
Got myself a little gadget: Canokey

FIDO2

Two-step verification for websites

The feature I use most is still FIDO2. Sites like Google, GitHub and OneDrive all support FIDO2; you just add the Canokey in your account settings.

The advantage of FIDO2 is that it saves the time spent opening an app like Authenticator or Authy and copying a code by hand.

When logging in, you only need to touch the button.

SSH

Since OpenSSH 8.2, FIDO2 has been supported. You can log in over SSH with FIDO2 by simply adding the corresponding public key.

Note that the OpenSSH bundled with macOS, perhaps because its version is older, cannot use FIDO2; you need to install a newer build via brew first.

$ brew install openssh
$ /usr/local/Cellar/openssh/8.8p1_2/bin/ssh-keygen -t ecdsa-sk  # the brew-installed ssh-keygen has to be invoked by its full path
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator:
You may need to touch your authenticator (again) to authorize key generation.
Enter file in which to save the key (/Users/example/.ssh/id_ecdsa_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/example/.ssh/id_ecdsa_sk
Your public key has been saved in /Users/example/.ssh/id_ecdsa_sk.pub
The key fingerprint is:
SHA256:/tpCT+qjX8gP4TOxwiNLjYe794gRKUUOPxcQhy9AjJw [email protected]
The key's randomart image is:
+-[ECDSA-SK 256]--+
|.++ ++o |
|.Eo=.. . |
| .=.. |
| ..+. |
| . o. S |
| . * +.=. |
| * *.X+. |
| . B.++O. |
| =oo==++ |
+----[SHA256]-----+

After generating the key, add the public key to the server's authorized_keys file.

From then on, ssh can use FIDO2.
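The two caveats above (OpenSSH must be 8.2 or newer, and the sk public key must end up in authorized_keys) can be checked in a script. This is an added example, not code from the original post; it assumes `brew` is on PATH for locating Homebrew's openssh, and the key blobs in the comments are constructed placeholders.

```sh
#!/bin/sh
# Added example: gate the ecdsa-sk workflow on an OpenSSH that actually supports it,
# and add the resulting public key to authorized_keys safely.

# Return 0 if an `ssh -V` banner is OpenSSH >= 8.2 (the first release with FIDO2 support),
# 1 if it is older, 2 if the string is not an OpenSSH banner at all.
ssh_supports_sk() {
  ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
  [ -n "$ver" ] || return 2
  major=${ver%% *}
  minor=${ver##* }
  if [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; }; then
    return 0
  fi
  return 1
}

# Locate a usable ssh-keygen: Homebrew's openssh first (assumes `brew` is on PATH),
# then the system one; prints the path of the first whose ssh passes the check above.
find_sk_keygen() {
  for dir in "$(brew --prefix openssh 2>/dev/null)/bin" /usr/bin; do
    [ -x "$dir/ssh-keygen" ] && [ -x "$dir/ssh" ] || continue
    if ssh_supports_sk "$("$dir/ssh" -V 2>&1)"; then
      printf '%s\n' "$dir/ssh-keygen"
      return 0
    fi
  done
  return 1
}

# FIDO2 public keys use the sk-* key types; anything else is not authenticator-backed.
is_sk_pubkey() {
  case "$1" in
    "sk-ecdsa-sha2-nistp256@openssh.com "*|"sk-ssh-ed25519@openssh.com "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Append one public-key line ($1) to an authorized_keys file ($2), refusing
# non-sk keys and skipping exact duplicates; keeps the file mode sshd expects.
add_sk_authorized_key() {
  is_sk_pubkey "$1" || return 1
  if [ -f "$2" ] && grep -qxF -- "$1" "$2"; then
    return 0
  fi
  printf '%s\n' "$1" >> "$2" && chmod 600 "$2"
}
```

Run `find_sk_keygen` to get the path to pass the `-t ecdsa-sk` generation step to, then feed the resulting `.pub` line to `add_sk_authorized_key` on the server.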

OPENPGP

The most common use of GPG is signing Git commits, with the private key stored in the Canokey. Once written to the key it cannot be exported.

The algorithms Canokey supports are listed here. Note that RSA4096 can only be imported, not generated on the Canokey, so here I import my existing key into the Canokey.

➜ gpg --edit-key 506E61294EEFA189051358B8F2AFB96ECBE9933F
gpg (GnuPG) 2.3.3; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec rsa4096/F2AFB96ECBE9933F
created: 2019-06-28 expires: 2022-11-08 usage: SC
trust: full validity: unknown
ssb rsa4096/E16D4C191B78D8D3
created: 2019-06-28 expires: 2022-11-08 usage: E
[ unknown] (1). stevelee477 <[email protected]>

gpg> keytocard
# You will be asked for the PIN and the Admin PIN; the Canokey defaults are 123456 and 12345678
Really move the primary key? (y/N) y
Please select where to store the key:
(1) Signature key
(3) Authentication key
Your selection? 1

sec rsa4096/F2AFB96ECBE9933F
created: 2019-06-28 expires: 2022-11-08 usage: SC
trust: full validity: unknown
ssb rsa4096/E16D4C191B78D8D3
created: 2019-06-28 expires: 2022-11-08 usage: E
[ unknown] (1). stevelee477 <[email protected]>

gpg> key 1

sec rsa4096/F2AFB96ECBE9933F
created: 2019-06-28 expires: 2022-11-08 usage: SC
trust: full validity: unknown
ssb* rsa4096/E16D4C191B78D8D3
created: 2019-06-28 expires: 2022-11-08 usage: E
[ unknown] (1). stevelee477 <[email protected]>

gpg> keytocard
Please select where to store the key:
(2) Encryption key
Your selection? 2

sec rsa4096/F2AFB96ECBE9933F
created: 2019-06-28 expires: 2022-11-08 usage: SC
trust: full validity: unknown
ssb* rsa4096/E16D4C191B78D8D3
created: 2019-06-28 expires: 2022-11-08 usage: E
[ unknown] (1). stevelee477 <[email protected]>

gpg> save

After that, git commit can happily sign with the Canokey.

TOTP

Canokey can store some TOTP secret keys: on iOS, install Yubikey Authenticator, read the key over NFC, and you can then manage TOTP. The TOTP codes can also be viewed in the Web Console.


Note that Canokey's NFC antenna still falls somewhat short of Yubikey's, so using NFC on mobile devices may take some technique.

On macOS you can use Yubikey-Authenticator.

Other

Canokey also supports PIV, which can be used for login authentication on macOS, but once SmartCard is enabled the password can no longer be used, which I don't feel is very reliable.

I bought the Canokey for 169, quite a bit cheaper than the Yubikey 5 NFC's $45, while it provides most of Yubikey's features. The level of completeness is also high.

More links

Canokey official site