In recent months, I have been researching and documenting procedures for securing SSH (Secure Shell) Access to servers and my goal is to choose the best solution that is most secure and also most convenient to use.
On the security front, it needs to have 2FA (two-factor authentication), for example, but I hate typing those 6-digit numbers from Google Authenticator or Approving security prompts from the Microsoft Authenticator App, every time I log in to a new server. This gravitated me towards one solution that I liked the most, from my time working as a DBA (Database Application) Consultant for Google.
Google uses USB Hardware keys made by Yubico for 2FA. You must touch the key when there is a 2FA request to approve. There is no need to type 6-digit numbers, just touch the key after you enter your password. The Yubico USB key automatically signs the request using the cert stored in the physical key. It’s part of Google’s Zerotrust Infrastructure and every new connection (SSH or Web) is protected by 2FA and the 2FA is just a simple touch to the USB.
So my search went in that direction, as I wanted to implement similar technology for our current customers. I found that Google and Yubico developed this tech into their own open standard called Universal 2nd Factor (U2F). This open standard was brought under the umbrella of FIDO Alliance and mixed with WebAuthn, which is geared toward website authentication. During Apple’s, this month’s announcement at WWDC (2022 Apple Worldwide Developers Conference) around PassKeys also falls in the same WebAuthn/U2F category. These developments show that this new standard is here to stay and will shape the next generation of Authentication/2FA Technology.
Yubico already has a product called Security Key that supports these new technologies U2F/WebAuthn. These come in both USB-A, USB-C and, NFC connectivity. There are other vendors that manufacture keys that support the same standards namely SoloKeys and TrustKey. I could buy one of those Yubico Security Keys on Amazon and here is the link to the one I got “Yubico FIDO Security Key C NFC”
In this blog, I like to show you, how to use one of these FIDO/U2F Compliant Hardware Security keys to SSH from a Macbook to a centos9 Linux Server. These keys require new encryption algorithms ed25519-SK and ecdsa-sk to work and these algorithms are included in OpenSSH from version 8.2 and above.
% ssh -Q key|grep ^sk
sk-ssh-ed25519@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
sk-ecdsa-sha2-nistp256@openssh.com
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
If you have OpenSSH version 8.2 or above on your server and client, then in theory you should be able to start using these keys. As always, Apple is a special case, and Macs even though they have OpenSSH v8.6, have Fido protocol disabled by default. On Mac, you can install the latest OpenSSH easily using the brew command. If you don’t have the brew command, then you can get it from the Homebrew website. Homebrew is a Package Manager for Mac, similar to rpm/DNF/apt on Linux. It makes life easy to get software onto your Mac.
% brew install openssh
% /usr/local/bin/ssh -V
OpenSSH_9.0p1, OpenSSL 1.1.1o 3 May 2022
The rest of the steps is very similar to how we normally generate an SSH Key and upload the public key to the server and add it to the authorized_keys file on the server. Note that, If you are using the Red Hat variant of Linux, then the appropriate version of OpenSSH is included from Redhat 9/CentOS 9/Oracle Linux 9 onwards
Generate the key using the below commands. You need to have your security key plugged in and touch the key when it prompts you to generate the private key and public key files. Note that this private key is of no use if you lose the hardware security key. You need both the private key (first factor) and the hardware key (second factor) to login into the server.
% /usr/local/bin/ssh-keygen -t ed25519-sk
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Add the public key (contents of .pub file) to the server-authorized key file ( ~/.ssh/authorized_keys ) and make sure permissions are 600 on that file. Then you should be able to log in with your Fido key
% /usr/local/bin/ssh -i /path/to/private_key_file vasu@10.1.1.101
Confirm user presence for key ED25519-SK SHA256:xxxxxxxyyyyyyzzz ← Need to touch Yubi Key at this step, to let it decrypt the private key and let you login
User presence confirmed
Last login: Wed Jun 8 23:34:33 2022 from 10.1.1.188
[vasu@centos9 ~]$ hostname
centos9.home.local
In summary, this whole U2F/FIDO hardware token technology is very promising. Google and Microsoft already support it for their email offerings Gmail and Outlook. Apple just came on board with their own flavor called Passkeys. Hope to see it in action in more areas soon.