Saturday July 31 2021

Using a FIDO U2F hardware key with SSH

Rotating my SSH keys the other day, I stumbled upon the ed25519-sk type, which I hadn’t seen before. I checked the ssh-keygen man page and, sure enough, there it was, referencing support for FIDO authenticators.

On OpenBSD, I was able to just plug in my (now quite old) YubiKey, which only supports FIDO U2F, and have this work out of the box.

$ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ~/.ssh/id_ecdsa_sk
Your public key has been saved in ~/.ssh/id_ecdsa_sk.pub
The key fingerprint is:
SHA256:3rbmWRGeHcLOkGSPYHbY+lgYV43V1iBxpdpjKitA+pk mitch@t495s
The key's randomart image is:
+-[ECDSA-SK 256]--+
|        +o+.+=++o|
|       oo=o=.o..+|
|         =+ = o. |
|      . o .= B . |
|     o  S+  B =  |
|    . .....  + . |
|     . +. + o    |
|      E ...*     |
|         +=      |
+----[SHA256]-----+
$

A quick tap of the hardware key and it finished generating the key. If you have OpenSSH 8.2 or newer, you should be able to add the key to your ~/.ssh/authorized_keys without any issue and have the machine pick up on it.

This appears to work without much issue on most modern Linux distributions as well. My Void Linux system only needed openssh-sk-helper to be installed. Ubuntu 20.04 worked out of the box.

SSH Server considerations

Many popular Linux distributions used in corporate environments, such as CentOS and Debian, ship old, patched versions of OpenSSH. As such, these keys aren’t recognized by CentOS 7 or even the more recent CentOS 8. I imagine the same is true for their RHEL counterparts.
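To find out ahead of time whether a server will accept these keys, the following is an added shell example of mine (not from the post): it parses an OpenSSH version string against the 8.2 threshold the post mentions and counts sk key types in an authorized_keys file. The function names and the sample key lines are constructed.

```sh
#!/bin/sh
# Added example: check that the server side can accept FIDO (-sk) keys,
# which need OpenSSH 8.2 or newer. Function names are my own choice.

# sk_supported STRING -> exit 0 if the OpenSSH version is >= 8.2, 1 if older,
# 2 if no version could be parsed. Accepts either the `ssh -V` form
# ("OpenSSH_8.4p1 ...") or a server banner ("SSH-2.0-OpenSSH_7.4").
sk_supported() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver            # $1 = major, $2 = minor
    if [ "$1" -gt 8 ]; then return 0; fi
    if [ "$1" -eq 8 ] && [ "$2" -ge 2 ]; then return 0; fi
    return 1
}

# is_sk_key LINE -> exit 0 if an authorized_keys line starts with one of the
# two FIDO key types OpenSSH uses (ecdsa-sk and ed25519-sk public keys).
is_sk_key() {
    case "$1" in
        sk-ecdsa-sha2-nistp256@openssh.com\ *) return 0 ;;
        sk-ssh-ed25519@openssh.com\ *)         return 0 ;;
        *)                                     return 1 ;;
    esac
}

# count_sk_keys FILE -> prints how many lines in FILE are sk keys.
# Lines with leading options (e.g. "no-pty sk-ssh-...") are not counted here.
count_sk_keys() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        is_sk_key "$line" && n=$((n + 1))
    done < "$1"
    echo "$n"
}

# Constructed sample data so the script runs stand-alone.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
sk-ecdsa-sha2-nistp256@openssh.com AAAA-constructed-not-a-real-key mitch@t495s
ssh-ed25519 AAAA-constructed-not-a-real-key legacy@host
sk-ssh-ed25519@openssh.com AAAA-constructed-not-a-real-key mitch@t495s
EOF
echo "sk keys in sample file: $(count_sk_keys "$tmp")"
rm -f "$tmp"
for b in "OpenSSH_8.4p1 Ubuntu-5ubuntu1" "SSH-2.0-OpenSSH_7.4"; do
    if sk_supported "$b"; then echo "$b: sk keys accepted"; else echo "$b: sk keys NOT accepted"; fi
done
```

On a live host, `ssh -V` gives the local version and the remote server's banner can be read from the first line it sends on port 22.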

Hardware Options

This should work with the inexpensive Solo Keys and the Yubico Security Keys, as well as the YubiKey 5.