ssh authentication using FIDO/U2F hardware authenticators
Starting with the OpenSSH 8.2 release, ssh supports authentication using FIDO/U2F hardware authenticators. Every FIDO token is required to implement the ECDSA P-256 "ecdsa-sk" key type, and some (for example the Yubikey) also support Ed25519 ("ed25519-sk") keys. In this example I am using a Yubikey 5.
I am going to generate a non-discoverable key on the token itself. This means that along with the token we will also have a key file on disk (it holds a key handle, not the private key, which never leaves the device), and one needs both to authenticate. If someone steals your Yubikey, they will not be able to log in with it alone.
✦ ❯ ssh-keygen -t ed25519-sk -f .ssh/id_ed25519_sk
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in .ssh/id_ed25519_sk
Your public key has been saved in .ssh/id_ed25519_sk.pub
The key fingerprint is:
SHA256:CoQKA0blJ8A1xOwri167mIDb7rHxr59TYwI25ChOZ4Y kdas@localhost.localdomain
The key's randomart image is:
+[ED25519-SK 256]-+
|++*= |
|o.o+o |
|o +*.. |
|oE.*B |
|+.+.oo S |
|.o . ...+ |
|+ =. .+ . |
|o++=. .. |
|o*=o+++. |
+----[SHA256]-----+
Here we passed the type of the key using the -t flag and the path at which to save the private key file using -f. I pasted the public key into the server's ~/.ssh/authorized_keys file (the server's sshd must also be OpenSSH 8.2 or newer, so that it understands the sk key types), and then configured the ssh client on my laptop to use that specific key via the ~/.ssh/config file.
Host kushaldas.in
HostName kushaldas.in
User kushal
IdentityFile ~/.ssh/id_ed25519_sk
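Once the public key is in authorized_keys it is worth checking which entries on a server are actually token-backed. The public half written by ssh-keygen -t ed25519-sk carries the key type sk-ssh-ed25519@openssh.com, and ecdsa-sk keys carry sk-ecdsa-sha2-nistp256@openssh.com, so the file can be audited by key type. The script below is an added example and not part of the original post; the authorized_keys contents it reads are constructed for the demonstration, and the key blobs in it are placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an authorized_keys
# file and show which entries are backed by a FIDO/U2F token and which are
# plain software keys that can be copied off disk.

# classify_key_line LINE -> prints "hardware", "software" or "skip"
classify_key_line() {
    line=$1
    case $line in
        ''|'#'*) echo skip; return 0 ;;
    esac
    # Walk the whitespace-separated fields so that a leading options prefix
    # (e.g. no-touch-required,command="...") is passed over until the key type.
    set -f                      # no globbing while the line is split
    for tok in $line; do
        case $tok in
            sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com)
                set +f; echo hardware; return 0 ;;
            ssh-ed25519|ssh-rsa|ssh-dss|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521)
                set +f; echo software; return 0 ;;
        esac
    done
    set +f
    echo skip
    return 0
}

# count_keys KIND FILE -> number of lines in FILE classified as KIND
count_keys() {
    kind=$1; file=$2; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        if [ "$(classify_key_line "$line")" = "$kind" ]; then
            n=$((n + 1))
        fi
    done < "$file"
    echo "$n"
    return 0
}

# audit_authorized_keys FILE -> one report line per key: kind and comment
audit_authorized_keys() {
    file=$1
    while IFS= read -r line || [ -n "$line" ]; do
        kind=$(classify_key_line "$line")
        if [ "$kind" != skip ]; then
            # the comment field is the last token on the line
            printf '%-8s %s\n' "$kind" "${line##* }"
        fi
    done < "$file"
    return 0
}

# Constructed sample authorized_keys (assumption for the demo); the blobs
# after the key type are placeholders, not real keys.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
# constructed sample authorized_keys
sk-ssh-ed25519@openssh.com AAAAplaceholder1 kdas@laptop
no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAplaceholder2 kdas@backup-token
ssh-ed25519 AAAAplaceholder3 kdas@old-laptop
command="/usr/bin/rrsync /srv/backup",no-pty ssh-rsa AAAAplaceholder4 backup@nas
EOF

audit_authorized_keys "$SAMPLE_FILE"
echo "hardware-backed: $(count_keys hardware "$SAMPLE_FILE"), software: $(count_keys software "$SAMPLE_FILE")"
```

Run it against a real /home/user/.ssh/authorized_keys to see which accounts still accept keys that live only on disk; on the sample above it reports two hardware-backed keys and two software keys.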
Finally we can login via ssh.
✦ ❯ ssh kushaldas.in
Enter passphrase for key '/home/kdas/.ssh/id_ed25519_sk':
Confirm user presence for key ED25519-SK SHA256:CoQKA0blJ8A1xOwri167mIDb7rHxr59TYwI25ChOZ4Y
User presence confirmed
$
You will notice that after asking for the passphrase of the key, ssh asks you to touch the Yubikey to confirm user presence. You can read more in the tutorial from Yubico.
If you do not touch the Yubikey in time, you will get an error like:
sign_and_send_pubkey: signing failed for ED25519-SK "/home/kdas/.ssh/id_ed25519_sk": invalid format