FIDO devices are supported by the public key types “ecdsa-sk” and “ed25519-sk”, along with corresponding certificate types. This is supported in OpenSSH from version 8.2.
Debian Buster (stable) delivers version 7.9, so we need to install a newer version via Debian Buster Backports.
If you use Debian unstable, or read this after Debian Bullseye has been released, you can skip this step.
Edit ‘/etc/apt/sources.list’ and add the following line:
deb http://deb.debian.org/debian buster-backports main
Update the package list and update openssh-server:
apt update
apt-get -t buster-backports install "openssh-server"
Now you should have version 8.4 of openssh-server installed on your server.
The next step is to create FIDO U2F keys on your local machine:
ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
You may want to repeat this step with your backup stick:
ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk2
You can use these new public keys like your old ones (without FIDO). Just put them on your server:
ssh-copy-id -i ~/.ssh/id_ecdsa_sk.pub YOUR_SERVER_NAME
and repeat for the backup stick:
ssh-copy-id -i ~/.ssh/id_ecdsa_sk2.pub YOUR_SERVER_NAME
Alternatively, copy the contents of the files ‘id_ecdsa_sk.pub’ and ‘id_ecdsa_sk2.pub’ into the file ‘.ssh/authorized_keys’ on your server.
If you previously used normal public key authentication without FIDO U2F, you may want to remove the old key from that file.
If you now open a new SSH connection, your YubiKey has to be connected to your PC and you have to touch it to establish the connection.
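To find the old non-FIDO keys mentioned above, the following shell function lists every authorized_keys entry whose key type is not one of the FIDO-backed types. It is an added example, not part of the original tutorial; the function names and the sample entries (with shortened placeholder key blobs) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): list authorized_keys entries
# that are NOT FIDO-backed, so leftover pre-FIDO keys can be reviewed.

# Prints "LINE_NUMBER KEY_TYPE" per non-FIDO entry. Reads the files given as
# arguments, or stdin when called without arguments.
list_non_fido_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        {
            line = $0
            # Drop quoted option values (command="...", from="...") so their
            # contents cannot be mistaken for a key type.
            gsub(/"([^"\\]|\\.)*"/, "", line)
            n = split(line, f)
            for (i = 1; i < n; i++) {
                # The key type is the field directly before the base64 key
                # blob, and an SSH key blob always starts with "AAAA".
                if (f[i] ~ /^(sk-)?(ssh|ecdsa)-[A-Za-z0-9@.-]+$/ && f[i+1] ~ /^AAAA/) {
                    if (f[i] !~ /^sk-(ecdsa-sha2-nistp256|ssh-ed25519)@openssh\.com$/)
                        print FNR, f[i]
                    break
                }
            }
        }
    ' "$@"
}

# Constructed sample input; the key blobs are shortened placeholders.
sample_authorized_keys() {
    cat <<'EOF'
# keys for user deploy
ssh-rsa AAAAB3NzaC1yc2E= old-laptop
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNh= yubikey-main
command="echo ssh-rsa AAAA",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1= backup-job
no-agent-forwarding sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1l= yubikey-backup
EOF
}

# Prints "2 ssh-rsa" and "4 ssh-ed25519" for the sample above.
sample_authorized_keys | list_non_fido_keys
```

On the server, run it against the real file with `list_non_fido_keys ~/.ssh/authorized_keys`; an empty result means every entry requires a FIDO device.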