Please read official documentation from PfSense project here:
Notes:
0) WinCryptSSHAgent - https://github.com/buptczq/WinCryptSSHAgent
* Supports every Windows client interface needed for most applications (pageant/auth_sock/securecrt)
* This interface simply selects "all" certificates that it believes are applicable
* At auth time, the PIN is requested through the Windows WinCrypt API as needed
* Notifications when PIV certificates are being used (even with downstream ssh agent passthrough if enabled, nice!)
1) Putty Wincrypt - https://github.com/ufrisk/puttywincrypt
* Supports RSA 1024/2048 keys generated by YubiKey Manager
* Will support YubiKey with both USB and NFC interfaces (with an appropriate NFC reader)
#!/bin/sh -
# Copyright (c) 1996 Poul-Henning Kamp
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#!/bin/sh
# See ipdeny.com for listings of possible country codes
# Read the ipfw man page for details on ipfw rulesets (ipfw set)
# This is just an example shell script for downloading and blocking country-specific IP address ranges
# Please customize for actual needs as required.
# Command line error checking (quote $1 so an empty argument is still a valid test)
[ -z "$1" ] && printf "Error: Please enter valid country code from ipdeny.com\n Example: %s cn 10\nThis will block all China addresses on ruleset 10\n" "$(basename "$0")" && exit 1
# $FreeBSD: releng/12.0/share/skel/dot.cshrc 337497 2018-08-08 19:24:20Z asomers $
#
# .cshrc - csh resource script, read at beginning of execution by each shell
#
# see also csh(1), environ(7).
# more examples available at /usr/share/examples/csh/
#
alias h history 25
alias j jobs -l
--- prefixconf.c.orig 2017-02-28 19:06:15.000000000 +0000 | |
+++ prefixconf.c 2022-02-13 19:16:41.144605000 +0000 | |
@@ -201,20 +201,6 @@ | |
if (sp->prefix.vltime != 0 && spcreate) { | |
for (pif = TAILQ_FIRST(iac_pd->pifc_head); pif; | |
pif = TAILQ_NEXT(pif, link)) { | |
- /* | |
- * The requesting router MUST NOT assign any delegated | |
- * prefixes or subnets from the delegated prefix(es) to | |
- * the link through which it received the DHCP message |
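Review bot: the visible lines of this hunk delete the comment recording the requirement that the requesting router MUST NOT assign delegated prefixes to the link on which it received the DHCP message, and the hunk header (-201,20 +201,6) shows 14 lines going, so the enforcement code below that comment is presumably being removed as well; a patch that drops a spec-mandated restriction should say why, either in a replacement comment at this spot or in its description, so that the deliberate deviation and its security implications (prefixes becoming assignable on the upstream link) are documented rather than silent.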
How to configure FreeBSD and applicable applications to work with Yubikey for authentication. This serves as my work-in-progress documentation of the configuration knobs needed to make this work properly.
- FreeBSD ssh with PIV smartcard slot on Yubikey (PKCS#11 via libykcs11.so)
- FreeBSD ssh with FIDO support on Yubikey
- FreeBSD Firefox/Chromium with fido + webauthn support on Yubikey
- FreeBSD local console and gdm authentication using pam on Yubikey
- FreeBSD official YubiKey tools
- FreeBSD 13.2 Testing (Aug 2023)
- FreeBSD stable/13 Testing (Aug 2023) with OpenSSH_9.3p2
This guide covers using both PIV smartcard and FIDO2 features of your Yubikey, SoloKey(v2), and Windows Hello for SSH authentication in a secure and portable manner. FIDO2 support works with YubiKey, SoloKey(v2), and Windows Hello(biometric:face, biometric:fingerprint, secure-element/pin) with OpenSSH as a relatively new feature which requires updated client and server versions. PIV support has been around with PKCS#11 for many years in the OpenSSH codebase, and is considered a more stable and ubiquitous solution when an applicable PKCS#11 library is available for your platform.
The example below assumes that you already have a PIV key generated in the YubiKey slot you intend to use. If you need to generate a new one, read the excellent documentation here: https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html and https://support.yubico.com/hc/en-us/articles/360021606180-Using-YubiKey-PIV-with-Windows-native-SSH-client
- This explains basic con
These are my notes from configuring a functional FreeBSD 13/14 (started with 13.1-RELEASE and moved to the stable/14 branch) on my Dell Precision 7550 laptop with a Dell Thunderbolt 3 dock.
- Install from 14-Beta5 release memstick image worked great with UEFI (Secure Boot disabled), and boot config in BIOS/UEFI setup for AHCI access (NOT Intel Raid) to nvme drives.
- iwl Wi-Fi card from Intel: no issues as long as I don't try to change the regulatory domain from the defaults. WPA2 authentication worked as I expected; WPA3 is not there yet in the FreeBSD 802.11 stack.
iwlwifi0@pci0:0:20:3: class=0x028000 rev=0x00 hdr=0x00 vendor=0x8086 device=0x06f0 subvendor=0x8086 subdevice=0x4070
vendor = 'Intel Corporation'
device = 'Comet Lake PCH CNVi WiFi'
Yubikey 5 Win 10 20H2 x64 Pro PIV EFS Setup
PIV on Yubikey can be utilized for SSH authentication, Windows OS login authentication, NTFS Encrypted File System (EFS) support, Bitlocker and other use cases. The examples below are using self-signed certificates and keys generated on the Yubikey secure element, but can be customized for an enterprise environment with a root CA/intermediate CA and trusted certificate chains as needed. Note: While using a CA allows for easier scalable management, this also increases the required ring of trust, and thus can potentially decrease security if not managed properly.
Requires: Windows 10 Pro (20H2 used in the document, but will work on earlier versions of Pro), Yubikey 4 or 5 security token.
PIV References:
- NIST: https://csrc.nist.gov/publications/detail/sp/800-73/4/final
- Yubico PIV Setup: https://developers.yubico.com/PIV/Guides/Device_setup.html