Sebastian Mogilowski's Blog

Just another blog about administration, linux and other stuff

Securing SSH with FIDO U2F (YubiKey) on Debian

8 March 2021 by sebastian

FIDO devices are supported by the public key types “ecdsa-sk” and “ed25519-sk”, along with corresponding certificate types. This is supported in OpenSSH from version 8.2.

Debian Buster (stable) delivers version 7.9, so we need to install a newer version via Debian Buster Backports.

If you use Debian unstable or read this when Debian Bullseye is already released you can skip this step.

Edit ‘/etc/apt/sources.list’ and add the following line:

deb http://deb.debian.org/debian buster-backports main

Update the package list and update openssh-server:

apt update
apt-get -t buster-backports install "openssh-server"

Now you should have version 8.4 of openssh-server installed on your server.

The next step is to create FIDO U2F keys on your local machine:

ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk

You may want to repeat this step with your backup stick:

ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk2

You can use these new public keys like your old ones (without FIDO). Just put them on your server:

ssh-copy-id -i ~/.ssh/id_ecdsa_sk.pub YOUR_SERVER_NAME

and repeat for the backup stick:

ssh-copy-id -i ~/.ssh/id_ecdsa_sk2.pub YOUR_SERVER_NAME

Alternatively, copy the contents of the files ‘id_ecdsa_sk.pub’ and ‘id_ecdsa_sk2.pub’ into ‘~/.ssh/authorized_keys’ on your server.

If you previously used normal public key authentication without FIDO U2F, you may want to remove the old key from that file.

When you now open a new SSH connection, your YubiKey has to be plugged into your PC and you have to touch it to establish the connection.
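As an added check that is not part of the original post, here is a small POSIX shell helper covering the two prerequisites the steps above rely on: the local OpenSSH must be at least 8.2 to handle ecdsa-sk/ed25519-sk keys, and after removing the old key the server's authorized_keys should contain only FIDO-backed (sk-) key types. The function names and the sample authorized_keys lines are my own.

```shell
#!/bin/sh
# Added helper (not from the original post). Function names are assumptions.

# Returns 0 if an "ssh -V" banner reports OpenSSH >= 8.2, the first release
# with FIDO (ecdsa-sk / ed25519-sk) support; 2 if the banner is unparseable.
openssh_supports_fido() {
    banner="$1"
    # Turn "OpenSSH_8.4p1 Debian-5~bpo10+1, OpenSSL ..." into "8 4"
    ver=$(printf '%s\n' "$banner" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver
    major=$1
    minor=$2
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; }
}

# Prints the key type of every authorized_keys entry that is NOT FIDO-backed,
# so you can confirm the old non-FIDO key really was removed. Comment and
# blank lines are skipped; leading options (e.g. "no-pty,command=...") are
# tolerated because the first field that looks like a key type is used.
non_fido_keys() {
    file="$1"
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                    if ($i !~ /^sk-(ecdsa|ssh-ed25519)/) print $i
                    break
                }
            }
        }' "$file"
}

# Usage on the local machine: ssh prints its version banner on stderr.
if openssh_supports_fido "$(ssh -V 2>&1)"; then
    echo "local ssh is FIDO-capable"
else
    echo "local ssh is too old for ecdsa-sk/ed25519-sk keys (need >= 8.2)"
fi
```

On the server, `non_fido_keys ~/.ssh/authorized_keys` should print nothing once only the YubiKey keys remain.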

Links:
https://developers.yubico.com/SSH/

Category: Linux, System administration Tags: Buster, debian, FIDO, U2F, Yubikey
