FIDO devices are supported by the public key types “ecdsa-sk” and “ed25519-sk”, along with the corresponding certificate types. This support was added in OpenSSH 8.2, so both the client and the server need at least that version.
Debian Buster (stable) ships version 7.9, so a newer version has to be installed from Debian Buster Backports.
If you use Debian unstable, or are reading this after Debian Bullseye has been released, you can skip this step.
Edit ‘/etc/apt/sources.list’ and add the following line:
deb http://deb.debian.org/debian buster-backports main
Update the package list and install openssh-server from backports:
apt update
apt-get -t buster-backports install "openssh-server"
You should now have version 8.4 of openssh-server installed on your server (‘dpkg -s openssh-server’ shows the installed version).
The next step is to create FIDO U2F keys on your local machine, which also needs OpenSSH 8.2 or newer:
ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
The file ‘~/.ssh/id_ecdsa_sk’ holds a key handle that only works together with the token that created it, so you may want to repeat this step with your backup stick:
ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk2
You can use these new public keys just like your old ones (without FIDO). Simply put them on your server:
ssh-copy-id -i ~/.ssh/id_ecdsa_sk.pub YOUR_SERVER_NAME
and repeat for the backup stick:
ssh-copy-id -i ~/.ssh/id_ecdsa_sk2.pub YOUR_SERVER_NAME
Alternatively, copy the contents of ‘id_ecdsa_sk.pub’ and ‘id_ecdsa_sk2.pub’ into ‘~/.ssh/authorized_keys’ on your server.
If you previously used normal public key authentication without FIDO U2F, you may want to remove the old key from that file once you have verified that the new keys work.
When you now open a new SSH connection, your YubiKey has to be plugged into your PC and you have to touch it to establish the connection.
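The following script is an added example and not part of the original post. It wraps the two checks a practitioner would want around the steps above: parsing an ‘ssh -V’ banner to confirm that OpenSSH is at least 8.2 (the version that introduced the -sk key types), and counting the entries in an authorized_keys file that are not sk key types, so you can see which old non-FIDO keys are still accepted after the switch. The authorized_keys content used in the demo is constructed sample data with placeholder key blobs, and the counting function assumes plain lines without a leading options field (for example ‘no-pty,…’), which it would miscount.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight and post-switch checks
# for FIDO U2F keys with OpenSSH on Debian.

# Extract "major.minor" from an "ssh -V" banner such as
# "OpenSSH_8.4p1 Debian-5, OpenSSL 1.1.1n  15 Mar 2022".
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Succeed (exit 0) when the banner describes OpenSSH 8.2 or newer,
# the first release that understands ecdsa-sk / ed25519-sk keys.
supports_sk_keys() {
    v=$(openssh_version "$1")
    [ -n "$v" ] || return 1
    major=${v%%.*}
    minor=${v#*.}
    if [ "$major" -gt 8 ]; then return 0; fi
    if [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; then return 0; fi
    return 1
}

# Print the number of authorized_keys entries in file "$1" whose key type is
# not one of the sk (FIDO) key or certificate types. Comments and blank lines
# are skipped. Assumption: entries start directly with the key type, i.e. no
# leading options field.
count_non_sk_keys() {
    grep -v -E '^[[:space:]]*(#|$)' "$1" \
      | grep -c -v -E '^(sk-ecdsa-sha2-nistp256|sk-ssh-ed25519)(-cert-v01)?@openssh\.com ' || true
}

# Stand-alone demo: check the locally installed client (if any) ...
if command -v ssh >/dev/null 2>&1; then
    banner=$(ssh -V 2>&1)
    if supports_sk_keys "$banner"; then
        echo "client supports -sk keys: $banner"
    else
        echo "client too old for -sk keys (need 8.2+): $banner"
    fi
fi

# ... and inspect a constructed authorized_keys file: one old RSA key plus the
# two sk keys from the main stick and the backup stick. Key blobs are placeholders.
demo_file=$(mktemp)
printf '%s\n' \
  '# constructed sample authorized_keys' \
  'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCPLACEHOLDEROLDKEY user@laptop' \
  'sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDERSTICK1 user@laptop' \
  'sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDERSTICK2 user@laptop' \
  > "$demo_file"
echo "non-FIDO keys still in sample authorized_keys: $(count_non_sk_keys "$demo_file")"
rm -f "$demo_file"
```

Run it on the server against the real file with ‘count_non_sk_keys ~/.ssh/authorized_keys’ after the old key has been removed; the expected answer is 0. The version check is deliberately based on the banner text so it can be applied to the output of ‘ssh -V’ on the client and to the server's ‘sshd -V’ or package version string alike, without needing a FIDO token attached.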
This Post Has One Comment
Scott, 13 Dec 2021
Thanks a lot, that was super helpful!