (00:53 +0200)
Version 8.2[0] added support for two new key types: "ecdsa-sk" and
"ed25519-sk". These two type enable the usage of hardware tokens that
implement the FIDO (or FIDO2) standard, as an authentication method for
SSH.

Since we're already on version 8.4 all we need to do is to explicitly enable
the support for hardware keys when compiling OpenSSH and add all the
missing dependencies OpenSSH requires.

OpenSSH depends on libfido2[1], to communicate with the FIDO devices
over USB. In turn, libfido2 depends on libcbor, a C implementation of
the CBOR protocol[2] and OpenSSL.

[0]: https://lwn.net/Articles/812537/
[1]: https://github.com/Yubico/libfido2
[2]: tools.ietf.org/html/rfc7049

Signed-off-by: Linos Giannopoulos <linosgian00@gmail.com>
net/openssh/Config.in [new file with mode: 0644]
net/openssh/Makefile

diff --git a/net/openssh/Config.in b/net/openssh/Config.in
new file mode 100644 (file)
index 0000000..3690ced
--- /dev/null
@@ -0,0 +1,12 @@
+if PACKAGE_openssh-server
+
+config OPENSSH_LIBFIDO2
+       bool
+       default y
+       prompt "Include libfido2 support in openssh-server"
+       help
+               OpenSSH version 8.2 added two new ssh authentication methods,
+               namely `ecdsa_sk` and `ed25519_sk`. These two methods make use
+               of hardware keys that implement the FIDO and FIDO2 protocols.
+               In order to use these two types, libfido2 is required.
+endif
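Review bot: The help text spells the key types `ecdsa_sk` and `ed25519_sk`, but OpenSSH (and the commit message above) spells them `ecdsa-sk` and `ed25519-sk`, and they are key types rather than "ssh authentication methods"; users will search for the name ssh-keygen prints, so the help should use the real spelling. It would also help to say what the symbol does to the build, which is what a reader of Config.in needs and the current text omits, e.g. `Builds the security-key provider into the OpenSSH tools (configure --with-security-key-builtin) and adds a runtime dependency on libfido2, which in turn pulls in libcbor.` Since the option is `default y`, every default build now carries libfido2 and libcbor; if that is intended it is worth stating in the help rather than only in the commit message.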
index 1782b02f667cb1db662148e19e0a7f831ccbbc5a..a17f6ff0c3e388a152345a21b254b9dd5fe44f9a 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssh
 PKG_VERSION:=8.4p1
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
@@ -21,6 +21,10 @@ PKG_LICENSE_FILES:=LICENCE
 PKG_CPE_ID:=cpe:/a:openssh:openssh
 
 PKG_REMOVE_FILES:=
+PKG_CONFIG_DEPENDS := \
+       CONFIG_OPENSSH_LIBFIDO2
+
+PKG_BUILD_DEPENDS += OPENSSH_LIBFIDO2:libfido2
 
 include $(INCLUDE_DIR)/package.mk
 
@@ -82,11 +86,15 @@ endef
 
 define Package/openssh-server
        $(call Package/openssh/Default)
-       DEPENDS+= +openssh-keygen
+       DEPENDS+= +openssh-keygen +OPENSSH_LIBFIDO2:libfido2
        TITLE+= server
        USERID:=sshd=22:sshd=22
 endef
 
+define Package/openssh-server/config
+       source "$(SOURCE)/Config.in"
+endef
+
 define Package/openssh-server/description
 OpenSSH server.
 endef
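Review bot: The runtime dependency `+OPENSSH_LIBFIDO2:libfido2` is attached to openssh-server, but as far as I know sshd verifies `-sk` signatures with ordinary crypto and never talks to a token; `--with-security-key-builtin` links libfido2 into the client-side tools (ssh-keygen, ssh-agent and the sk helper), which this Makefile packages separately from the server. If that holds, the DEPENDS entry belongs on the packages that ship those binaries and the Config.in prompt should be renamed accordingly, since attaching it here installs libfido2 and libcbor on servers that never use a token. Please confirm with `ldd` on the built sshd versus ssh-keygen before merging; the PKG_BUILD_DEPENDS line in the earlier hunk is correct either way, as configure needs the library at build time.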
@@ -164,8 +172,9 @@ CONFIGURE_ARGS += \
        --without-bsd-auth \
        --without-kerberos5 \
        --with-stackprotect \
-       --with$(if $(CONFIG_OPENSSL_ENGINE),,out)-ssl-engine
-
+       --with$(if $(CONFIG_OPENSSL_ENGINE),,out)-ssl-engine \
+       --with$(if $(CONFIG_OPENSSH_LIBFIDO2),,out)-security-key-builtin
+       
 ifeq ($(BUILD_VARIANT),with-pam)
 CONFIGURE_ARGS += \
        --with-pam
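Review bot: The blank separator line after the CONFIGURE_ARGS block is replaced by a whitespace-only line (the `+` line following `--with$(if $(CONFIG_OPENSSH_LIBFIDO2),,out)-security-key-builtin`); it should stay an empty line, since trailing whitespace is flagged by the usual patch checkers and, sitting right after a run of `\` continuations, it makes the end of the assignment harder to see. The new configure switch itself is fine and mirrors the `ssl-engine` line above it. The CONFIGURE_ARGS assignment begins before this hunk.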