Saturday July 31 2021
Using a FIDO U2F hardware key with SSH
Rotating my SSH keys the other day I stumbled upon the ed25519-sk key type, which I hadn’t seen before. I checked the ssh-keygen man page and sure enough there it was, referencing support for FIDO authenticators.
On OpenBSD, I was able to just plug in my (now quite old) YubiKey, which only supports FIDO U2F, and have this work out of the box.
$ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ~/.ssh/id_ecdsa_sk
Your public key has been saved in ~/.ssh/id_ecdsa_sk.pub
The key fingerprint is:
SHA256:3rbmWRGeHcLOkGSPYHbY+lgYV43V1iBxpdpjKitA+pk mitch@t495s
The key's randomart image is:
+-[ECDSA-SK 256]--+
| +o+.+=++o|
| oo=o=.o..+|
| =+ = o. |
| . o .= B . |
| o S+ B = |
| . ..... + . |
| . +. + o |
| E ...* |
| += |
+----[SHA256]-----+
$
A quick tap of the hardware key and it finished generating the key. If you have OpenSSH 8.2 or newer you should be able to add the key to your ~/.ssh/authorized_keys without any issue and have the server pick it up.
This appears to work without much issue on most modern Linux distributions as well. My Void Linux system only needed openssh-sk-helper to be installed. Ubuntu 20.04 worked out of the box.
SSH Server considerations
Many popular Linux distributions in corporate environments, such as CentOS and Debian, ship older, patched versions of OpenSSH. As a result these keys aren’t recognized by CentOS 7, or even the more recent CentOS 8. I imagine the same is true for their RHEL counterparts.
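Since the server side is the usual sticking point, here is a small added check (my own example, not part of the original post or of OpenSSH) that parses an SSH server banner for the 8.2 cut-off and spots FIDO key lines in authorized_keys. The banners and key blob below are constructed samples; the nc probe at the end assumes a reachable host and is commented out.

```shell
#!/bin/sh
# Added example: gate FIDO security-key (-sk) SSH keys on server support.
# OpenSSH accepts sk keys from 8.2 onward; older distro builds reject them.

# sk_supported_by_banner BANNER
# exit 0 if the banner is OpenSSH >= 8.2, 1 if older, 2 if not OpenSSH
# or unparseable (e.g. a dropbear banner).
sk_supported_by_banner() {
    banner=$1
    case "$banner" in
        *OpenSSH_*) ;;
        *) return 2 ;;
    esac
    # "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.3" -> "8 2": keep major.minor,
    # drop the portable suffix and any distro tag.
    ver=${banner##*OpenSSH_}
    ver=$(printf '%s' "$ver" | sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; }; then
        return 0
    fi
    return 1
}

# is_sk_key_line LINE
# exit 0 if an authorized_keys line carries a FIDO key type. The loop over
# fields lets option prefixes such as "no-touch-required" precede the type.
is_sk_key_line() {
    for field in $1; do
        case "$field" in
            sk-ecdsa-sha2-nistp256@openssh.com|sk-ssh-ed25519@openssh.com) return 0 ;;
        esac
    done
    return 1
}

# Live probe (assumed host, uncomment to use): read only the banner line.
# banner=$(printf '' | nc -w 3 sshserver.example 22 | head -n 1)
# sk_supported_by_banner "$banner" && echo "sk keys OK" || echo "sk keys NOT supported"
```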
Hardware Options
This should work with the inexpensive Solo Keys and the Yubico Security Keys, as well as the YubiKey 5.