Passwordless SSH login with YubiKey and FIDO2

How to use your YubiKey with OpenSSH to authenticate securely against servers without a password.


I have been using a YubiKey for quite some time now for my most valuable accounts:

  • Google Account
  • Bitwarden

These are the most important ones. If you obtain control over my Google account you can reset every password for every service I am registered with.

Bitwarden stores my actual passwords, so it is pretty important as well.

That was about all I used my YubiKey 5 NFC for. I was asking myself what else I could do with this key, especially for my servers, which I need to connect to via SSH. Looks like quite a lot!

YubiKey SSH Key login methods

YubiKeys offer a few different methods to make your SSH login more secure.

OTP

This will just give you the option to add a second factor with a One Time Password. Boring. It is also not as secure, and better suited to legacy versions of OpenSSH.

PIV

Personal Identity Verification. This is more suited to an enterprise where you want to centrally manage all your keys. Overkill for a homelab.

PGP

I looked briefly into this and watched a few videos. Honestly, this seems to be very complex, like everything with PGP that I have come across. A lot of folks say that PGP is a major pain in your behind. You certainly can use your YubiKey with PGP and SSH.

I will pass for now.

FIDO2 - The Cool Stuff

Let's go to the coolest and easiest solution for private use in my opinion: FIDO2, which stands for Fast Identity Online.

You can create 2 different keys. Be sure to create a FIDO2 PIN for the YubiKey. This can be done with the YubiKey Manager via CLI or GUI. And write that PIN down. If you lose it, you are in trouble, like me.😏

You can reset the PIN anytime, but then all the U2F/FIDO2 credentials on the key will be reset as well. So be careful. I was an idiot so you don't have to be.

Anyway, let's go forward with the 2 types of keys.

You have discoverable Credentials and non-discoverable Credentials.

Discoverable Credential                     | Non-Discoverable Credential
--------------------------------------------+--------------------------------
openssh-server >8.3                         | openssh-server >8.2p1
No private key in ~/.ssh                    | Creates a private key in ~/.ssh
Can be used by someone who finds the YubiKey | The YubiKey itself is useless
Portable                                    | Less portable

I also checked for you which openssh-server version the commonly used server distros ship:

Operating System           | openssh-server version
---------------------------+-----------------------
Ubuntu 22.04 LTS (Jammy)   | 8.9p1-3
Debian 11 (Bullseye)       | 8.4p1
Ubuntu 20.04 LTS (Focal)   | 8.2p1
Debian 10 (Buster)         | 7.9p1
Ubuntu 18.04 LTS (Bionic)  | 7.6p1
Debian 9 (Stretch)         | 7.4p1

Discoverable Credential

This will use the YubiKey as your SSH key. Meaning as long as you have your YubiKey plugged in you can SSH into your servers. You can take the key to another system and you are still able to log in via SSH since the YubiKey is your SSH key. Pretty amazing. I would like to do just that!

Unfortunately, my YubiKey 5 NFC has an older firmware (5.1.2) and cannot do this. Also, you cannot update YubiKey firmware. What a bummer. 😞

Non-Discoverable Credential

This will create an SSH key on your local system in ~/.ssh but only works together with the YubiKey. So if I remove my YubiKey or lose the YubiKey altogether I can not use this SSH key anymore. That also means other people can not use this YubiKey on their machines. But that also means I have to copy this private key to all of the servers I want to use this on.

You can basically create two types of keys here:

  • ecdsa-sk
  • ed25519-sk

The -sk stands for security key. Since I use an id_ed25519 already (because of reasons) I thought let's go with that one. Nope. Again my firmware was too old. You have to have at least a YubiKey with version 5.2.3. Everything below can only do ecdsa-sk.

Meh, then let's use the ecdsa-sk version:

ssh-keygen -t ecdsa-sk -C "test"

Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator: 
You may need to touch your authenticator (again) to authorize key generation.
Enter file in which to save the key (/home/andrej/.ssh/id_ecdsa_sk): test	
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in test
Your public key has been saved in test.pub
The key fingerprint is:
SHA256:Qc1skzFfEyvlE0mwpteOEOckgPcAjevgF3vXF62hgBQ test
The key's randomart image is:
+-[ECDSA-SK 256]--+
|      .=E=oo.oBo |
|      o.=.Bo =.+ |
|       +.=o.B +. |
|    . o ..oO oo..|
|   . o oS ooo..+ |
|    . + . .oooo  |
|     . . .  ...  |
|                 |
|                 |
+----[SHA256]-----+

I did not use a password since I want to only touch the YubiKey when using SSH. Now I copied my public key over to my server. Tried SSH and the YubiKey is flashing. One tap and I am on my server. How cool is that!
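An added example, not part of the original post: once a public key like the one above sits in a server's authorized_keys, this Python sketch audits that file to confirm each entry is a FIDO-backed -sk key and that touch has not been switched off. It reads the application string ("ssh:" by default) from the end of the -sk key blob; the function names and the sample entries (dummy key bytes) are constructed for this example.

```python
import base64
import hashlib

# Key type names OpenSSH gives FIDO-backed ("-sk") public keys.
SK_TYPES = {"sk-ecdsa-sha2-nistp256@openssh.com", "sk-ssh-ed25519@openssh.com"}
KNOWN_TYPES = SK_TYPES | {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

def wire_b64(*parts):  # base64 of SSH wire strings (4-byte big-endian length, then data)
    return base64.b64encode(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).decode()

def unpack(blob):  # split a decoded key blob into its wire strings; rejects truncation
    out, pos = [], 0
    while pos < len(blob):
        end = pos + 4 + int.from_bytes(blob[pos:pos + 4], "big")
        if end > len(blob):
            raise ValueError("truncated wire string")
        out.append(blob[pos + 4:end])
        pos = end
    return out

def audit_line(line):
    """Describe one authorized_keys entry; None for blank or comment lines."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    # Simplification: options are whatever precedes the first known key type.
    idx = next((i for i, t in enumerate(tokens) if t in KNOWN_TYPES), None)
    if idx is None or idx + 1 >= len(tokens):
        return {"findings": ["no recognised key"]}
    options, ktype = " ".join(tokens[:idx]), tokens[idx]
    try:
        fields = unpack(blob := base64.b64decode(tokens[idx + 1]))
    except ValueError:
        return {"findings": ["malformed key blob"]}
    checks = [(ktype not in SK_TYPES, "not hardware-backed"),
              (fields[:1] != [ktype.encode()], "key type does not match blob"),
              ("no-touch-required" in options, "touch disabled")]
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": ktype, "fingerprint": "SHA256:" + digest,
            "application": fields[-1].decode(errors="replace") if ktype in SK_TYPES and fields else None,
            "verify_required": "verify-required" in options, "findings": [m for bad, m in checks if bad]}

def audit(text):
    return [r for r in map(audit_line, text.splitlines()) if r]

# Constructed sample data: dummy key bytes, not real credentials.
SK = wire_b64(b"sk-ecdsa-sha2-nistp256@openssh.com", b"nistp256", b"\x04" + bytes(64), b"ssh:")
SAMPLE = (f"# constructed authorized_keys\nsk-ecdsa-sha2-nistp256@openssh.com {SK} test\n"
          f"no-touch-required sk-ecdsa-sha2-nistp256@openssh.com {SK} ci\n"
          f"ssh-ed25519 {wire_b64(b'ssh-ed25519', bytes(32))} old-laptop\n")
```

The fingerprint it reports uses the same SHA256 form that ssh-keygen prints, so entries can be matched against the output shown at key generation.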

I have to say this is pretty cool. I am still a bit bummed out that I cannot use the Discoverable Keys, but I do not want to spend another 50 Euros or more to get a second YubiKey.

If you have a YubiKey or any other FIDO2 standard security key give this a go.
