Yubikey

Commands

Command                                                                    Description
ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible  programs slot two with challenge-response
ykpamcfg -2 -v                                                             stores the initial challenge and expected response in ~/.yubico/challenge-

OpenSSH with U2F (Yubikey)

On February 14th 2020, the OpenBSD team released OpenSSH 8.2, which supports FIDO (Fast Identity Online) U2F security keys.

Method 1 (preferred) - key-pair stored locally on client

Preparation

  1. Ensure the OpenSSH version is at least 8.2: ssh -V
  2. Check the Yubikey firmware version: lsusb -v | grep -A2 -i yubico | grep -i bcdDevice
  3. Choose the algorithm based on the Yubikey firmware version
    • Yubikeys with version 5.2.3 and higher support ed25519-sk
    • Yubikeys below version 5.2.3 support ecdsa-sk
  4. The Yubico libsk-libfido2.so middleware library must be installed on your local host

The sk extension stands for security key.
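The preparation checks above as a script, an added example that is not from the original page. It assumes the `ssh -V` banner starts with "OpenSSH_<major>.<minor>", that lsusb reports the YubiKey firmware as a BCD bcdDevice value (5.23 meaning firmware 5.2.3), and uses `ssh -Q key` to confirm that ssh was built with FIDO key support.

```shell
#!/bin/sh
# Added example (not from the original page): automates the preparation
# checks. Assumptions: `ssh -V` prints "OpenSSH_<major>.<minor>...", and
# `lsusb -v` shows the YubiKey firmware as a BCD "bcdDevice  5.23" line,
# which this script reads as firmware 5.2.3 (one digit per component).

# Map a dotted version to a sortable integer: "5.2.3" -> 50203, "8.2" -> 80200.
version_num() {
    printf '%s' "$1" | awk -F. '{ printf "%d", $1 * 10000 + $2 * 100 + $3 }'
}

# Succeeds when version $1 is at least version $2.
version_ge() {
    [ "$(version_num "$1")" -ge "$(version_num "$2")" ]
}

# Extract "8.2" from the `ssh -V` banner (ssh writes it to stderr).
openssh_version() {
    printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9]*\.[0-9]*\).*/\1/p'
}

# Turn the first lsusb "bcdDevice 5.23" line into the firmware string "5.2.3".
yubikey_firmware() {
    printf '%s\n' "$1" \
      | sed -n 's/.*bcdDevice *\([0-9]*\)\.\([0-9]\)\([0-9]\).*/\1.\2.\3/p' \
      | head -n 1
}

# Rule from the preparation list: firmware 5.2.3+ gets ed25519-sk, older ecdsa-sk.
sk_key_type() {
    if version_ge "$1" 5.2.3; then echo ed25519-sk; else echo ecdsa-sk; fi
}

# Live checks against this workstation; run as `sh prep.sh --check` so the
# functions above can also be sourced without a YubiKey plugged in.
if [ "${1:-}" = "--check" ]; then
    ver=$(openssh_version "$(ssh -V 2>&1)")
    version_ge "$ver" 8.2 || { echo "OpenSSH $ver is older than 8.2"; exit 1; }
    # `ssh -Q key` lists sk-* types only when ssh was built with FIDO support.
    ssh -Q key | grep -q '^sk-ssh-ed25519@openssh.com$' \
      || { echo "ssh has no FIDO/U2F key support"; exit 1; }
    fw=$(yubikey_firmware "$(lsusb -v 2>/dev/null | grep -A2 -i yubico | grep -i bcddevice)")
    [ -n "$fw" ] || { echo "no YubiKey found on USB"; exit 1; }
    echo "OpenSSH $ver, YubiKey firmware $fw: use ssh-keygen -t $(sk_key_type "$fw")"
fi
```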

Generate SSH key-pair

After the preparation steps are done, we can create the key pair:

ssh-keygen -t ed25519-sk -C "$(hostname)-$(date +'%d-%m-%Y')-physical_yubikey_number"

Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter file in which to save the key (/home/$USER/.ssh/id_ecdsa_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/$USER/.ssh/id_ed25519_sk
Your public key has been saved in /home/$USER/.ssh/id_ed25519_sk.pub
The key fingerprint is:
SHA256:esvq6KPZ5FGttkaYUUeUcf/Oo0hhsRAaB6NKN48kkeo myhostname-13-03-2020-1234567
The key's randomart image is:
+-[ ED25519-SK ]--+
|  ..  ++*o.      |
|  .. ..=oo .     |
| .o =.... . .    |
|.. =.+ . . o .   |
|. . .+o S +   .  |
| E  o..o . . o   |
|    o.+ . .   +  |
|   =.+.+ o . . . |
|  oo=++.o . .    |
+----[SHA256]-----+

Add your SSH key-pair

The next step is to place the public key in the authorized_keys file on the remote server:

$ ssh-copy-id -i ~/.ssh/id_ed25519_sk.pub myuser@myfance_remote.server.at

Test U2F auth

With the public key in place on the remote server, we are ready to test it. Just run your usual ssh command and tap the key when asked:

$ ssh -i ~/.ssh/id_ed25519_sk myuser@myfance_remote.server.at
Confirm user presence for key ED25519-SK SHA256:esvq6KPZ5FGttkaYUUeUcf/Oo0hhsRAaB6NKN48kkeo
[Tap your YubiKey U2F Security Key now]
Last login: Fri Jan 13 09:09:09 2021 from 13.37.21.42

Welcome to your Remote-Host

myuser@myfance_remote$

Method 2 - key-pair stored on yubikey

Preparation

Same preparation steps as in method 1.

Generate SSH key-pair

Add your SSH key-pair

Test U2F auth

Limit to U2F sessions only

If you only want to allow U2F sessions on the remote server, adapt the /etc/ssh/sshd_config file by adding the following line. Keep an existing session open while you test the change, since this rejects every key that is not an sk type, including your own fallback keys. (OpenSSH 8.5 and later call this option PubkeyAcceptedAlgorithms; the old name is still accepted as an alias.)

PubkeyAcceptedKeyTypes sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519@openssh.com

Alternatives for Yubikeys

  1. SoloKeys: open-source hardware and firmware U2F keys