Securing SSH with FIDO U2F (YubiKey) on Debian

FIDO devices are supported by the public key types “ecdsa-sk” and “ed25519-sk”, along with corresponding certificate types. This is supported in OpenSSH from version 8.2.

Debian Buster (stable) delivers version 7.9, so we need to install a newer version via Debian Buster Backports.

If you use Debian unstable, or read this after Debian Bullseye has been released, you can skip this step.

Edit ‘/etc/apt/sources.list’ and add the following line:

deb buster-backports main

Update the package list and install openssh-server from backports:

apt update
apt-get -t buster-backports install "openssh-server"

Now you should have version 8.4 of openssh-server installed on your server.

The next step is to create FIDO U2F keys on your local machine:

ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk

You may want to repeat this step with your backup stick:

ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk2

You can use these new public keys like your old ones (without FIDO). Just put them on your server:

ssh-copy-id -i ~/.ssh/ YOUR_SERVER_NAME

and repeat for the backup stick:

ssh-copy-id -i ~/.ssh/ YOUR_SERVER_NAME

Alternatively, copy the contents of the files ‘’ and ‘’ into .ssh/authorized_keys on your server.

If you previously used normal public key authentication without FIDO U2F, you may want to remove the old key from that file.

When you now open a new SSH connection, your YubiKey has to be plugged into your PC and you have to touch it to establish the connection.
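As an added check that is not part of the original post: a small POSIX shell script that verifies an OpenSSH version string is new enough for the sk key types and audits an authorized_keys file for leftover non-FIDO keys (the cleanup step described above). The key blobs in the embedded sample are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: check that an OpenSSH version
# string is >= 8.2 (first release with the ecdsa-sk/ed25519-sk types) and
# audit an authorized_keys file so that only FIDO-backed keys remain.

# Usage: ssh_supports_sk "$(ssh -V 2>&1)"   (ssh -V prints to stderr).
# Returns 0 for OpenSSH 8.2 and newer, 1 for older or unrecognised strings.
ssh_supports_sk() {
    ver=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    set -- $ver
    [ "$1" -gt 8 ] || { [ "$1" -eq 8 ] && [ "$2" -ge 2 ]; }
}

# Reads authorized_keys lines from stdin, prints "sk <type> <comment>" or
# "legacy <type> <comment>" per key and returns 0 only if every key is a
# FIDO (sk-*) key. Blank lines and # comments are skipped; a leading
# options field is tolerated as long as it contains no spaces.
audit_authorized_keys() {
    legacy=0
    set -f   # no globbing while word-splitting the key lines
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line
        # skip the options field: the key type is the first ssh-/ecdsa-/sk- token
        while [ $# -gt 0 ]; do
            case "$1" in ssh-*|ecdsa-*|sk-*) break ;; esac
            shift
        done
        if [ $# -lt 2 ]; then
            echo "malformed $line"; legacy=$((legacy + 1)); continue
        fi
        case "$1" in
            sk-ecdsa-sha2-nistp256@openssh.com|sk-ssh-ed25519@openssh.com)
                echo "sk $1 ${3:-}" ;;
            *)  echo "legacy $1 ${3:-}"; legacy=$((legacy + 1)) ;;
        esac
    done
    set +f
    [ "$legacy" -eq 0 ]
}

# Constructed sample (placeholder blobs, not real keys): the two FIDO keys
# from the migration plus one leftover RSA key that the audit should flag.
SAMPLE_KEYS='sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDER1 user@laptop
sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDER2 user@laptop-backup
# old key, should have been removed
ssh-rsa AAAAPLACEHOLDER3 user@laptop-old'
printf '%s\n' "$SAMPLE_KEYS" | audit_authorized_keys || echo "audit: legacy keys present"
```

To audit a real server, run `audit_authorized_keys < ~/.ssh/authorized_keys` and remove any line reported as legacy once the FIDO keys are confirmed to work.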


This Post Has One Comment

  1. Thank you very much, that was super helpful!
