@ioggstream
Created November 16, 2023 13:11
Using ssh with FIDO secure keys

@here Hi everyone! If you have a FIDO security key, you can harden your ssh access by creating a dedicated key pair as described below. This lets you log in to the git server with a second factor even without any special server-side configuration; the server may, however, refuse keys that are not of an -sk type.

  1. Plug in your FIDO key.
  2. Create the ssh key pair using an sk key type (e.g., ed25519-sk or ecdsa-sk):

```bash
# Try with ed25519-sk first...
$ ssh-keygen -t ed25519-sk -f ~/.ssh/id_ed25519_sk
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Key enrollment failed: invalid format

# If your security key does not support ed25519, use ecdsa.
$ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
$ cat ~/.ssh/id_ecdsa_sk.pub  # <- Note the .pub extension!
```

  3. Configure git.par-tec.it to use your new public key.

  4. Configure your PC to use the FIDO-protected key pair when accessing git.par-tec.it:

```bash
$ cat ~/.ssh/config
Host git.par-tec.it
  IdentityFile /home/rpolli/.ssh/id_ecdsa_sk
```

  5. Test the connection: you will be asked to touch your FIDO key (or similar, depending on the authenticator).

```bash
$ ssh -T git@git.par-tec.it
Confirm user presence for key ECDSA-SK SHA256:5gcSbbB2HNDrRuoAJ9Q26XrEAyPCuu6CxZfczNThRjk
User presence confirmed
Hi ioggstream! You've successfully authenticated, but GitHub does not provide shell access.
```

  6. Finally, unplug the key and make sure that without it the login does not work:

```bash
$ ssh -T git@git.par-tec.it
Confirm user presence for key ECDSA-SK SHA256:5gcSbbB2HNDrRuoAJ9Q26XrEAyPCuu6CxZfczNThRjk
sign_and_send_pubkey: signing failed for ECDSA-SK "/home/rpolli/.ssh/id_ecdsa_sk": device not found
git@git.par-tec.it: Permission denied (publickey).
```
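The gist notes that a server may refuse keys that are not -sk keys. Before uploading a `.pub` file in step 3, or when auditing an `authorized_keys` file on a server that is supposed to accept only FIDO-backed keys, it helps to check the key type field rather than trusting the file name. The POSIX shell script below is an added example, not part of the gist: it recognises the two key types OpenSSH emits for `ssh-keygen -t ed25519-sk` and `-t ecdsa-sk` (`sk-ssh-ed25519@openssh.com` and `sk-ecdsa-sha2-nistp256@openssh.com`), handles lines that start with `authorized_keys` options such as `verify-required`, and lists the keys that would not satisfy an -sk-only policy. The sample key lines are constructed; the key blobs are placeholders, not real keys.

```bash
#!/bin/sh
# Added example, not part of the gist: tell FIDO-backed ("-sk") OpenSSH public
# keys apart from ordinary ones, to confirm the .pub you upload is the
# security-key one or to audit an authorized_keys file against an -sk-only policy.

set -f   # no glob expansion while word-splitting key lines below

# Key types OpenSSH uses for FIDO/U2F keys (ssh-keygen -t ed25519-sk / ecdsa-sk).
SK_TYPES='sk-ssh-ed25519@openssh.com sk-ecdsa-sha2-nistp256@openssh.com'

# is_sk_type TYPE -> 0 if TYPE is one of SK_TYPES, 1 otherwise.
is_sk_type() {
  for t in $SK_TYPES; do
    [ "$1" = "$t" ] && return 0
  done
  return 1
}

# is_sk_pubkey LINE -> 0 if a public-key / authorized_keys line carries an -sk key.
# The key type is the first field, or the second one when the line starts with
# authorized_keys options (e.g. "verify-required"). Quoted options containing
# spaces are not handled: this is a plain word split, good enough for an audit.
is_sk_pubkey() {
  set -- $1
  if is_sk_type "$1"; then return 0; fi
  case $1 in
    ssh-*|ecdsa-*) return 1 ;;   # an ordinary (non -sk) key type
  esac
  is_sk_type "$2"
}

# non_sk_keys: read authorized_keys lines on stdin, print those that are not
# -sk keys; comments and blank lines are skipped.
non_sk_keys() {
  while IFS= read -r line; do
    case $line in ''|'#'*) continue ;; esac
    is_sk_pubkey "$line" || printf '%s\n' "$line"
  done
}

# Constructed sample authorized_keys content (key blobs are placeholders).
SAMPLE_AUTHORIZED_KEYS='# constructed sample
sk-ecdsa-sha2-nistp256@openssh.com AAAAexample1 rpolli@fido
ssh-ed25519 AAAAexample2 laptop-without-fido
verify-required sk-ssh-ed25519@openssh.com AAAAexample3 rpolli@fido2'

# count_non_sk -> number of non -sk keys in the constructed sample (expected: 1).
count_non_sk() {
  printf '%s\n' "$SAMPLE_AUTHORIZED_KEYS" | non_sk_keys | wc -l | tr -d ' '
}

# Stand-alone usage: ./sk_check.sh --demo, or pipe a real file:
#   non_sk_keys < ~/.ssh/authorized_keys
if [ "${1:-}" = "--demo" ]; then
  printf 'non -sk keys in sample: %s\n' "$(count_non_sk)"
  printf '%s\n' "$SAMPLE_AUTHORIZED_KEYS" | non_sk_keys
fi
```

To check the key you are about to upload, run `is_sk_pubkey "$(cat ~/.ssh/id_ecdsa_sk.pub)" && echo ok`; a plain `ssh-ed25519` or `ecdsa-sha2-nistp256` line means you are looking at a non-FIDO key file, however it is named.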