Configuring a YubiKey for ssh resident keys
FIDO/U2F OpenSSH keys consist of two parts: a 'key handle' stored in the private key file on disk, and a per-device private key that is unique to each FIDO/U2F token.
In summary, the non-resident handle is generated with ssh-keygen (the command as given on this page, with the path written out in full):

```sh
ssh-keygen -t ed25519-sk -O application=ssh:greater -f ~/.ssh/ed25519_sk_greater
```
- Creating keys
- Using the token
- Resident
If you haven't heard, OpenSSH recently ([2020-02-14 Fri]) gained support for FIDO2/U2F hardware authenticators like the YubiKey 5!
This allows one to log into remote hosts with the touch of a button and it makes me feel like I am living in the future!
Some of these hardware tokens even support multiple slots, allowing one to have multiple keys!
On top of all that, the tokens can do 'resident' and 'non-resident' keys. 'Resident' means that the key is effectively retrievable from the token (it doesn't actually get the key - it's a handle that lets one use the hardware key on the device).
This got me thinking about how I could use a single token (with two keys) to access the various machines I use.
In my use case, I have two types of machines I want to connect to:
- greater security: machines I want to grant access to from a very select number of devices. The greater key will require me to copy the 'key handle' to the machines I want to use it from.
- lesser security: machines I want to access from devices that may not be as secure. The lesser key will be 'resident' to the YubiKey. This means it can be downloaded from the YubiKey itself. Because of this, it should be trusted a bit less.
When creating FIDO keys (really they are key handles) one needs to explicitly tell the tool being used that it needs to pick the next slot. Otherwise generating the second key will clobber the first!
Generating the non-resident handle
The greater key will require me to send the ~/.ssh/ed25519_sk_greater handle to the various hosts I want to use it from.
We will be using ssh-keygen to create our resident key.
Generating the resident handle
Because resident keys allow for the handle to be downloaded from the token, I have changed the PIN on my token. The PIN is the only defense against a stolen key. Note: the PIN can be a full passphrase!
Again via ssh-keygen.
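The two ssh-keygen invocations for the greater and lesser handles, as an added example rather than the post's own code. The ssh:greater application string and the ~/.ssh/ed25519_sk_greater path are the ones this page uses; the ssh:lesser application string, the ~/.ssh/ed25519_sk_lesser filename, the verify-required option and the SSH_KEYGEN/SSH_DIR overrides are my assumptions. Giving each handle its own application string is what makes the token mint a separate key instead of clobbering the first one.

```shell
#!/bin/sh
# Added example (not the original post's code): create the two FIDO handles on
# one token without the second clobbering the first. Each handle gets its own
# application string, so the token derives a distinct key for each of them.
set -e

SSH_KEYGEN="${SSH_KEYGEN:-ssh-keygen}"   # set SSH_KEYGEN=echo for a dry run (assumed override)
SSH_DIR="${SSH_DIR:-$HOME/.ssh}"         # where the handle files go (assumed override)

# Non-resident handle (the post's 'greater' key): it exists only in this file,
# so it has to be copied to every machine you want to ssh *from*.
gen_nonresident_handle() {
    "$SSH_KEYGEN" -t ed25519-sk \
        -O application=ssh:greater \
        -f "$SSH_DIR/ed25519_sk_greater"
}

# Resident handle (the post's 'lesser' key): stored on the token and
# downloadable by whoever holds it, so the token PIN is its only defense.
# verify-required (assumed here, not in the post) makes the PIN mandatory for
# every signature as well, not just for downloading the handle.
gen_resident_handle() {
    "$SSH_KEYGEN" -t ed25519-sk \
        -O resident \
        -O application=ssh:lesser \
        -O verify-required \
        -f "$SSH_DIR/ed25519_sk_lesser"
}

# After a real run the two public keys must differ; identical keys would mean
# the second generation overwrote the first. Returns 0 when they are distinct.
handles_are_distinct() {
    ! cmp -s "$SSH_DIR/ed25519_sk_greater.pub" "$SSH_DIR/ed25519_sk_lesser.pub"
}

# Run as: sh this-script.sh generate   (both steps prompt for touch / PIN)
if [ "${1:-}" = "generate" ]; then
    gen_nonresident_handle
    gen_resident_handle
    handles_are_distinct && echo "two distinct FIDO handles created in $SSH_DIR"
fi
```

Running it with SSH_KEYGEN=echo prints the two command lines instead of touching the token, which is a quick way to confirm the application strings differ before you generate anything for real.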
Resident
The resident key can be used by adding it to ssh-agent or by downloading the handle / public key using ssh-keygen:
Transient usage with ssh-add
This will prompt for the PIN (which should be set as it's the only defense against a stolen key!)
No handle files will be placed on the machine you run this on. Handy for machines you want to ssh from but don't fully trust.
Permanent usage with ssh-agent
This will also prompt for the PIN, however, it will create the private key handle and corresponding public key and place them in $CWD.
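The transient and permanent ways of using the resident handle, as an added example that is not the post's own code. ssh-add -K and ssh-keygen -K are the real OpenSSH options for loading and downloading resident keys; the SSH_ADD/SSH_KEYGEN overrides, the agent check and the destination-directory argument are my assumptions.

```shell
#!/bin/sh
# Added example (not the original post's code): the two ways to use the
# resident ('lesser') handle from a client machine. Both prompt for the PIN.
set -e

SSH_ADD="${SSH_ADD:-ssh-add}"            # set SSH_ADD=echo for a dry run (assumed override)
SSH_KEYGEN="${SSH_KEYGEN:-ssh-keygen}"   # set SSH_KEYGEN=echo for a dry run (assumed override)

# Transient: ssh-add -K loads the resident handles from the token straight into
# the running agent. Nothing is written to disk, so this suits a machine you do
# not fully trust; the handles disappear when the agent exits.
load_resident_into_agent() {
    [ -n "${SSH_AUTH_SOCK:-}" ] || {
        echo "no ssh-agent running (SSH_AUTH_SOCK is unset)" >&2
        return 1
    }
    "$SSH_ADD" -K
}

# Permanent: ssh-keygen -K writes the handle and public key files into the
# current directory, so run it from the directory where they should live.
# The handle file is as sensitive as any private key: keep the directory
# owner-only (ssh-keygen itself creates the handle file with mode 0600).
download_resident_handles() {
    dest="${1:-$HOME/.ssh}"   # destination directory (assumed argument)
    mkdir -p "$dest"
    chmod 700 "$dest"
    (cd "$dest" && "$SSH_KEYGEN" -K)
}
```

Use load_resident_into_agent on a borrowed or less trusted machine and download_resident_handles only where you are happy to leave a handle file behind; on either path the PIN you set on the token is what stands between a stolen key and a login.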
Non-resident
The non-resident key will only work from hosts that have the handle (in our case ~/.ssh/ed25519_sk_greater). As such, the handle must be copied to the machines you want to allow access from.
Once the handle is in place, you can specify its usage in ~/.ssh/config:
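A ~/.ssh/config stanza that pins the non-resident handle to the hosts it is meant for, as an added example rather than the post's own configuration. The ~/.ssh/ed25519_sk_greater path is the one this page uses; the greater-*.example.net host pattern, the IdentitiesOnly setting and the file-path arguments are my assumptions.

```shell
#!/bin/sh
# Added example (not the original post's code): append a Host stanza for the
# greater-security machines that uses only the non-resident FIDO handle.
set -e

# Appends the stanza to $1 (default ~/.ssh/config) for the handle at $2.
# IdentitiesOnly stops ssh from offering every key the agent happens to hold,
# so the greater handle is the only identity tried for these hosts and the
# lesser (resident) key is never presented to them. Refuses to write a stanza
# for a handle that has not been copied into place yet.
write_sk_config() {
    cfg="${1:-$HOME/.ssh/config}"                 # assumed argument
    handle="${2:-$HOME/.ssh/ed25519_sk_greater}"  # handle path from the post
    [ -f "$handle" ] || {
        echo "handle $handle is missing: copy it to this machine first" >&2
        return 1
    }
    chmod 600 "$handle"
    cat >>"$cfg" <<EOF

# greater-security hosts: reachable only with the non-resident FIDO handle
Host greater-*.example.net
    IdentityFile $handle
    IdentitiesOnly yes
EOF
    chmod 600 "$cfg"
}

# Check: ask ssh for the effective configuration of one host and print the
# identity file(s) it would actually offer. Needs ssh on PATH.
show_effective_identity() {
    ssh -G -F "${1:-$HOME/.ssh/config}" "$2" | grep -i '^identityfile'
}
```

After writing the stanza, show_effective_identity ~/.ssh/config greater-db.example.net should list only the greater handle; if it also lists the default ~/.ssh/id_* files, IdentitiesOnly is not taking effect for that host pattern.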