Hasty Briefs (beta)
Easily Using SSH with FIDO2/U2F Hardware Security Keys

a year ago
  • #SSH
  • #FIDO2
  • #Security
  • New hardware security keys (Yubikey, Nitrokey, Titan) support FIDO2, making SSH authentication easier and more secure.
  • FIDO2 keys improve SSH security by ensuring private keys are never exposed and require physical touch for authentication.
  • Non-resident keys store only a key handle on the PC, with the actual private key encrypted and inaccessible outside the security key.
  • Generating a keypair with `ssh-keygen -t ed25519-sk` or `ssh-keygen -t ecdsa-sk` creates keys that require touching the security key for each use.
  • SSH agent forwarding becomes safer with security keys, as attackers cannot use forwarded credentials without physical access to the key.
  • Multiple security keys can be used with one host by generating separate keypairs for each key and adding all public keys to `authorized_keys`.
  • Resident keys store the key handle on the security key itself, but this weakens security and is not recommended without additional PIN protection.
  • Setting a FIDO2 PIN on the security key adds an extra layer of security, especially for resident keys.
  • Security keys can be used for remote sudo access by adding the key's public key to root's `authorized_keys` file.
  • Troubleshooting tips include resetting locked keys by unplugging them and using `ssh -v` for debugging.
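The points above about multiple keys per host and about granting root access through `authorized_keys` both come down to what that file contains. The following audit script is an added example written for this brief, not code from the summarized article or from OpenSSH: it reads an `authorized_keys` file and warns about entries that are not hardware-backed (key types other than `sk-ssh-ed25519@openssh.com` and `sk-ecdsa-sha2-nistp256@openssh.com`) or that carry the `no-touch-required` option, which removes the physical-touch guarantee the brief relies on. The sample file it builds is constructed for the demonstration (the key blobs are placeholders, not real keys), and the parser assumes that any options field contains no whitespace.

```shell
#!/bin/sh
# Added example: audit an authorized_keys file for entries that weaken the
# FIDO2 guarantees described above. Not part of OpenSSH or the original article.

# Write a constructed sample authorized_keys file to the given path.
# The blobs are placeholders, not real public keys.
write_sample_authorized_keys() {
    cat > "$1" <<'EOF'
# two FIDO2 keys for the same user, one per hardware token
sk-ssh-ed25519@openssh.com AAAA_CONSTRUCTED_BLOB_1 alice@laptop-yubikey
sk-ecdsa-sha2-nistp256@openssh.com AAAA_CONSTRUCTED_BLOB_2 alice@laptop-backupkey
no-touch-required sk-ssh-ed25519@openssh.com AAAA_CONSTRUCTED_BLOB_3 ci-runner
ssh-ed25519 AAAA_CONSTRUCTED_BLOB_4 alice@old-softkey
EOF
}

# Print one line per key ("OK   <comment>" or "WARN <comment>: <reason>") and
# return the number of warnings as the exit status (0 means every key is
# hardware-backed and still requires a touch).
audit_authorized_keys() {
    file="$1"
    warnings=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;                  # skip blank lines and comments
        esac
        # shellcheck disable=SC2086  (word splitting is intended here)
        set -- $line
        options=""
        case "$1" in
            sk-*|ssh-*|ecdsa-*) ;;                # line starts with the key type
            *) options="$1"; shift ;;             # line starts with an options field
        esac
        if [ "$#" -lt 2 ]; then
            warnings=$((warnings + 1))
            printf 'WARN malformed entry: %s\n' "$line"
            continue
        fi
        keytype="$1"
        shift 2                                   # drop key type and key blob
        comment="${*:-<no comment>}"
        reason=""
        case "$keytype" in
            sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
            *) reason="not a FIDO2 key ($keytype)" ;;
        esac
        case ",$options," in
            *,no-touch-required,*)
                reason="${reason:+$reason; }touch requirement disabled" ;;
        esac
        if [ -n "$reason" ]; then
            warnings=$((warnings + 1))
            printf 'WARN %s: %s\n' "$comment" "$reason"
        else
            printf 'OK   %s\n' "$comment"
        fi
    done < "$file"
    return "$warnings"
}

# Demonstration on the constructed sample file.
SAMPLE=$(mktemp)
write_sample_authorized_keys "$SAMPLE"
audit_authorized_keys "$SAMPLE" || printf '%d key(s) need attention\n' "$?"
rm -f "$SAMPLE"
```

Run it against `/root/.ssh/authorized_keys` (or any user's file) to confirm that only touch-requiring hardware keys can log in; a non-zero exit status is convenient for a cron job or a configuration check. The `verify-required` option, which additionally demands the FIDO2 PIN at login, is the counterpart worth adding to entries that grant root.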