Securing SSH with FIDO2 (2024)

• OpenSSH 8.3 or newer

• FIDO2 security key

• YubiKey Manager (for setting the FIDO2 PIN)

• Enhanced Security: The private key is securely generated and stored on the YubiKey and cannot be exported.

• User Presence and Verification: Offers user verification via PIN and user presence through physical touch.

• User Preference or Policy: Extends existing FIDO2 usage when a security key is also being used for web app and desktop sign in.

• Credential Files:

  • Public key file (.pub) shared with the remote host.

  • Private key file in this case doesn’t actually contain the private key. Instead in contains a key handle (Credential ID) which references the private key on the security key.

• ed25519-sk

  • Recommended for better security and performance. Requires firmware 5.2.3 or higher.

• ecdsa-sk

• resident: Store the key handle on the FIDO2 authenticator itself. A PIN should be set on the authenticator prior to generation.

• verify-required: Indicates the private key should require user verification for each signature.

1. Insert the security key.

2. Open a terminal.

3. Generate the ssh credential files:

   ssh-keygen -t ed25519-sk -O resident -O verify-required -C "Your Comment"

4. Enter the PIN and touch the key when prompted.

5. Save the files (id_ed25519_sk and id_ed25519_sk.pub) in the ~/.ssh directory.

   See Also

   How to generate a public key ssh and add it to your trusted key on linuxHow to Find Unencrypted SSH Keys and Encrypt ThemCan SSH Keys Be Stolen? - Gradient Technologies

1. Install OpenSSH via Homebrew:

   brew install opensshsource ~/.profile

2. Insert the security key.

3. Open a terminal and generate the key:

   sudo ssh-keygen -t ed25519-sk -O resident -O verify-required -C "Your Comment"

4. Enter the PIN and touch the key when prompted.

5. Save the files in the ~/.ssh directory.

1. Verify OpenSSH is installed. Get started with OpenSSH for Windows.

2. Insert the security key.

3. Open PowerShell (as administrator) and generate the key:

   ssh-keygen -t ed25519-sk -O resident -O verify-required -C "Your Comment"

4. Enter the PIN and touch the key when prompted.

5. Save the files in the ~/.ssh directory.

1. Insert the key and open a terminal.

2. Change to the SSH directory:

   cd ~/.ssh

3. Regenerate key files from the security key:

   ssh-keygen -K

1. Edit sshd_config:

   1. Open the file (usually at /etc/ssh/sshd_config).

   2. Add:

      PubkeyAuthOptions verify-required

.Save and exit.

1. Restart SSH:

   sudo systemctl restart sshd

1. Open a terminal and use:

   ssh-copy-id -i ~/.ssh/id_ed25519_sk.pub user@host

1. Copy the public key content.

2. Log in to the server.

3. Open the authorized_keys file:

   nano ~/.ssh/authorized_keys

4. Paste the public key and save.

• For centralized management, store public keys in LDAP (for instance Active Directory) using SSSD.

This example will ssh to GitHub. It assumes the ssh public key has already been added to the GitHub account.

1. . Open a terminal and use:

   ssh -T [email protected]

2. Enter the PIN and touch the key when prompted.

• Restart or log out/in.

• Verify OpenSSH version (ssh -V).

• Check system logs for errors:

  • Ubuntu/Debian:

    tail /var/log/syslog | grep sshd

  • Fedora:

    journalctl -r /usr/sbin/sshd

• Run SSH in debug mode:

  ssh -vvv user@host

• Ensure correct file permissions:

  chmod 600 ~/.ssh/id_ed25519_sk

1. Open a terminal and use:

   ssh-keygen -K

2. Enter the PIN and touch the key when prompted.

3. Compare the newly generated public key to the public key in question

• OpenSSH Manual Pages

• YubiKey Manager Documentation

• libfido2 Project Documentation

• Bundled version of OpenSSH with macOS doesn’t support FIDO2 security keys GitHub Issue

• OpenSSH’s protocol for U2F/FIDO security keys