SSH with FIDO2 keys on hardware tokens

I recently bought a pair of Token2 FIDO2 hardware security keys. Those are USB/NFC devices to store cryptographic keys on and use them for authentication purposes on various services.

Besides their main purpose of serving as my passkey supply, I’ve set them up to be used for SSH authentication as well.

This is straightforward these days, provided you meet the prerequisite of a recent SSH version (OpenSSH >= 8.3).

Technicalities

SSH authentication by means of cryptographic keys usually works with an asymmetric key pair, as you might know from tools like PGP. You put the public key part on the server you want to log in to. When opening an SSH session to the server, you use your private key to sign the authentication challenge issued by the server. The server verifies it’s really you by checking the signature on the challenge against the public key you placed on the server earlier.

For FIDO2 keys this is slightly different. The file that plays the role of the private key on your machine does not contain the private key at all. Instead, when you create an SSH key to be used with the FIDO2 token, that file holds a reference (a key handle) to the credential on the hardware token, and the token performs the signing on your behalf.

Generating the SSH Keypair

To make use of your FIDO2 key for SSH you have to generate a new SSH key pair which is associated to your FIDO2 hardware key.

ssh-keygen -t ed25519-sk -O resident -O verify-required -C "Comment"

The option -t ed25519-sk tells ssh-keygen to generate an elliptic-curve key, more specifically one on the Ed25519 curve. The suffix "-sk" indicates that the resulting private key file is a key handle associated with the FIDO authenticator.

The option -O resident tells ssh-keygen to store the key handle on the FIDO token itself, and the option -O verify-required will require you to press the FIDO key when requested to confirm your physical presence. Finally, -C "Comment" is, as you would expect, the comment attached to the key pair.

Putting your new SSH public key on the destination server

As with normal SSH key pairs, you just add the contents of your public key to the ~/.ssh/authorized_keys file on the destination server. You can use the ssh-copy-id command for this:

Login to the remote machine using your passkey

Now you should be able to log in to the remote machine using your passkey.

Plug in your FIDO token and start the SSH connection. You’ll be asked for the PIN of the hardware token to unlock it before the key can be used. If your PIN is correct the token will start blinking and request you to touch it to prove your physical presence.

Using your key on a new machine

Now that you have set up your machine to make use of the FIDO2 key, you might want to use the key on another computer. Since it’s stored on your hardware token, you can use it from any machine without copying your private key onto multiple machines.

All you need to do is to create the respective key handle file and import the public key for your private key on the hardware token. This can be achieved with the ssh-keygen -K command.

This will put two files in the current directory. The file id_ed25519_sk_rk is the passphrase-protected key handle file referencing your private key on the FIDO hardware token. The file id_ed25519_sk_rk.pub is the corresponding SSH public key, which you can share with your remote machines.

Your private key is still safely located on the hardware token. The key handle file alone can’t be used to establish an SSH connection to remote machines; it requires the hardware token as well.
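The following is an added example (not code from the original post) showing what the .pub file contains, whether it was written at generation time or later by ssh-keygen -K, and how to turn it into an authorized_keys entry that makes sshd itself enforce user verification. It decodes the OpenSSH wire format of an sk-ssh-ed25519@openssh.com public key: key type, 32-byte Ed25519 public key, and the application string (the FIDO relying-party id, "ssh:" by default). The key bytes in it are constructed dummy data, not a real credential, and the function names are my own.

```python
"""Parse an OpenSSH FIDO2 ("-sk") public key line and build a hardened
authorized_keys entry.  Added example; the key built below is CONSTRUCTED
dummy data, not a real credential."""
import base64
import struct

SK_ED25519 = "sk-ssh-ed25519@openssh.com"


def _ssh_string(blob: bytes, off: int):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated string")
    return blob[off:off + n], off + n


def parse_sk_pubkey(line: str) -> dict:
    """Decode a 'sk-ssh-ed25519@openssh.com AAAA... comment' line.

    The blob holds: string key-type, string Ed25519 public key (32 bytes),
    string application (the relying-party id, "ssh:" unless -O application
    was given).  No private material is here: the .pub only identifies the
    credential the token will sign with."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("need '<type> <base64> [comment]'")
    ktype, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    wire_type, off = _ssh_string(blob, 0)
    if ktype != SK_ED25519 or wire_type.decode() != ktype:
        raise ValueError("not an sk-ssh-ed25519 key")
    pub, off = _ssh_string(blob, off)
    if len(pub) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    app, off = _ssh_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes in key blob")
    return {"type": ktype, "public_key": pub,
            "application": app.decode(), "comment": comment}


def authorized_keys_entry(line: str, verify_required: bool = True) -> str:
    """Return the authorized_keys line for this key.  Prefixing
    'verify-required' (an sshd option since OpenSSH 8.3) makes the server
    reject signatures the token produced without user verification (PIN),
    regardless of how the client-side key handle was generated."""
    parse_sk_pubkey(line)  # validate the line before trusting it
    opts = "verify-required " if verify_required else ""
    return f"{opts}{line.strip()}"


def constructed_pubkey_line() -> str:
    """Build a syntactically valid sk-ssh-ed25519 line from dummy bytes
    (NOT a real key) so the parser can be exercised offline."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    blob = s(SK_ED25519.encode()) + s(bytes(range(32))) + s(b"ssh:")
    return f"{SK_ED25519} {base64.b64encode(blob).decode()} token2-demo"


if __name__ == "__main__":
    demo = constructed_pubkey_line()
    print(parse_sk_pubkey(demo))
    print(authorized_keys_entry(demo))
```

A caveat on the options used above, from the ssh-keygen and sshd manual pages: -O verify-required records in the key handle that user verification (the PIN prompt) is needed for every signature, while touching the key to confirm physical presence is required by default for all -sk keys unless they were generated with -O no-touch-required. Since the client-side flag is optional, the server-side verify-required option in authorized_keys is what actually guarantees that a key handle file plus a token used without PIN entry cannot log in.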

Manage your Token2 PIN

To manage the PIN of your Token2 keys you can either use a Chrome-based browser or use the fido2-manage tool provided by Token2.

Upscale Videos using open source AI tools

I recently got the question from my uncle whether I could upscale one of his really old videos. The source was a short 10-second video with some low-quality audio in 320×240 pixel resolution, likely taken by one of the first video-capable digital cameras or a phone many years ago.

I accepted the challenge as I had seen some AI tools like DiffusionBee being able to upscale images with decent quality.

I haven’t found a good free tool to upscale a video directly yet. There are shady free tools out there, but I don’t trust them.

What I ended up doing is exporting each frame of the original video to an image, scaling the images up with an open-source AI model, and then stitching them back together into a video.

1.) export each frame of the video to a JPEG file, export sound into a single file

ffmpeg -i input.mp4 ./LOW/frame_%04d.jpg
ffmpeg -i input_video.mpeg -vn ./output_audio.mp3

Directory Structure:

.
├── HIGH
│   ├── upscayl_jpg_realesrgan-x4plus_4x
│   │   ├── frame_0001.jpg
│   │   ├── frame_0002.jpg
│   │   ├── frame_0003.jpg
...
│   │   ├── frame_0254.jpg
│   │   └── frame_0255.jpg
│   ├── upscayl_jpg_remacri_3x
│   ├── upscayl_jpg_ultramix_balanced_3x
│   └── upscayl_jpg_ultrasharp_2x
└── LOW
    ├── frame_0001.jpg
    ├── frame_0002.jpg
...
    ├── frame_0254.jpg
    └── frame_0255.jpg

2.) Upscale images using the AI tool Upscayl

https://upscayl.org/

brew install --cask upscayl

3.) combine new images into a movie

cd ./HIGH/upscayl_jpg_realesrgan-x4plus_4x

ffmpeg -framerate 15 -f image2 -pattern_type glob -i "frame_*.jpg" -i ../../output_audio.mp3 -c:v libx264 -crf 1 -vf scale=2048:2048 -pix_fmt yuv420p -vb 100M ../output_${PWD##*/}.mp4
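An added helper (not part of the original post, and in Python rather than the shell commands above) that checks the exported frame sequence before step 3 and builds the ffmpeg command line with a glob that matches every frame. The directory names follow the tree above; make_demo_tree() creates a small constructed layout in a temporary directory so the checks run offline, and all function names are my own.

```python
"""Check an exported frame directory before stitching it back into a video
and build the ffmpeg argv for step 3.  Added example; the layout created by
make_demo_tree() is constructed test data."""
import os
import re
import tempfile
from typing import List, Tuple

FRAME_RE = re.compile(r"^frame_(\d{4})\.jpg$")


def frame_numbers(directory: str) -> List[int]:
    """Sorted frame indices found in directory (frame_0001.jpg -> 1)."""
    nums = []
    for name in os.listdir(directory):
        m = FRAME_RE.match(name)
        if m:
            nums.append(int(m.group(1)))
    return sorted(nums)


def missing_frames(directory: str) -> List[int]:
    """Indices absent between the first and last frame, e.g. frames the
    upscaler skipped; a gap would silently shorten the stitched video."""
    nums = frame_numbers(directory)
    if not nums:
        return []
    present = set(nums)
    return [i for i in range(nums[0], nums[-1] + 1) if i not in present]


def frame_count_matches(low_dir: str, high_dir: str) -> bool:
    """True when the upscaled directory holds exactly the exported frames."""
    return frame_numbers(low_dir) == frame_numbers(high_dir)


def stitch_command(high_dir: str, audio: str, fps: int = 15) -> List[str]:
    """ffmpeg argv: glob 'frame_*.jpg' (not 'frame_?.jpg', which matches a
    single character only) and an output name taken from the directory's
    basename, i.e. the upscaler model used."""
    model = os.path.basename(os.path.normpath(high_dir))
    return ["ffmpeg", "-framerate", str(fps), "-f", "image2",
            "-pattern_type", "glob", "-i", os.path.join(high_dir, "frame_*.jpg"),
            "-i", audio, "-c:v", "libx264", "-crf", "1",
            "-pix_fmt", "yuv420p", f"output_{model}.mp4"]


def make_demo_tree() -> Tuple[str, str]:
    """Constructed layout in a temp dir: LOW has frames 1-5, the HIGH model
    directory is missing frame 3.  Returns (low_dir, high_dir)."""
    root = tempfile.mkdtemp(prefix="upscale-demo-")
    low = os.path.join(root, "LOW")
    high = os.path.join(root, "HIGH", "upscayl_jpg_realesrgan-x4plus_4x")
    os.makedirs(low)
    os.makedirs(high)
    for i in range(1, 6):
        with open(os.path.join(low, f"frame_{i:04d}.jpg"), "wb"):
            pass
        if i != 3:
            with open(os.path.join(high, f"frame_{i:04d}.jpg"), "wb"):
                pass
    return low, high


if __name__ == "__main__":
    low_dir, high_dir = make_demo_tree()
    print("missing in HIGH:", missing_frames(high_dir))
    print("counts match:", frame_count_matches(low_dir, high_dir))
    print(" ".join(stitch_command(high_dir, "output_audio.mp3")))
```

The glob matters: frame_?.jpg matches only a single character after the underscore, so a four-digit sequence is not picked up at all, while frame_*.jpg is. Note also that scale=2048:2048 forces a square output frame; scale=-2:2048 keeps the source aspect ratio and rounds the width to an even number, which libx264 with yuv420p requires.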

Status

Can I post pictures with a Mastodon app to #WordPress?

Status

Ok, now testing #IceCubes app from the iPhone with #WordPress status post type

OmniFocus 4 Update odyssey

OmniGroup released a new major version of OmniFocus this week. So I upgraded and installed the new app on my Mac. This replaced the old app and didn’t import the old database, but instead relies on the sync setup, I guess.

I thought that wouldn’t be a problem as I’m using their OmniSync server to sync my database between devices. Entered my OmniSync credentials and thought it would just sync. But instead it asked me for a document decryption passphrase … which I didn’t recall.

Browsing through their help document it appears that when they initially introduced the OmniSync service the device used the account passphrase to encrypt the database before transfer to their server. So the database sits encrypted on their servers.

At some point later I had changed my password for the OmniSync service. But the passphrase for the database encryption didn’t change. Unfortunately I don’t remember the old account password and thus can’t decrypt the database after sync.

The app which still syncs to the server also does not show this password. I can reveal the OmniSync account password on the device, but not the encryption password.

Fortunately I still had the old OmniFocus 3 app on my iPhone with a recent copy of my data. The new OmniFocus 4 installs in parallel on the iPhone and has the same syncing issue as the desktop app. The OmniFocus 3 app can’t export its own backup for import into any of the other app instances. So what now?

I ended up turning off the sync on the OmniFocus 3 app on the phone. Then I configured a new sync to my own private WebDAV server (NextCloud). The idea was that I’d sync via WebDAV instead of the OmniSync service.

On the initial setup I entered my NextCloud username and password and clicked on “Sync”. But that gave me an error message. Because I’m using 2FA on NextCloud I first have to create an app-specific password in NextCloud. Did that and went back to OmniFocus 3 on the iPhone. But in the settings there are no fields for username and password. Just the server URL for WebDAV. I’m starting to curse silently …

Apparently there is no way to change the credentials once you’ve entered them in OmniFocus … Found one blog entry where someone had to reset their OmniFocus database to get to change the credentials. That is what I definitely want to avoid.

Luckily I was able to put the credentials directly into the URL as https://username:password@server.url

This finally enabled the WebDAV sync and uploaded my OmniFocus database to my NextCloud server. I then entered the same settings into the OmniFocus 4 desktop app. Now again it was asking me for a decryption passphrase …

I checked the OmniFocus 3 app on the phone and revealed the password in the WebDAV settings. Surprisingly this was a password I recognise. Not the one for my OmniSync account and not the one for my NextCloud account. Nor the app-specific NextCloud credentials… I have no idea where OmniFocus was pulling this password from…

And of course … this password I tried with the OmniSync service for decrypting the database. But it didn’t work either.

At least I’ve got a working sync now after the upgrade to Version 4 …