8

Is there any mechanism to forward access to a U2F/FIDO security key (such as a Yubikey) over SSH? I'd like to be able to use my local security key to authorize sudo access on a remote host.

Dessa Simpson
  • 509
  • 3
  • 28

1 Answer

2

There isn't native support for this in SSH, but there are some possibilities.

If you can cause the security key to be read over a Unix socket, you can forward a Unix socket over SSH in recent versions. That, of course, depends on what tooling you're using to read it.

Alternately, if you're using the latest OpenSSH (8.2), there's built-in support for FIDO security keys, and the SSH agent should know how to handle them. If you use Debian's libpam-ssh-agent-auth on the server, then you can authenticate with your FIDO2 ssh key via your forwarded agent.

bk2204
  • 3,571
  • 5
  • 9
  • 1
    Turns out that currently (Nov 2021) the solution with libpam-ssh-agent-auth does work; however, not with ecdsa-sk or ed25519-sk key types, as they are not recognized by libpam-ssh-agent-auth. So you can use FIDO for ssh login, but then would have to fall back to another ssh key type for sudo auth. – nebulon42 Nov 01 '21 at 14:49