SSH with YubiKey FIDO U2F Authentication

This is the accompanying guide for the video SSH with YubiKey FIDO U2F Authentication. Of note, this should work with other keys that support FIDO U2F such as https://www.nitrokey.com/ & https://solokeys.com/, but I do not have those other keys to test.

First we need to make sure both your client and the servers you are connecting to are running OpenSSH 8.2 or greater. You can use this command to check the version:

ssh -V

The SSH key-pair can be either an ecdsa-sk or an ed25519-sk key-pair. The sk extension stands for security key. Note that an ed25519-sk key-pair is only supported by new YubiKeys with firmware 5.2.3 or higher which supports FIDO2. Use this to check the firmware version of your Yubikey:

lsusb -v 2>/dev/null | grep -A2 Yubico | grep "bcdDevice" | awk '{print $2}'

The libsk-libfido2.so middleware library must be present on the host to provide functionality to communicate with a FIDO device over USB, and to verify attestation and assertion signatures.

sudo apt install libfido2-dev

Next we have to create a new SSH ed25519-sk key-pair, which is the same as generating an ed25519 key but the sk extension stands for security key.

ssh-keygen -t ed25519-sk -C "$(hostname)-$(date +'%d-%m-%Y')-yubikey1"

Once this is done only part of the key is on your system; the other part comes from the FIDO U2F device, but it’s not simply read from the device as a value, it is part of a challenge response from the device. The enrollment operation returns a public key, a key handle that must be used to invoke the hardware-backed private key, some flags and signed attestation information that may be used to verify that a private key is hosted on a particular hardware instance.

Full write-up of the protocol here: openssh-portable/PROTOCOL.u2f at master · openssh/openssh-portable · GitHub

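The prerequisite checks from the post above, folded into a small script. This is an added example, not the post author's script: it assumes the YubiKey firmware version is supplied in dotted major.minor.patch form (e.g. 5.4.3), checks that the local OpenSSH is 8.2 or newer, picks ecdsa-sk or ed25519-sk from the firmware version, and includes a check that a public-key line (say, from authorized_keys) is really a security-key type rather than an ordinary on-disk key.

```shell
#!/bin/sh
# Added helper (not from the original post): checks the OpenSSH version
# prerequisite, picks the sk key type from the YubiKey firmware version,
# and verifies that a public-key line really is a security-key type.
set -eu

# Return 0 when dotted version $1 is >= dotted version $2 (e.g. 5.4.3 >= 5.2.3).
version_ge() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# Return 0 when an "ssh -V" banner (printed on stderr, so use "ssh -V 2>&1")
# reports OpenSSH 8.2 or newer, the first release with sk key support.
ssh_version_ok() {
    ver=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] && version_ge "$ver" 8.2
}

# Pick the key type for a YubiKey firmware version in dotted form (e.g. 5.4.3):
# ed25519-sk needs firmware 5.2.3+ (FIDO2); older FIDO U2F-only firmware
# still works with ecdsa-sk.
sk_key_type_for_firmware() {
    if version_ge "$1" 5.2.3; then echo ed25519-sk; else echo ecdsa-sk; fi
}

# Return 0 when an OpenSSH public-key line (e.g. from authorized_keys) is an
# sk type, i.e. the private half is only usable together with the FIDO device.
is_sk_pubkey() {
    case "${1%% *}" in
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage on a real host: ./sk-check.sh 5.4.3  (your YubiKey firmware version).
if [ -n "${1:-}" ]; then
    banner=$(ssh -V 2>&1)
    ssh_version_ok "$banner" || { echo "need OpenSSH >= 8.2, have: $banner" >&2; exit 1; }
    keytype=$(sk_key_type_for_firmware "$1")
    echo "ssh-keygen -t $keytype -C \"$(hostname)-$(date +'%d-%m-%Y')-yubikey1\""
fi
```

The script only prints the matching ssh-keygen command; the touch prompt on the key still happens when you run that command yourself.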

The video uses a black, full-featured YubiKey. Can anyone confirm this works with the cheaper, blue, U2F-only YubiKey?

Only if it has fido2. As far as I see, it does.


What’s the process to log in from a Windows machine? I normally use PuTTY but also Termius.

There is a request to get it added to Windows SSH, but as of right now that is not complete.

I can confirm it also works with FIDO 1, available on Yubikey 4 - as long as you use ecdsa-sk.


No “touch-ID” on the yubikey correct? It just needs someone to physically press it?

Correct, it’s affirming presence via the touch but not validating who is touching it via any type of bio-metrics.


Trying to get this to work with TrueNAS 12.0 stable, but it’s still using outdated OpenSSH v7.9. blah…

I have one of the first generation of Yubico Security Key with FIDO 1 (blue key). I tried the ecdsa-sk key generation and it worked!


I ordered the new Security Key that supports ed25519, I will post if that works…

I generated the SSH keys using the Security Key C NFC by Yubico (blue key), tested SSH login with public key and YubiKey FIDO2 with an Ubuntu server installation in a VM… :ok_hand:

This is the key I purchased, I ordered the two-pack to have a backup key:

Hello,
I was looking for information on the Internet, but I did not find whether it is possible to make a backup.
I have in mind 2 YubiKeys with the same configuration.
That is, the same private key on two keys.
Is there such a possibility?

No, and that’s by design. But most services will allow you to register more than one key and/or they may have other methods to recover your account, in case you should lose your key. Needless to say, you should check for the availability of such options before you enable FIDO2 and lose your key :wink:


You can make your life easier by using OpenPGP. I switched from FIDO to OpenPGP on my YubiKey. Way more portable. You just need to configure the agent on Windows. Works well with GitHub, PuTTY, VS Code, etc. Overall a better experience. Your remote host doesn’t even need to support FIDO and there is nothing to install.
