{"id":22140884,"url":"https://github.com/stealth/u2f","last_synced_at":"2025-07-25T23:31:46.879Z","repository":{"id":25211534,"uuid":"28635568","full_name":"stealth/u2f","owner":"stealth","description":"U2F toolset","archived":false,"fork":false,"pushed_at":"2023-08-31T06:20:27.000Z","size":28,"stargazers_count":16,"open_issues_count":0,"forks_count":4,"subscribers_count":2,"default_branch":"master","last_synced_at":"2023-08-31T18:39:50.129Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stealth.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-12-30T15:29:31.000Z","updated_at":"2023-08-31T06:20:32.000Z","dependencies_parsed_at":"2022-09-17T00:51:46.314Z","dependency_job_id":null,"html_url":"https://github.com/stealth/u2f","commit_stats":null,"previous_names":[],"tags_count":1,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stealth%2Fu2f","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stealth%2Fu2f/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stealth%2Fu2f/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stealth%2Fu2f/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stealth","download_url":"https://codeload.github.com/stealth/u2f/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":227629068,"owners_count":17796054,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-
05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-01T21:08:27.629Z","updated_at":"2024-12-01T21:08:28.403Z","avatar_url":"https://github.com/stealth.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"U2F utils\n=========\n\nThis u2f toolset contains small-footprint u2f tools for enrolling\nand signing operations as well as a _PAM_ module for authenticating\nusers on local services where they can physically plug in the\nu2f token (e.g. _xdm_, _login_, _su_, ...).\n\nI wrote this u2f stack in order to get familiar with u2f crypto, the\nshortcomings of u2f in general and weaknesses of other u2f stacks in\nparticular. Remote tools for u2f ssh etc. are underway.\n\nBuild\n-----\n\nYou need some of the `-dev` libs installed, such as `libpam-dev` and `libudev-dev`.\n\nInside this dir, run\n\n```\n$ git clone https://github.com/signal11/hidapi\n```\n\nto get the HIDAPI for accessing the security token. Then:\n\n```\n$ make\n$ make install\n```\n\nYou need to set up proper udev rules so the security token\nappears as a `/dev/hidraw*` device with the permissions you prefer,\nor manually load the hid driver.\n\nInstall\n-------\n\nTo enroll a key you use either `u2f-enroll`, or `pam-enroll`\nif you want to enroll a key suitable for _PAM_ authentication:\n\n```\nlocalhost: # pam-enroll stealth\nRemove token \u003cENTER\u003e\n\nInsert token of user 'stealth' and press token-button if available. 
Then \u003cENTER\u003e\n\nGot 631 bytes (sw=9000)\n\npubkey claims to be signed with cert (unchecked!):\n\nCertificate:\n    Data:\n        Version: 3 (0x2)\n        Serial Number: 18327115537361868814 (0xfe56fe7ae1ff180e)\n    Signature Algorithm: ecdsa-with-SHA256\n        Issuer: CN=Plug-up FIDO Internal Attestation CA #1\n        Validity\n            Not Before: Oct  3 08:06:48 2014 GMT\n            Not After : Oct  3 08:06:48 2034 GMT\n        Subject: CN=Plug-up FIDO Production Attestation #fe56fe7ae1ff180e\n        Subject Public Key Info:\n            Public Key Algorithm: id-ecPublicKey\n                Public-Key: (256 bit)\n                pub: \n                    04:75:ea:06:60:e2:90:63:74:84:37:00:00:af:aa:\n                    32:25:3e:82:7b:d8:48:74:93:a6:86:a5:68:4c:65:\n                    ca:ce:09:8b:e8:bf:4b:87:25:3d:ef:96:b9:40:23:\n                    