Please let me know, what is the difference between the current Nitrokey FIDO2 and SoloKey?
If trying to do it yourself, then would it require an STM controller, which costs about $20 in cheap stores like AliExpress?
When are they going to support the OpenSSH command: ssh-keygen -t ecdsa-sk ?
Recently I tried that “nice and shiny” Feitian K9B FIDO2, and it does NOT work with OpenSSH.
It reports a protocol error after the button on the token is touched.
I tried two such FIDO2 tokens without any success.
I guess GNUK2 is a different thing? Is it similar to Nitrokey Start?
Can it be done yourself using very cheap hardware like STLinks for $5 apiece?
Our complete hardware design files, including Nitrokey FIDO2, are on GitHub.
There are a couple of differences, which can be seen by comparing the codebases. We use slightly different hardware and firmware. We have audited it as well, and supplied patches (downgrade protection, PIN hashing etc.). We plan to add some additional features as well, like Nitrokey Webcrypt. With time the list of differences will get longer.
OpenSSH 8.2 is already working with Nitrokey FIDO2. Its support requires implementing the latest FIDO2 specification, which came out of draft just a couple of months ago. Devices with older firmware do not support the new commands needed.
What is GNUK2?
Yes, GNUK can be run on a couple of platforms, specifically the cheap dongles you mention.
The latest one is 1.2.15, hence my confusion. Do you mean some other product or fork?
Anyway, regarding differences for Nitrokey Start, we have released multiple identities support recently, which lets one device handle three completely separate virtual smart cards (separate PIN, separate data etc.).
I think there were some changes between 2.1 (pre) and the actual 2.1 release. I would ask them about that.
Maybe v2.2 was the version of the PGP Card specification inside GNUK I was referring to, or even desktop GnuPG 2.2 :). Sorry for my mistakes related to GNUK in this topic; I will look into this again later while sorting links to different websites related to secure cards for OpenSC.
Gnuk is an implementation of a USB cryptographic token for GNU Privacy Guard. Gnuk supports OpenPGP card protocol version 3, and it runs on the STM32F103 processor.
Will you support, in your newer firmware, further progress of the FIDO2 standard & OpenSSH evolution?
I still have not learned the whole working principle of FIDO2 and the OpenSSH plugin for it.
When using a FIDO2 token together with OpenSSH, is any private key material stored beyond the FIDO2 token, on the disk of the host computer (maybe encrypted by the FIDO2 token's own non-extractable key)? Can such material be leaked by side channels like emission?
Is FIDO2 then, in this respect, significantly worse than keeping non-extractable SSH keys in the NK PRO2, rather than partially in FIDO2?
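Added example (not from this thread, and not Nitrokey's or OpenSSH's own code): the question of what ends up on the host disk can be answered by looking at the key blobs that ssh-keygen -t ecdsa-sk writes. Their layout is defined in OpenSSH's PROTOCOL.u2f, and the flag bits in sk-api.h; both are reproduced here from that documentation. The decoder below builds and parses both the public blob (the authorized_keys / .pub form) and the inner private-key blob, using a constructed curve point and a constructed credential ID rather than real key material. What the host keeps is the public point, the application string, the flags and the token's key handle; there is no private scalar field, because the token never exports one.

```python
"""Decode OpenSSH sk-ecdsa (FIDO2) key blobs to show what the host stores.

Layout follows OpenSSH PROTOCOL.u2f; flag values follow sk-api.h.
All key bytes in this file are constructed samples, not real keys.
"""
import base64
import struct

SK_ECDSA_TYPE = b"sk-ecdsa-sha2-nistp256@openssh.com"

# Flag bits carried in the private key blob (OpenSSH sk-api.h).
SSH_SK_USER_PRESENCE_REQD = 0x01
SSH_SK_USER_VERIFICATION_REQD = 0x04
SSH_SK_RESIDENT_KEY = 0x20


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Decode one SSH 'string' at offset off; return (value, new_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def build_public_blob(point: bytes, application: bytes) -> bytes:
    """Public key blob: type, curve name, EC point, application string."""
    return (ssh_string(SK_ECDSA_TYPE) + ssh_string(b"nistp256")
            + ssh_string(point) + ssh_string(application))


def build_private_blob(point: bytes, application: bytes,
                       flags: int, key_handle: bytes) -> bytes:
    """Private key blob: public fields + flags + key_handle + reserved.
    There is no private scalar; the token keeps that internally."""
    return (build_public_blob(point, application) + bytes([flags])
            + ssh_string(key_handle) + ssh_string(b""))


def parse_public_blob(blob: bytes) -> dict:
    ktype, off = read_string(blob, 0)
    if ktype != SK_ECDSA_TYPE:
        raise ValueError("unexpected key type %r" % ktype)
    curve, off = read_string(blob, off)
    point, off = read_string(blob, off)
    application, off = read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after public key")
    # Uncompressed P-256 point: 0x04 || X (32 bytes) || Y (32 bytes).
    if curve != b"nistp256" or len(point) != 65 or point[0] != 0x04:
        raise ValueError("malformed P-256 public point")
    return {"type": ktype.decode(), "curve": curve.decode(),
            "point": point, "application": application.decode()}


def is_valid_public_blob(blob: bytes) -> bool:
    try:
        parse_public_blob(blob)
        return True
    except ValueError:
        return False


def parse_private_blob(blob: bytes) -> dict:
    # The leading fields are exactly the public blob; find where they end.
    off = 0
    for _ in range(4):
        _, off = read_string(blob, off)
    fields = parse_public_blob(blob[:off])
    flags = blob[off]
    off += 1
    key_handle, off = read_string(blob, off)
    reserved, off = read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after private key")
    fields.update({
        "flags": flags,
        "key_handle": key_handle,
        "reserved": reserved,
        "user_presence_required": bool(flags & SSH_SK_USER_PRESENCE_REQD),
        "user_verification_required": bool(flags & SSH_SK_USER_VERIFICATION_REQD),
        "resident_key": bool(flags & SSH_SK_RESIDENT_KEY),
    })
    return fields


def parse_authorized_keys_line(line: str) -> dict:
    """Parse 'type base64 [comment]' as found in .pub / authorized_keys."""
    ktype, b64, *comment = line.split()
    fields = parse_public_blob(base64.b64decode(b64))
    if fields["type"] != ktype:
        raise ValueError("type prefix does not match blob")
    fields["comment"] = " ".join(comment)
    return fields


# Constructed samples: not a real curve point, not a real credential ID.
SAMPLE_POINT = b"\x04" + bytes(range(64))
SAMPLE_KEY_HANDLE = b"constructed-credential-id"
SAMPLE_PUBLIC_LINE = "%s %s fido2-demo" % (
    SK_ECDSA_TYPE.decode(),
    base64.b64encode(build_public_blob(SAMPLE_POINT, b"ssh:")).decode())
SAMPLE_PRIVATE_BLOB = build_private_blob(
    SAMPLE_POINT, b"ssh:", SSH_SK_USER_PRESENCE_REQD, SAMPLE_KEY_HANDLE)

if __name__ == "__main__":
    for name, value in parse_private_blob(SAMPLE_PRIVATE_BLOB).items():
        print("%-28s %r" % (name, value))
```

On a real system the private blob sits inside the usual openssh-key-v1 envelope of ~/.ssh/id_ecdsa_sk, which the example does not unwrap; what the printout makes visible is that an attacker who copies that file gets the key handle and public data but still needs the token (and a touch, when the user-presence flag is set) to produce a signature.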