How to use YubiKeys with SSH keys in 2-step verification?

Question

I can setup SSH keypair without Fido U2F as described SSH-agent working over many servers without retyping? Some flag? in the thread. Two step verification would be very good: password for the private key and Fido U2F verification too. I am not sure if we need here Fido/YubiKey server too, as instructed in the thread Yubico Linux Login. My motivation is that I forget so often my passwords which are very long if used in 1-step verifications. 1-step verification is also weak itself although how long and difficult the password is. Therefore, I would like to have 2-step verification in my Debian with keys, because I think keys can improve much security.

Ticket sent to YubiKey team 22nd Feb 2017

Dear Sir/Madam, 

We are thinking how to get 2-step verification with your key and keys in the following thread. Improvements are needed in FIDO U2F and OpenSSH parts. I am thinking how we can push the thing forward with You. Please, say what we can do because the feature request is rather blocked at the moment. 

Ticket in OpenSSH part: https://bugzilla.mindrot.org/show_bug.cgi?id=2319
Thread about the feature request: http://unix.stackexchange.com/q/346771/16920

Best regards, 
Leo

OS: Debian 8.7
Hardware: Asus Zenbook UX303UB
Tickets: #2319 (Jakuje)
Fido U2F key: YubiKey 4

score 5 · Answer 1 · answered Feb 22 '17 at 11:11

5

You can not use U2F with SSH. There was attempt to implement that two years ago when U2F was something new and fancy, but since that I quite never heard about that and there is no progress in that.

If you really want it, you can patch your OpenSSH with the patch attached to this upstream bug, but note that it might have some problems, even though it was reviewed by various people.

answered Feb 22 '17 at 11:11

Jakuje

20,974
7
51
70

1

I would really increase the priority of the enhancement from P5 to P4 or P3 or even higher because the feature is very essential in security. I am following the ticket. I hope it will be completed soon. - - Do you understand what is limiting its proceeding? Any technical issues? – Léo Léopold Hertz 준영 Feb 22 '17 at 11:24
1

There are different ways to increase security which are standard and implemented in OpenSSH. For the U2F there is nobody from U2F driving that nor from OpenSSH team, therefore it is somehow blocked. What is blocking that is mostly specification (it is not in SSH RFCs and there is no reasonable update). – Jakuje Feb 22 '17 at 11:28
Can you please propose somebody in U2F team who I should contact for driving the issue forward? - - So it seems that SSH also has to update for the feature. Who can we contact in OpenSSH team? – Léo Léopold Hertz 준영 Feb 22 '17 at 11:29
1

I don't know anyone from U2F to drive that. OpenSSH team stated their concerns in the comments. – Jakuje Feb 22 '17 at 11:31
I sent a feature request to YubiKey team. I attached it in the body. - - Please, state those comments of OpenSSH team here explicitly shortly. – Léo Léopold Hertz 준영 Feb 22 '17 at 11:38

score 1 · Answer 2 · answered May 27 '20 at 22:55

As it turns out this is now becoming possible. It's recent and there's a few limitations.

It relies on libfido2, enables the use of a "new" key type ecdsa-sk (sk meaning security key) and requires the server to support this key type as well.

As of this morning (1st November 2019), OpenSSH now has experimental U2F/FIDO support, with U2F being added as a new key type "[email protected]" or "ecdsa-sk" for short (the "sk" stands for "security key"). https://marc.info/?l=openssh-unix-dev&m=157259802529972&w=2

This code was released on OpenSSH 8.2 https://www.openssh.com/txt/release-8.2

score 0 · Answer 3 · answered Apr 14 '17 at 06:06

Similar development project about the case supporting YubiKey DB unlock for KeePassX with YubiKeys. I think the project should be completed first before thinking to support the support for SSH because it should be easier for an independent application and much workforce there.

Karol Zlot · Answer 4 · 2019-01-20T05:09:34.620

0

Method using pam_ssh + pam_yubico: http://www.ultrabug.fr/hardening-ssh-authentication-using-yubikey-12/

Alternatively: I am not sure if it is what you need, but Teleport supports U2F

It is open source

edited Jan 20 '19 at 05:09

answered Jan 20 '19 at 05:00

Karol Zlot

101
2

Hi, Welcome, avoid providing external websites, as these links may not valid in future – TPS Jan 20 '19 at 06:10

How to use YubiKeys with SSH keys in 2-step verification?

4 Answers4