Yubikey
Commands
| Command | Description |
|---|---|
| ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible | programs slot two for HMAC-SHA1 challenge-response (challenges shorter than 64 bytes, serial number readable over the USB API) |
| ykpamcfg -2 -v | stores an initial challenge and the expected response for slot two in ~/.yubico/challenge- |
OpenSSH with U2F (Yubikey)
On February 14th 2020, the OpenBSD team released OpenSSH 8.2, which added support for FIDO (Fast Identity Online) U2F security keys.
Method 1 (preferred) - key-pair stored locally on client (the private key file is a handle that only works together with the Yubikey it was created on)
Preparation
- Ensure the OpenSSH version on both client and server is at least 8.2:
ssh -V
- Check the Yubikey firmware version (ykman info prints it as well):
lsusb -v 2>/dev/null | grep -A2 -i yubico | grep -i bcddevice
- Choose the algorithm based on the Yubikey firmware version:
- Yubikeys with firmware 5.2.3 and higher support ed25519-sk
- Yubikeys below firmware 5.2.3 support ecdsa-sk
- OpenSSH must be built against libfido2 (its default internal security-key provider); the separate Yubico libsk-libfido2.so middleware library is only needed if you point ssh at it via SecurityKeyProvider or SSH_SK_PROVIDER
The sk extension stands for security key.
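The preparation checks above as a script, added here as an example (not code from the original page). The parsing functions take the tool output as a string so they can be exercised without a YubiKey; run_checks calls the live tools (ssh, then ykman or lsusb) and only runs when RUN_CHECKS=1. The bcdDevice expansion assumes lsusb collapses minor and patch into two digits (5.43 meaning 5.4.3).

```shell
#!/bin/sh
# Added example (not from the original page): scripted preparation checks
# for OpenSSH FIDO/U2F keys. Pure functions take strings; run_checks is live.

# "ssh -V" prints a banner such as "OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL ..."
# on stderr. Return 0 when the version is 8.2 or newer (first sk support).
ssh_supports_sk() {
    major=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1/p')
    minor=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\2/p')
    [ -n "$major" ] && [ -n "$minor" ] || return 1
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; }
}

# lsusb -v shows the firmware as bcdDevice with minor and patch collapsed,
# e.g. "5.43" for 5.4.3 (assumption about the encoding; "ykman info" prints
# the dotted form directly). Expand to major.minor.patch, pass dotted input through.
bcd_to_firmware() {
    printf '%s\n' "$1" | sed 's/^\([0-9][0-9]*\)\.\([0-9]\)\([0-9]\)$/\1.\2.\3/'
}

# Pick the ssh-keygen -t type: ed25519-sk needs firmware 5.2.3 or newer,
# anything older (including U2F-only 4.x keys) gets ecdsa-sk.
pick_sk_type() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    a=${1:-0}; b=${2:-0}; c=${3:-0}
    if [ "$a" -gt 5 ] || { [ "$a" -eq 5 ] && [ "$b" -gt 2 ]; } || \
       { [ "$a" -eq 5 ] && [ "$b" -eq 2 ] && [ "$c" -ge 3 ]; }; then
        echo ed25519-sk
    else
        echo ecdsa-sk
    fi
}

# Live checks against the installed ssh and the plugged-in YubiKey.
run_checks() {
    banner=$(ssh -V 2>&1)
    if ssh_supports_sk "$banner"; then
        echo "ssh: $banner (sk keys supported)"
    else
        echo "ssh: $banner (OpenSSH 8.2 or newer required)"; return 1
    fi
    if command -v ykman >/dev/null 2>&1; then
        fw=$(ykman info | sed -n 's/^Firmware version: *//p')
    else
        fw=$(bcd_to_firmware "$(lsusb -v 2>/dev/null | grep -A2 -i yubico | sed -n 's/.*bcdDevice *//p' | head -n 1)")
    fi
    [ -n "$fw" ] || { echo "no YubiKey found"; return 1; }
    echo "YubiKey firmware $fw: use ssh-keygen -t $(pick_sk_type "$fw")"
}

if [ "${RUN_CHECKS:-0}" = 1 ]; then run_checks; fi
```

Run it with RUN_CHECKS=1 sh prep-checks.sh on the client; remember that the server's sshd must also be 8.2 or newer, which this script cannot see.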
Generate SSH key-pair
After the preparations are done, we can start creating the key-pair:
ssh-keygen -t ed25519-sk -C "$(hostname)-$(date +'%d-%m-%Y')-physical_yubikey_number"
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter file in which to save the key (/home/$USER/.ssh/id_ed25519_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/$USER/.ssh/id_ed25519_sk
Your public key has been saved in /home/$USER/.ssh/id_ed25519_sk.pub
The key fingerprint is:
SHA256:esvq6KPZ5FGttkaYUUeUcf/Oo0hhsRAaB6NKN48kkeo myhostname-13-03-2020-1234567
The key's randomart image is:
+-[ ED25519-SK ]--+
| .. ++*o. |
| .. ..=oo . |
| .o =.... . . |
|.. =.+ . . o . |
|. . .+o S + . |
| E o..o . . o |
| o.+ . . + |
| =.+.+ o . . . |
| oo=++.o . . |
+----[SHA256]-----+
Add your SSH key-pair
Next, place the public key inside the authorized_keys file on the remote server:
$ ssh-copy-id -i ~/.ssh/id_ed25519_sk.pub myuser@myfance_remote.server.at
Test U2F auth
Now that the public key is on the remote server, we are ready to test it. Point ssh at the private key handle (not the .pub file) and perform your usual ssh command:
$ ssh -i ~/.ssh/id_ed25519_sk myfance_remote.server.at -l myuser
Confirm user presence for key ED25519-SK SHA256:esvq6KPZ5FGttkaYUUeUcf/Oo0hhsRAaB6NKN48kkeo
[Tap your YubiKey U2F Security Key now]
Last login: Fri Jan 13 09:09:09 2021 from 13.37.21.42
Welcome to your Remote-Host
myuser@myfance_remote$
Method 2 - key-pair stored on yubikey
Preparation
Same preparation steps as in method 1.
Generate SSH key-pair
Add your SSH key-pair
Test U2F auth
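Method 2 as OpenSSH implements it, added here as an example (not code from the original page): the key handle is stored on the YubiKey as a FIDO2 resident (discoverable) credential and pulled back from the token on any other machine. It assumes a FIDO2-capable YubiKey (firmware 5.x) with a PIN set and an OpenSSH newer than 8.2 for -O verify-required; the application suffix "ssh:<hostname>" is this example's choice. Hardware-touching steps only run when RUN_RESIDENT is "generate" or "fetch".

```shell
#!/bin/sh
# Added example (not from the original page): resident FIDO2 SSH keys.

# ssh-keygen -O application=... must begin with "ssh:"; the suffix lets one
# token hold several resident keys and becomes part of the file name when
# the handles are downloaded again.
check_application() {
    case $1 in
        ssh:*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Enroll: the private key handle stays on the token; ~/.ssh only receives a
# copy that may be deleted. verify-required makes every use ask for the PIN,
# not just a touch, which matters for a key that travels with the token.
generate_resident() {
    ktype=$1; app=$2
    check_application "$app" || { echo "application string must begin with ssh:" >&2; return 1; }
    ssh-keygen -t "$ktype" -O resident -O verify-required -O "application=$app" \
        -C "$(hostname)-$(date +%d-%m-%Y)-resident"
}

# On another machine: ssh-keygen -K downloads the resident handles into
# id_<type>_sk_rk* files in the current directory; ssh-add -K would instead
# load them straight into the running agent without writing to disk.
fetch_resident() {
    mkdir -p "$HOME/.ssh" && cd "$HOME/.ssh" && ssh-keygen -K
}

case ${RUN_RESIDENT:-} in
    generate) generate_resident ed25519-sk "ssh:$(hostname)" ;;
    fetch)    fetch_resident ;;
esac
```

The downloaded files are used exactly like the method 1 key (ssh -i ~/.ssh/id_ed25519_sk_rk...), and the public key still has to be placed in authorized_keys on the server as in method 1.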
Limit to U2F sessions only
If you only want to allow U2F sessions on the remote server, add the following line to /etc/ssh/sshd_config (since OpenSSH 8.5 the keyword is called PubkeyAcceptedAlgorithms; PubkeyAcceptedKeyTypes is still accepted as an alias). Validate the file with sshd -t and keep your current session open until a fresh sk-backed login has succeeded, because every non-sk key in authorized_keys, including your own fallback key, stops working the moment sshd reloads. If you use sk certificates, also list the sk-ssh-ed25519-cert-v01@openssh.com and sk-ecdsa-sha2-nistp256-cert-v01@openssh.com types.
PubkeyAcceptedKeyTypes sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519@openssh.com
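Before applying that restriction it is worth knowing which existing keys it will cut off. The audit below is an added example, not code from the original page: it walks an authorized_keys file, skips option prefixes such as no-touch-required or from="...", and reports every entry whose key type is not in the list you intend to configure. The sample authorized_keys lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): find authorized_keys entries
# that a PubkeyAcceptedKeyTypes sk-... restriction would reject.

# The value you intend to put into sshd_config (same list as above).
ACCEPTED='sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519@openssh.com'

# Print the key type of one authorized_keys line, skipping leading options
# (no-touch-required, from="...", command="...", ...). Return 1 if none found.
key_type_of() {
    for tok in $1; do
        case $tok in
            ssh-ed25519|ssh-rsa|ssh-dss|ecdsa-sha2-nistp*|sk-*@openssh.com|*-cert-v01@openssh.com)
                printf '%s\n' "$tok"; return 0 ;;
        esac
    done
    return 1
}

# Return 0 if TYPE ($1) appears in the comma-separated LIST ($2).
is_accepted() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print one REJECT line per entry that sshd would refuse with LIST
# (defaults to ACCEPTED). Blank lines and comments are ignored.
audit_authorized_keys() {
    file=$1; list=${2:-$ACCEPTED}
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        if t=$(key_type_of "$line"); then
            is_accepted "$t" "$list" || printf 'REJECT %s: %.60s\n' "$t" "$line"
        else
            printf 'REJECT unparsable: %.60s\n' "$line"
        fi
    done < "$file"
}

# Constructed sample: two local keys that would break, two sk keys that stay.
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleLocalKey00000000000000000000000000 laptop-2019
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIExample myhostname-13-03-2020-1234567
no-touch-required,from="10.0.0.0/8" sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhExample backup-yubikey
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExample deploy@ci
EOF
    printf '%s\n' "$f"
}

sample=$(make_sample)
audit_authorized_keys "$sample"
rm -f "$sample"
```

Run audit_authorized_keys against every user's ~/.ssh/authorized_keys (and any AuthorizedKeysFile you configured) on the server; an empty report means the restriction can be applied without locking anyone out.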
Alternatives for Yubikeys
- SoloKeys: open-source hardware and firmware U2F keys