openssh: Add FIDO2 hardware token support
Version 8.2[0] added support for two new key types: "ecdsa-sk" and "ed25519-sk". These two types enable the use of hardware tokens that implement the FIDO (or FIDO2) standard as an authentication method for SSH. Since we're already on version 8.4, all we need to do is explicitly enable the support for hardware keys when compiling OpenSSH and add all the missing dependencies OpenSSH requires. OpenSSH depends on libfido2[1] to communicate with the FIDO devices over USB. In turn, libfido2 depends on libcbor, a C implementation of the CBOR protocol[2], and OpenSSL. [0]: https://lwn.net/Articles/812537/ [1]: https://github.com/Yubico/libfido2 [2]: tools.ietf.org/html/rfc7049 Signed-off-by: Linos Giannopoulos <linosgian00@gmail.com>
parent
1ce5b10425
commit
855db864b0
2 changed files with 25 additions and 4 deletions
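--- a/net/openssh/Config.in
+++ b/net/openssh/Config.in
@@ -0,0 +1,12 @@
+if PACKAGE_openssh-server
+
+config OPENSSH_LIBFIDO2
+bool
+default y
+prompt "Include libfido2 support in openssh-server"
+help
+OpenSSH version 8.2 added two new ssh authentication methods,
+namely `ecdsa_sk` and `ed25519_sk`. These two methods make use
+of hardware keys that implement the FIDO and FIDO2 protocols.
+In order to use these two types, libfido2 is required.
+endif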
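Review bot: `default y` makes libfido2, and through it libcbor, part of every openssh-server build unless the user opts out, so images that will never see a FIDO token still carry the USB and CBOR handling code. For an optional authentication feature, opt-in keeps the default attack surface and image size smaller: `default n`. The help text also spells the key types `ecdsa_sk` and `ed25519_sk`, while the commit description uses `ecdsa-sk` and `ed25519-sk`; the help should use the hyphenated spelling so the two agree.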
|
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=openssh
|
||||
PKG_VERSION:=8.4p1
|
||||
PKG_RELEASE:=3
|
||||
PKG_RELEASE:=4
|
||||
|
||||
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
|
||||
|
@ -21,6 +21,10 @@ PKG_LICENSE_FILES:=LICENCE
|
|||
PKG_CPE_ID:=cpe:/a:openssh:openssh
|
||||
|
||||
PKG_REMOVE_FILES:=
|
||||
PKG_CONFIG_DEPENDS := \
|
||||
CONFIG_OPENSSH_LIBFIDO2
|
||||
|
||||
PKG_BUILD_DEPENDS += OPENSSH_LIBFIDO2:libfido2
|
||||
|
||||
include $(INCLUDE_DIR)/package.mk
|
||||
|
||||
|
@ -82,11 +86,15 @@ endef
|
|||
|
||||
define Package/openssh-server
|
||||
$(call Package/openssh/Default)
|
||||
DEPENDS+= +openssh-keygen
|
||||
DEPENDS+= +openssh-keygen +OPENSSH_LIBFIDO2:libfido2
|
||||
TITLE+= server
|
||||
USERID:=sshd=22:sshd=22
|
||||
endef
|
||||
|
||||
define Package/openssh-server/config
|
||||
source "$(SOURCE)/Config.in"
|
||||
endef
|
||||
|
||||
define Package/openssh-server/description
|
||||
OpenSSH server.
|
||||
endef
|
||||
|
@ -164,8 +172,9 @@ CONFIGURE_ARGS += \
|
|||
--without-bsd-auth \
|
||||
--without-kerberos5 \
|
||||
--with-stackprotect \
|
||||
--with$(if $(CONFIG_OPENSSL_ENGINE),,out)-ssl-engine
|
||||
|
||||
--with$(if $(CONFIG_OPENSSL_ENGINE),,out)-ssl-engine \
|
||||
--with$(if $(CONFIG_OPENSSH_LIBFIDO2),,out)-security-key-builtin
|
||||
|
||||
ifeq ($(BUILD_VARIANT),with-pam)
|
||||
CONFIGURE_ARGS += \
|
||||
--with-pam
|
||||
|
|
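Review bot: The new option is tied to openssh-server only (the `+OPENSSH_LIBFIDO2:libfido2` dependency in `Package/openssh-server` and the `Config.in` sourced from `Package/openssh-server/config`), while `--with$(if $(CONFIG_OPENSSH_LIBFIDO2),,out)-security-key-builtin` in `CONFIGURE_ARGS` applies to every binary built from this package. As far as I know sshd only verifies signatures made with sk keys and never talks to a token, so the libfido2-backed code is presumably needed by the client-side tools that generate keys and sign, not by the server. It is worth checking which installed binaries actually link libfido2 and moving the conditional `DEPENDS` (and the `if PACKAGE_...` guard in `Config.in`) to the package that ships them. The `CONFIGURE_ARGS` list and the `ifeq` block both continue outside the last hunk.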