All Linux and Unix servers are managed manually or by automation tools such as Ansible using ssh. For instance, say you have a server at Linode or AWS. You copy your public ssh key to the remote cloud server. Once copied, you can log in to those servers without a password as long as the ssh keys match. It is the best practice. Unfortunately, you are not protecting the ssh keys stored on a local desktop or dev machine in the $HOME/.ssh/ directory. If your keys are stolen, an attacker can gain access to all your cloud servers, including backup servers. To avoid this mess, we can protect the ssh keys stored on local dev/desktop machines using physical security keys such as the YubiKey.
In both cases, you need to insert your YubiKey (or any FIDO2 compatible hardware key) into a USB port and complete the authentication. In other words, ssh login will not work when malware or an attacker has stolen your passphrase and ssh keys, because they cannot insert the YubiKey and press the button on it to complete the OTP step for the ssh keys.
In the corporate environment, we have a bastion host that allows ssh access with a YubiKey. It is a special-purpose server on a network specifically designed and configured to withstand attacks. The server typically hosts an sshd process, and all other services are removed. Once logged into the bastion host, you can access all other cloud servers easily.
What is a YubiKey?
The YubiKey is a hardware authentication device manufactured by Yubico to protect access to computers, networks, and online services. It supports one-time passwords, public-key cryptography, authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols. See how the YubiKey works for more details.
FIDO/U2F OpenSSH support
It is best to have at least OpenSSH version 8.2 or above installed on both the client and the server. OpenSSH version 8.2 and above adds support for FIDO/U2F hardware authenticators. U2F/FIDO are open standards for inexpensive two-factor authentication hardware that are widely used for website authentication. In OpenSSH, FIDO devices are supported by the new public key types "ecdsa-sk" and "ed25519-sk", along with the corresponding certificate types.
Linux/Unix/macOS desktop requirements
- OpenSSH version 8.2+
- Linux/Unix/macOS/*BSD operating system
My ssh client and server setup
Here is what I have on my Linux desktop and server, fetched using the ssh command. For example:
# Get my client/desktop side Linux info
$ ssh -V
$ lsb_release -a
#
# Get my server side info
#
$ ssh linode-nixcraft-01 -- lsb_release -a
$ ssh linode-nixcraft-01 -- dpkg --list | grep openssh-server
Finding the YubiKey firmware version
Is the YubiKey detected on my Linux box? Run the lsusb command:
$ lsusb | grep Yubico
Here is what I see:
Bus 001 Device 022: ID 1050:0407 Yubico.com Yubikey 4 OTP+U2F+CCID
Now pass the USB ID (1050:0407) as follows to find out other information about the key:
$ lsusb -d 1050:0407 -v 2>/dev/null
$ lsusb -d 1050:0407 -v 2>/dev/null | more
# just list the firmware version
$ lsusb -d 1050:0407 -v 2>/dev/null | grep -i bcddevice
My firmware version:
bcdDevice 5.12
Creating a new YubiKey U2F/FIDO2 protected ssh key pair
On the desktop (dev) computer, generate a key pair for the protocol as follows. First, insert the YubiKey into a USB port and then type:
$ ssh-keygen -t ecdsa-sk # Older YubiKey firmware
$ ssh-keygen -t ed25519-sk # YubiKey firmware version 5.2.3+ needed
# For example, set the ssh key path (-f) and comment (-C)
$ ssh-keygen -t ecdsa-sk \
    -f ~/.ssh/linode_bastion_host_id_ecdsa_sk \
    -C "${USER}@${HOSTNAME}_$(date +'%Y-%d-%m')_YubiKey"
A note about enrollment errors
On older firmware versions, running the ssh-keygen -t ed25519-sk command fails with the following error because your YubiKey does not support that key type:
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Key enrollment failed: requested feature not supported
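To avoid that enrollment error, here is an added helper script (my own, not from the article) that checks the client's OpenSSH version and reads the YubiKey firmware version from lsusb, then picks ecdsa-sk or ed25519-sk accordingly. It assumes "ssh -V" prints a banner like "OpenSSH_8.2p1 ...", that lsusb -v prints a "bcdDevice 5.43" line, and that this bcdDevice value folds firmware 5.4.3 into "5.43"; the function names are mine and the USB ID 1050:0407 is the one from the article.

```shell
#!/bin/sh
# Added example, not from the original article: confirm the client can use FIDO
# ssh keys and pick the key type this YubiKey's firmware supports, so ssh-keygen
# does not fail with "requested feature not supported".
# Assumptions: "ssh -V" prints "OpenSSH_8.2p1 ...", "lsusb -v" prints a
# "bcdDevice 5.43" line, and that value folds firmware 5.4.3 into "5.43".

# Return 0 when an "ssh -V" banner reports OpenSSH 8.2 or newer.
openssh_has_fido() {
    v=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$v" ] || return 1
    set -- $v
    [ "$1" -gt 8 ] || { [ "$1" -eq 8 ] && [ "$2" -ge 2 ]; }
}

# Turn "5.43" (bcdDevice form) or "5.4.3" into an integer for comparison.
fw_number() (
    IFS=.; set -- $1
    ma=$1; mi=$2; pa=${3:-}
    if [ -z "$pa" ]; then      # two-part form: "43" is minor 4, patch 3
        if [ ${#mi} -ge 2 ]; then pa=${mi#?}; mi=${mi%?}; else pa=0; fi
    fi
    echo $((ma * 10000 + mi * 100 + pa))
)

# ed25519-sk needs firmware 5.2.3+; anything older must use ecdsa-sk.
sk_key_type() {
    if [ "$(fw_number "$1")" -ge "$(fw_number 5.2.3)" ]; then
        echo ed25519-sk
    else
        echo ecdsa-sk
    fi
}

# Build the ssh-keygen command for the chosen type and key file.
keygen_cmd() {
    printf 'ssh-keygen -t %s -f %s -C "%s"\n' "$1" "$2" \
        "${USER:-user}@$(hostname)_$(date +%Y-%m-%d)_YubiKey"
}

main() {
    openssh_has_fido "$(ssh -V 2>&1)" || { echo "OpenSSH 8.2+ required"; return 1; }
    fw=$(lsusb -d 1050:0407 -v 2>/dev/null | awk '/bcdDevice/ { print $2; exit }')
    [ -n "$fw" ] || { echo "no YubiKey with USB ID 1050:0407 detected"; return 1; }
    keygen_cmd "$(sk_key_type "$fw")" "$HOME/.ssh/bastion_id_sk"
}

# Probe real hardware only when lsusb exists; the helpers above work offline.
if command -v lsusb >/dev/null 2>&1; then main; fi
```

The script only prints the ssh-keygen command it would run, so you can review the chosen key type before touching the YubiKey.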
Example for the ed25519-sk ssh key type
My YubiKey firmware version is as follows:
$ lsusb -d 1050:0407 -v 2>/dev/null | grep -i bcddevice
bcdDevice 5.43
Let us create it using the ssh-keygen command. For instance:
$ ssh-keygen -t ed25519-sk \
    -f ~/.ssh/AWS_bastion_host_id_ed25519-sk \
    -C "${USER}@${HOSTNAME}_$(date +'%Y-%d-%m')_YubiKey"
Sample outputs:
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/vivek/.ssh/AWS_bastion_host_id_ed25519-sk
Your public key has been saved in /home/vivek/.ssh/AWS_bastion_host_id_ed25519-sk.pub
The key fingerprint is:
SHA256:wseSOr11MY7X030OiOfjRx5mMIwSPt9GL8yMBRqbmy0 vivek@nixcraft-wks01_2021-16-08_YubiKey
The key's randomart image is:
+[ED25519-SK 256]-+
| |
| o . |
| . * + |
| . oB . * |
| = SBoO + |
| o +Eo+=Bo*. |
| o . o.=.=*o.o|
| . o o o..oo.|
| . .oo .|
+----[SHA256]-----+
Copy and install the public ssh key
Next, you can run the scp/rsync or ssh-copy-id command to copy your public key file to your account on the remote server:
$ ssh-copy-id -i ~/.ssh/linode_bastion_host_id_ecdsa_sk.pub \
    vivek@linode-nixcraft-01
For AWS:
$ ssh-copy-id -i ~/.ssh/AWS_bastion_host_id_ed25519-sk.pub \
    vivek@aws-nixcraft-bastion-elb-001
Sample session (you may be prompted for the password):
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/vivek/.ssh/linode_bastion_host_id_ecdsa_sk.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'vivek@linode-nixcraft-01'"
and check to make sure that only the key(s) you wanted were added.
The above command appended the linode_bastion_host_id_ecdsa_sk.pub public key file to the remote ~/.ssh/authorized_keys file on the server named linode-nixcraft-01, where you want to log in using the YubiKey U2F/FIDO2 key. Make sure you update your ~/.ssh/config file:
Host linode-nixcraft-01
    Hostname 1.2.3.4
    User vivek
    IdentityFile ~/.ssh/linode_bastion_host_id_ecdsa_sk
See the how to use the SSH config file tutorial for more info.
Test it
Now try to log in using the key (first insert the YubiKey and then type the command or hit the Enter key):
$ ssh -i ~/.ssh/linode_bastion_host_id_ecdsa_sk \
    vivek@linode-nixcraft-01
And voila. YubiKey based SSH login will only work as long as you press the button on the YubiKey. You can now remove the older keys from your server. See the following man pages using the man command:
$ man ssh_config
$ man ssh-keygen
$ man ssh
$ man sshd
Should I still put a passphrase on my ssh key?
Yes. I recommend putting a passphrase on all your ssh keys. That way you have a passphrase and a hardware key as 2FA.
How do I deal with a lost or broken YubiKey?
The whole point of the YubiKey is to prevent misuse. But it is human nature, and a YubiKey may get broken or lost. To avoid such a problem, buy two YubiKeys. Use both keys to generate ssh key pairs and install both public keys on the remote servers. Then you can use the backup key when the need arises. Apart from the two keys, always keep verified backups of all important data, including your private and public ssh keys stored in the ~/.ssh/ directory.
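Once the older keys are removed from the server (Test it section) and the backup YubiKey's public key is installed, it is worth checking the remote ~/.ssh/authorized_keys for both conditions. The following audit script is an added example, not the article's own code: it counts FIDO entries (the sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com key types that ssh-keygen writes for ecdsa-sk and ed25519-sk keys), flags any software-only key that still grants access, and warns when fewer than two FIDO keys are installed. The sample files are constructed and their key blobs are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: audit a server's authorized_keys
# after moving to YubiKey-backed logins. It counts FIDO (sk-*) entries, flags any
# plain software key that still grants access, and warns when fewer than two
# FIDO keys are installed (no backup YubiKey enrolled). The sample files below
# are constructed and their key blobs are placeholders, not real keys.

# Print "<sk-count> <other-count>" for the authorized_keys text on stdin.
count_keys() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }        # comments and blank lines
        {
            type = $1                               # options may precede the type
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(sk-|ssh-|ecdsa-)/) { type = $i; break }
            if (type ~ /^sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com$/) sk++; else other++
        }
        END { printf "%d %d\n", sk + 0, other + 0 }'
}

# Return 0 only when every key is hardware-backed and a backup key exists.
audit_authorized_keys() {
    set -- $(count_keys < "$1")
    sk=$1; other=$2; rc=0
    [ "$other" -eq 0 ] || { echo "$other key(s) still allow login without a YubiKey"; rc=1; }
    [ "$sk" -ge 2 ] || { echo "only $sk FIDO key(s): enrol a backup YubiKey"; rc=1; }
    return $rc
}

# Constructed sample: primary and backup YubiKey keys plus one leftover ssh-rsa key.
SAMPLE_MIXED=$(mktemp)
cat > "$SAMPLE_MIXED" <<'EOF'
# keys for vivek (constructed sample)
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhPLACEHOLDER= vivek@nixcraft-wks01_YubiKey
from="192.0.2.0/24" sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5PLACEHOLDER= vivek@nixcraft-wks01_backup_YubiKey
ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER= vivek@old-laptop
EOF
# The same file with the software key removed, as it should look afterwards.
SAMPLE_CLEAN=$(mktemp)
grep -v '^ssh-rsa ' "$SAMPLE_MIXED" > "$SAMPLE_CLEAN"

audit_authorized_keys "$SAMPLE_MIXED" || echo "audit of mixed file: FAIL (expected)"
audit_authorized_keys "$SAMPLE_CLEAN" && echo "audit of clean file: OK"
```

To audit a real server, feed it the file fetched over ssh, for example `ssh vivek@linode-nixcraft-01 cat .ssh/authorized_keys | count_keys`.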
Summing up
This quick guide explained how to configure two-factor authentication (2FA) with a YubiKey hardware USB key on ssh sessions to get the maximum possible security for your ssh keys. Make sure you read my other guides published on nixCraft, such as:
If you have any questions or feedback, feel free to leave a comment.