May 04, 2022
Secure your SSH key with a FIDO2 Authenticator
Requirements
- OpenSSH 8.2p1 or later
- A FIDO2 Authenticator
- For Windows users, always run your terminal in Admin Mode*
* For unknown reasons, Win32-OpenSSH up to V8.9.1.0p1-Beta won’t function correctly unless it runs in Admin Mode.
In this tutorial, I am using a YubiKey 5C NFC as my FIDO2 Authenticator.
Discoverable Key
Generate Key
You may create your key pair with the steps below:
- Connect your FIDO2 Authenticator
- Run this command in a terminal to generate a discoverable key:

```sh
ssh-keygen -t [key-type] -O resident -O application=ssh:YourFancyKeyNameHere -O verify-required
```

- `[key-type]` can be either `ecdsa-sk` or `ed25519-sk`
- `-O application=ssh:YourFancyKeyNameHere` names the resident key (optional)
- `-O verify-required` requires the PIN of the FIDO2 Authenticator whenever you authenticate with the generated SSH key (optional)
- Add `-O no-touch-required` if you don’t want to touch your Authenticator (this skips the user presence check)
- SSH will prompt for the PIN and verify user presence as required
- Your public and private key will then be generated. Rename the private key to `id_ecdsa_sk` or `id_ed25519_sk` so that your system picks it up automatically.
Use your key with FIDO2 Authenticator on a new local machine
You may safely carry your key pairs in your FIDO2 Authenticator to other devices.
On a new local machine, use the steps below to set up the key pair:
- Export the key pair from the FIDO2 Authenticator:

```sh
ssh-keygen -K
```

- SSH will prompt for the PIN and/or user presence. Pay attention to your authenticator, as on some systems there is no visible indication when user presence is required.
- Rename the private key to `id_ecdsa_sk` or `id_ed25519_sk` so that your system picks it up automatically.
Install your public key to a remote server
There’s no difference from how you do it with other key types. Just append your public key to the end of ~/.ssh/authorized_keys, starting on a new line.
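As an added example that is not part of the original post, the following POSIX sh function performs the append described above with the checks a server operator would want: it accepts only the two FIDO key types ssh-keygen produces, creates ~/.ssh and authorized_keys with the permissions sshd expects, makes sure the new entry starts on its own line even when the file lacks a trailing newline, skips duplicates, and prefixes the entry with the sshd `verify-required` authorized_keys option. The public key line is a constructed placeholder, not a real key, and the function assumes an sshd recent enough to understand `verify-required`.

```sh
#!/bin/sh
# Added example, not code from the original post.
# Appends a FIDO (sk-*) public key to authorized_keys on its own line, and
# prefixes the entry with sshd's "verify-required" option so the server itself
# insists on PIN-verified signatures. Assumes POSIX sh, grep, tail, mkdir, chmod.

# Constructed sample: a line in the shape ssh-keygen writes to id_ed25519_sk.pub.
# The base64 blob is a placeholder, not a real key.
SAMPLE_PUBKEY='sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tPLACEHOLDER= alice@laptop'

# The only two key types ssh-keygen emits for -t ecdsa-sk and -t ed25519-sk.
is_sk_key_type() {
    case "$1" in
        sk-ecdsa-sha2-nistp256@openssh.com|sk-ssh-ed25519@openssh.com) return 0 ;;
        *) return 1 ;;
    esac
}

# install_sk_pubkey "<public key line>" "<path to authorized_keys>"
# Returns 1 for a non-FIDO key type; returns 0 without writing anything if the
# same key blob is already present.
install_sk_pubkey() {
    pubkey_line=$1
    ak_file=$2
    key_type=${pubkey_line%% *}
    after_type=${pubkey_line#* }
    key_blob=${after_type%% *}

    if ! is_sk_key_type "$key_type"; then
        echo "refusing to install non-FIDO key type: $key_type" >&2
        return 1
    fi

    # Create ~/.ssh (700) and the file (600) if missing; sshd ignores an
    # authorized_keys file with loose permissions under StrictModes.
    ak_dir=$(dirname "$ak_file")
    mkdir -p "$ak_dir" && chmod 700 "$ak_dir"
    ( umask 077; touch "$ak_file" )

    if grep -qF -- "$key_blob" "$ak_file"; then
        echo "key already present in $ak_file" >&2
        return 0
    fi

    # Guarantee the new entry starts on its own line: if the file is non-empty
    # and its last byte is not a newline, add one first.
    if [ -s "$ak_file" ] && ! tail -c 1 "$ak_file" | read -r last_byte; then
        printf '\n' >> "$ak_file"
    fi

    printf 'verify-required %s\n' "$pubkey_line" >> "$ak_file"
    chmod 600 "$ak_file"
}

# Usage on the server, after copying id_ed25519_sk.pub over:
#   install_sk_pubkey "$(cat ~/id_ed25519_sk.pub)" ~/.ssh/authorized_keys
```

With `verify-required` in front of the entry, sshd rejects signatures that do not carry the user-verified flag, so the PIN requirement is enforced by the server rather than relying solely on the `-O verify-required` option chosen when the key was generated.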
Advantages
With this you can safely install your private key on an untrusted system, since signing requires the physical authenticator. The exportable key feature also makes it easier to carry your keys around.
Yubikey: Manage your resident keys
Download and install ykman.

```sh
./ykman fido credentials list # list all resident keys
```