SSH with YubiKey FIDO U2F Authentication

This is the accompanying guide for the video SSH with YubiKey FIDO U2F Authentication. Of note, this should work with other keys that support FIDO U2F such as https://www.nitrokey.com/ & https://solokeys.com/, but I do not have those other keys to test.

First we need to make sure both your client and the servers you are connecting to are running OpenSSH 8.2 or greater. You can use this command to check the version:

ssh -V

The SSH key-pair can be either an ecdsa-sk or an ed25519-sk key-pair. The sk extension stands for security key. Note that an ed25519-sk key-pair is only supported by new YubiKeys with firmware 5.2.3 or higher which supports FIDO2. Use this to check the firmware version of your Yubikey:

lsusb -v 2>/dev/null | grep -A2 Yubico | grep "bcdDevice" | awk '{print $2}'

The libsk-libfido2.so middleware library must be present on the host to provide functionality to communicate with a FIDO device over USB, and to verify attestation and assertion signatures.

sudo apt install libfido2-dev

Next we have to create a new SSH ed25519-sk key-pair, which is the same as generating an ed25519 key, but the sk extension stands for security key.

ssh-keygen -t ed25519-sk -C "$(hostname)-$(date +'%d-%m-%Y')-yubikey1"

Once this is done, only part of the key is on your system; the other part comes from the FIDO U2F device, but it's not simply read from the device as a value, it is part of a challenge-response with the device. The enrollment operation returns a public key, a key handle that must be used to invoke the hardware-backed private key, some flags and signed attestation information that may be used to verify that a private key is hosted on a particular hardware instance.

Full write-up of the protocol here: openssh-portable/PROTOCOL.u2f at master · openssh/openssh-portable · GitHub
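The checks described in the post above (OpenSSH 8.2 or newer, and an ecdsa-sk or ed25519-sk key type), as an added example that is not part of the original post. It assumes a POSIX sh with sed, and that the public-key type strings for security keys are sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com; the no-touch-required authorized_keys option is a standard OpenSSH option, not something from this thread.

```shell
#!/bin/sh
# Added example: preflight checks for FIDO-backed SSH keys. Not from the
# original post; the version string is what `ssh -V` prints on stderr.

# Return 0 if the OpenSSH version string is 8.2 or newer, 1 otherwise.
# Example input: "OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f  31 Mar 2020"
ssh_version_ok() {
  v=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
  [ -n "$v" ] || return 1          # not an OpenSSH version banner
  set -- $v                         # $1 = major, $2 = minor
  [ "$1" -gt 8 ] || { [ "$1" -eq 8 ] && [ "$2" -ge 2 ]; }
}

# Classify a .pub or authorized_keys line: ed25519-sk, ecdsa-sk, or not-sk.
# The key type may be preceded by authorized_keys options, hence the two
# patterns per type (line start, or after a space).
sk_key_type() {
  case "$1" in
    "sk-ssh-ed25519@openssh.com "*|*" sk-ssh-ed25519@openssh.com "*)
      echo ed25519-sk ;;
    "sk-ecdsa-sha2-nistp256@openssh.com "*|*" sk-ecdsa-sha2-nistp256@openssh.com "*)
      echo ecdsa-sk ;;
    *)
      echo not-sk ;;
  esac
}

# Return 0 if an authorized_keys line still demands a physical touch, i.e.
# it does not carry the no-touch-required option (available since OpenSSH 8.2).
sk_touch_required() {
  case "$1" in
    *no-touch-required*) return 1 ;;
    *) return 0 ;;
  esac
}

# Stand-alone usage: check the local client, then generate the key as in the post.
if [ "${1:-}" = "--run" ]; then
  banner=$(ssh -V 2>&1)
  ssh_version_ok "$banner" || { echo "need OpenSSH >= 8.2, got: $banner" >&2; exit 1; }
  ssh-keygen -t ed25519-sk -C "$(hostname)-$(date +'%d-%m-%Y')-yubikey1"
fi
```

Run with --run on the client to perform the checks and key generation; without it the functions are only defined, so the file can be sourced.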


The video uses a black, full-featured YubiKey. Can anyone confirm this works with the cheaper, blue, U2F-only YubiKey?

Only if it has fido2. As far as I see, it does.


What's the process to log in from a Windows machine? I normally use PuTTY but also Terminus.

There is a request to get it added to Windows SSH, but as of right now that is not complete.

I can confirm it also works with FIDO 1, available on Yubikey 4 - as long as you use ecdsa-sk.


No "touch-ID" on the YubiKey, correct? It just needs someone to physically press it?

Correct, it's affirming presence via the touch but not validating who is touching it via any type of biometrics.


Trying to get this to work with TrueNAS 12.0 stable, but it's still using outdated OpenSSH v7.9. blah…

I have one of the first generation of Yubico Security Key with FIDO 1 (blue key). I tried the ecdsa-sk key generation and it worked!


I ordered the new Security Key that supports ed25519, I will post if that works…

I generated the SSH keys using the Security Key C NFC by Yubico (blue key), tested SSH login with public key and YubiKey FIDO 2 with an Ubuntu server installation in a VM… :ok_hand:

This is the key I purchased, I ordered the two-pack to have a backup key: