Securing SSH with FIDO U2F (YubiKey) on Debian

FIDO devices are supported by the public key types “ecdsa-sk” and “ed25519-sk”, along with corresponding certificate types. This is supported in OpenSSH from version 8.2.

Debian Buster (stable) delivers version 7.9, so we need to install a newer version via Debian Buster Backports.

If you use Debian unstable or read this when Debian Bullseye is already released you can skip this step.

Edit ‘/etc/apt/sources.list’ and add the following line:

deb http://deb.debian.org/debian buster-backports main

Update the package list and update openssh-server:

apt update
apt-get -t buster-backports install "openssh-server"

Now you should have version 8.4 of openssh-server installed on your server.

The next step is to create FIDO U2F keys on your local machine:

ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk

You may want to repeat this step with your backup stick:

ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk2

You can use these new public keys like your old ones (without FIDO). Just put them on your server:

ssh-copy-id -i ~/.ssh/id_ecdsa_sk.pub YOUR_SERVER_NAME

and repeat for the backup stick:

ssh-copy-id -i ~/.ssh/id_ecdsa_sk2.pub YOUR_SERVER_NAME

Or copy the contents of the files ‘id_ecdsa_sk.pub’ and ‘id_ecdsa_sk2.pub’ into ‘~/.ssh/authorized_keys’ on your server.

If you previously used normal public key authentication without FIDO U2F, you may want to remove the old key from that file.

If you now open a new SSH connection, your YubiKey has to be plugged into your PC and you have to touch it to establish the connection.
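Two checks that go with the steps above, as an added example (this is not code from the original post or from Yubico): a function that tells from the output of ‘ssh -V’ whether the installed OpenSSH is new enough for the “-sk” key types (8.2 or later, as stated above), and a small audit of an authorized_keys file that counts FIDO entries versus legacy entries, so you can confirm that the old non-FIDO key really is gone after the switch. The key type names, the version strings and the sample authorized_keys file are constructed for the example; the key material in it is a placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not part of the original post.

# Key types OpenSSH writes for FIDO-backed keys in .pub files and authorized_keys.
SK_TYPES='sk-ecdsa-sha2-nistp256@openssh.com sk-ssh-ed25519@openssh.com'

# openssh_supports_sk "VERSION_STRING" -> exit 0 if the version is >= 8.2.
# Feed it the output of:  ssh -V 2>&1   (ssh prints its version on stderr)
openssh_supports_sk() {
    v=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$v" ] || return 1          # not an OpenSSH version string
    major=${v% *}
    minor=${v#* }
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; }
}

# is_sk_type TYPE -> exit 0 if TYPE is one of the FIDO key types.
is_sk_type() {
    for t in $SK_TYPES; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# key_type_of LINE -> prints the key-type token of one authorized_keys line.
# A line may start with an options field (e.g. restrict,from="...");
# the key type is the first word that looks like an OpenSSH key type.
key_type_of() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' | while IFS= read -r w; do
        case "$w" in
            ssh-*|ecdsa-*|sk-*) printf '%s\n' "$w"; break ;;
        esac
    done
}

# audit_authorized_keys FILE -> prints "<fido-count> <legacy-count>".
# Blank lines and comments are ignored; a legacy count of 0 means the
# file contains only FIDO-backed keys.
audit_authorized_keys() {
    sk=0
    legacy=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        t=$(key_type_of "$line")
        [ -z "$t" ] && continue
        if is_sk_type "$t"; then
            sk=$((sk + 1))
        else
            legacy=$((legacy + 1))
        fi
    done < "$1"
    echo "$sk $legacy"
}

# Constructed sample authorized_keys: two FIDO keys (main and backup stick)
# plus one old RSA key that should have been removed. Key blobs are placeholders.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
# constructed sample, not a real authorized_keys file
sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDERKEY1 user@laptop
sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDERKEY2 user@laptop-backup
restrict,from="192.0.2.10" ssh-rsa AAAAPLACEHOLDERKEY3 old-key
EOF

# Constructed version strings in the shape ssh -V prints them.
OLD_VERSION='OpenSSH_7.9p1 Debian-10+deb10u2, OpenSSL 1.1.1d  10 Sep 2019'
NEW_VERSION='OpenSSH_8.4p1 Debian-2~bpo10+1, OpenSSL 1.1.1d  10 Sep 2019'

# Report when run directly.
if openssh_supports_sk "$NEW_VERSION"; then
    echo "$NEW_VERSION: supports ecdsa-sk/ed25519-sk"
fi
if ! openssh_supports_sk "$OLD_VERSION"; then
    echo "$OLD_VERSION: too old, install from buster-backports"
fi
result=$(audit_authorized_keys "$SAMPLE_FILE")
echo "FIDO keys: ${result% *}, legacy keys: ${result#* }"
```

On a real server run ‘audit_authorized_keys ~/.ssh/authorized_keys’ instead of the sample file; a legacy count above zero means a key that does not require the YubiKey touch is still accepted.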

Links:
https://developers.yubico.com/SSH/

This Post Has One Comment

  1. Thank you very much, this was super helpful!
