See also smartcard API #1255.
Initial support added in r18801.
To use it:
It will print the public key and the key handle, both of which need to be preserved. The public key is stored on the server, the key handle is used on the client to tell libu2f which key to use for authentication.

    xpra start --start-child="xterm" --bind-tcp=0.0.0.0:10000 -d auth \
        --tcp-auth=u2f,public_key=041438f9c6cb2b6dec3a86e3b9eb7afe77112c817a371a9b0b74988619cf5f5b06b8211a4082818940de564aca8ac7dfecf34d23187b42340a261891c637cba794

    XPRA_U2F_KEY_HANDLE=ebecec9d7665dec1e1c6261ede6ad7ba2556a07be705c4bff399b3acf37e00a6e82b26ebbb759418be22fa8bbbec6ac1c0007257d23550e63fdbf2853259499e \
        xpra attach tcp://localhost:10000 -d auth
And activate the U2F key when requested (ie: when it blinks).
~/.xpra/u2f.hex?) and maybe support other key storage formats than hex?
There are other libraries we can use to interface with u2f, but they're not as nice, ie: python-u2flib-host.
example of all in one registration + authentication using pyu2f
alternative example using u2flib_host
Although we still support environment variables for specifying the key-handle and the public key, the preferred way is to store them as hexadecimal files in the application's user configuration directory (ie: .xpra on POSIX).
Running the new browser/xpra/trunk/src/xpra/client/gtk_base/u2f_tool.py will create two files there:
* u2f-keyhandle.hex containing the key handle used by the client for talking to the U2F device. This file may be renamed to u2f-keyhandle-example.com.hex, which will be used when connecting to the example.com server only (ie: xpra attach ssh://example.com/) - note: we only try the first valid key handle we find.
* u2f-pub.hex which contains the public key matching the key handle. This file can be renamed (ie: u2f-pub-myusername.hex) and the server will try to load every file matching u2f-pub*.hex, accepting the authentication as soon as one public key validates the signature successfully.
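The key-file lookup described above, written out as an added example (this is not xpra's own code; the function names, the `verify` callback and all sample values are constructed for illustration). The client side prefers `u2f-keyhandle-<host>.hex` over `u2f-keyhandle.hex` and stops at the first valid handle; the server side loads every `u2f-pub*.hex`, discards files that are not well-formed 65-byte uncompressed P-256 points, and accepts as soon as one key verifies the signature. The actual ECDSA check is left to a caller-supplied function so the example runs offline with the standard library only.

```python
"""Hypothetical U2F key-file helpers mirroring the layout the ticket describes (not xpra code)."""
import glob
import os
import tempfile

KEYHANDLE_PREFIX = "u2f-keyhandle"
PUBKEY_PREFIX = "u2f-pub"


def read_hex_file(path):
    """Return the bytes encoded in a .hex file; whitespace is ignored, bad hex raises ValueError."""
    with open(path, "r", encoding="ascii") as f:
        text = "".join(f.read().split())
    return bytes.fromhex(text)


def is_valid_public_key(pub):
    """Shape check only: a U2F public key is an uncompressed P-256 point, 65 bytes, 0x04 prefix.
    Whether the point is actually on the curve is the signature library's job."""
    return len(pub) == 65 and pub[0] == 0x04


def select_key_handle(config_dir, host):
    """Client side: try the host-specific file first, then the generic one; first valid handle wins."""
    candidates = [
        os.path.join(config_dir, "%s-%s.hex" % (KEYHANDLE_PREFIX, host)),
        os.path.join(config_dir, "%s.hex" % KEYHANDLE_PREFIX),
    ]
    for path in candidates:
        if not os.path.isfile(path):
            continue
        try:
            handle = read_hex_file(path)
        except ValueError:
            continue  # unreadable file: fall through to the next candidate
        if handle:
            return path, handle
    return None, None


def load_public_keys(config_dir):
    """Server side: every u2f-pub*.hex that decodes to a well-formed key, keyed by file name."""
    keys = {}
    for path in sorted(glob.glob(os.path.join(config_dir, PUBKEY_PREFIX + "*.hex"))):
        try:
            pub = read_hex_file(path)
        except ValueError:
            continue  # garbage file: ignore rather than abort the whole login
        if is_valid_public_key(pub):
            keys[os.path.basename(path)] = pub
    return keys


def authenticate(config_dir, verify, signed_data, signature):
    """Accept the login as soon as one stored public key verifies the signature.
    `verify(pub, signed_data, signature)` is an assumed ECDSA P-256/SHA-256 checker
    (e.g. from a U2F library) returning True or False; it must not raise on mismatch."""
    for name, pub in load_public_keys(config_dir).items():
        if verify(pub, signed_data, signature):
            return name
    return None


def demo():
    """Exercise both sides against a throwaway config directory with constructed files."""
    pub_good = bytes([0x04]) + bytes(range(64))     # constructed: right shape, not a real key
    pub_short = bytes([0x04]) + bytes(range(32))    # constructed: wrong length, must be ignored
    handle_host = bytes.fromhex("a1" * 16)          # constructed handle for example.com
    handle_default = bytes.fromhex("b2" * 16)       # constructed generic handle

    def write(d, name, text):
        with open(os.path.join(d, name), "w", encoding="ascii") as f:
            f.write(text + "\n")

    with tempfile.TemporaryDirectory() as d:
        write(d, "u2f-keyhandle-example.com.hex", handle_host.hex())
        write(d, "u2f-keyhandle.hex", handle_default.hex())
        write(d, "u2f-pub-alice.hex", pub_good.hex())
        write(d, "u2f-pub-broken.hex", pub_short.hex())
        write(d, "u2f-pub-garbage.hex", "not hex at all")
        _, h_host = select_key_handle(d, "example.com")
        _, h_other = select_key_handle(d, "other.example.net")
        # stand-in verifier: succeeds only for the key we "registered"
        accepted = authenticate(d, lambda pub, data, sig: pub == pub_good, b"signed", b"sig")
        rejected = authenticate(d, lambda pub, data, sig: False, b"signed", b"sig")
        return {
            "host_handle": h_host.hex(),
            "default_handle": h_other.hex(),
            "public_keys": sorted(load_public_keys(d)),
            "accepted": accepted,
            "rejected": rejected,
        }


if __name__ == "__main__":
    print(demo())
```

Note that a malformed or truncated key file is skipped rather than treated as fatal, so one stale `u2f-pub-old.hex` cannot lock every user out; the flip side is that the server silently ignores such files, so logging each skipped path (as `-d auth` would surface) is worth adding in a real deployment.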
Testing locally with an $18 FIDO U2F Security Key:

    xpra start --start-child="xterm" --bind-tcp=0.0.0.0:10000 --tcp-auth=u2f -d auth
    xpra attach tcp://127.0.0.1:10000 -d auth
To test using a remote client machine (ie: already tested with Linux, win32 and macOS as both clients and servers):
* u2f_tool on the new client system,
* u2f-pub.hex to the user configuration directory on the server (ie:
~/.config/Yubico/u2f_keys like pam-u2f does?
This ticket has been moved to: https://github.com/Xpra-org/xpra/issues/1789