01:06:fc:46:06:1f:7d:65:46:c1:6f:14:b2:5a:bf:\n                    30:19:d8:f4:27\n                ASN1 OID: prime256v1\n        X509v3 extensions:\n            X509v3 Subject Key Identifier: \n                76:2B:44:6F:F2:94:ED:32:2A:E4:29:09:4F:A9:84:D8:85:3E:35:80\n            X509v3 Authority Key Identifier: \n                keyid:CF:A7:44:F2:A1:62:50:F0:39:E9:92:85:E3:DA:50:E7:7D:B0:3A:A8\n\n    Signature Algorithm: ecdsa-with-SHA256\n         30:44:02:20:6b:5f:ea:7f:dd:ce:65:84:3b:25:d6:a6:fc:8a:\n         4d:b7:3b:80:b1:e6:44:2e:ab:06:77:a9:3e:3d:b9:35:1f:22:\n         02:20:59:5b:82:32:79:21:c2:8f:ad:20:62:b9:2a:ea:07:c4:\n         37:a5:4d:46:a6:2c:8b:e6:ee:fb:69:5b:8a:b1:44:16\n\n```\n\nIf `/dev/hidraw0` is not the right device for you, pass the device path as the\nsecond argument of `pam-enroll`. You can also enroll keys via `u2f-enroll` and\nstore the keys manually.\n\n`pam-enroll` stores the key handle along with the public key in `/etc/u2f/keys`:\n\n```\nlocalhost:# cat /etc/u2f/keys/_stealth\nH=b67350 [...] 
18273a626dc0743c\n-----BEGIN PUBLIC KEY-----\nMIIBSzCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAABAAAA\n[...]\n\n[...]\nSLI/caIDeYpo3lRlEdIWUX87A1cWC3YpCPJ89G1Hc9Fb9TtELXRiP3tHSfhgyVU=\n-----END PUBLIC KEY-----\n```\n\nYou can then add `pam_fido-u2f.so` to any _PAM_ service file (only\nlocal services), for example the one of the _xdm_ display manager:\n\n```\nlocalhost: # cat /etc/pam.d/xdm\n#%PAM-1.0\nauth     include        common-auth\nauth     required       pam_fido-u2f.so\naccount  include        common-account\npassword include        common-password\nsession  required       pam_loginuid.so\nsession  include        common-session\n```\n\nNext time someone logs in via _xdm_, a u2f token is required, which\nmust contain the private key belonging to the public part\nstored in `/etc/u2f/keys`. Note that users who are not enrolled\nvia `pam-enroll` can no longer log in via _xdm_! __So be sure that\n_root_ is properly enrolled__.\n\nIf you have a USB keyboard or any other HID device besides the u2f token\nalready attached, you may need to specify the device path in the _PAM_\nfile, as in:\n\n    auth     required       pam_fido-u2f.so\tdevice=/dev/hidraw1\n\nfor example, or whatever name the token shows up under once plugged in.\n\n\nu2f limitations\n---------------\n\nPlease note that 2FA tokens/mechanisms are of limited use to protect\nshell access, since there are many ways to plant 2FA-less backdoors once\nshell access has been gained by an attacker in the first place.\nA proper gateway and VPN setup is mandatory in order for 2FA to provide a\nreal security benefit. __Also note that the FIDO U2F standard chose a\nNIST ECC curve (NIST P-256 aka `NID_X9_62_prime256v1`) for the crypto\noperations.__ Yes, that's the same NIST that apparently already backdoored other\ncrypto protocols. 
So you can consider `NID_X9_62_prime256v1` to be weak,\nbut it might be good enough as a second factor for medium-security sites.\nNote also that USB tokens are subject to bad-USB style attacks. Some tokens\neven have an API beyond FIDO U2F that allows for easy storage of keystrokes\nand replay, once plugged in. So while it is in general a good idea to\nhave 2FA, you always add an additional attack vector to your site that\nhas not been there before.\n\n\n_Part of this code is (C) 2014 Google Inc. under a BSD-ish license.\nPlease refer to the source code for details._\n\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstealth%2Fu2f","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstealth%2Fu2f","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstealth%2Fu2f/lists"}