
If your systems run OpenSSH 8.2 or higher, you need to check this out. With security keys, your SSH private key file can be stolen, but as long as the attacker does not also physically obtain your security key, the file alone will not get them into your critical systems. In this post, we will cover everything you need to know.
What Is SSH?
SSH stands for Secure Shell. It is one method for providing secure communication over an untrusted network and can be used for things like remote shells, file transfer, tunneling, and more.
What Are SSH Keys?
SSH keys are used for public key authentication, where a pair of cryptographic keys is used to authenticate to an SSH server. The key pair consists of a private key and a public key. The private key is kept secret by you, and the public key is added to the systems you want to gain access to.
What Is A Security Key?
A security key is a physical hardware device that performs cryptographic operations. It is typically used for authentication, often as a second factor but not exclusively. It requires physical possession (something you have), which is a different type of authentication factor from a password (something you know).
What Are SK SSH Keys?
For example, OpenSSH has the key type ed25519-sk (and an ecdsa-sk equivalent); the -sk suffix simply stands for security key. With these key types the private key never leaves the security key: the file written to ~/.ssh holds a key handle that is only useful to the authenticator that enrolled it, so the security key must be present (and, by default, touched) every time the key is used.
Introduction
With the addition of sk SSH keys to OpenSSH, SSH authentication can be taken to a new level. Unlike previous methods of using security keys for SSH, this method is dead simple. All that changes is the SSH key generation step, so if you have ever created an SSH key the process will look similar.
If your systems run OpenSSH 8.2 or higher, support should in most cases already be built in on both the client (which must be compiled with FIDO/libfido2 support) and the server. Be aware that not all Linux distributions ship this version of OpenSSH yet; distributions generally wait for a new OS release to add features, so check your version with ssh -V before starting.
YubiKeys (and FIDO2 authenticators in general) support two types of credential for SSH: discoverable credentials, which OpenSSH calls resident keys (generated with ssh-keygen -O resident), and non-discoverable credentials, which are the default. Discoverable credentials store everything needed on the authenticator, so you can log in from any system with just the YubiKey and its PIN. That is convenient, but it is riskier if the device gets stolen, so I would recommend avoiding it. This is where non-discoverable credentials shine: both your computer (holding the key handle file) and your YubiKey would need to be stolen for an attacker to have a chance, and if other precautions like full disk encryption are in use that chance is reduced further.
Requirements
- OpenSSH version 8.2 or higher for both the SSH client (built with FIDO/libfido2 support) and the SSH server
- A compatible FIDO device (for example a YubiKey)
Be Aware
For devices that support more than just FIDO, make sure to follow the manufacturer's security and configuration recommendations.
For YubiKeys this primarily means setting a FIDO2 PIN, discussed here.
If you want to use security keys for login, make sure you either have another way in or a backup FIDO device enrolled, in case your primary one is lost.
Getting Started
- Plug your FIDO-compatible security key into your computer
- Open a terminal
- Run the following command, after replacing [identifier] with a label that identifies the key being used.
ssh-keygen -t ed25519-sk -C "$(hostname)-$(date +'%d-%m-%Y')-[identifier]"
If your security key is compatible, you will be taken through the prompts below. Optional: you can set a passphrase on the SSH key, though it matters less than for a traditional SSH key because the key file is useless without the security key.
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator:
You may need to touch your authenticator again to authorize key generation.
Enter file in which to save the key (/home/user/.ssh/id_ed25519_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_ed25519_sk
Your public key has been saved in id_ed25519_sk.pub
The key fingerprint is:
SHA256:hjpti4f2xlxr/a3HtcMcHdZZ3gJU3ymjDKNA+CSWMSY hostname-06-06-2024-identifier
For reference: the key's randomart image is excluded due to length.
If it isn't compatible, you will see:
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Key enrollment failed: invalid format
- Once the key is generated, copy the public key over to the remote server you want to log in to. There are two ways to do this.
Option 1: Using ssh-copy-id. With this method, make sure to replace user@host, and the public key path if you changed it.
ssh-copy-id -i ~/.ssh/id_ed25519_sk.pub user@host
You will be prompted for your existing login credentials after running the command.
Option 2: Manually copying and pasting the key. Use this if you run into issues with ssh-copy-id or simply prefer it. First, copy the contents of the public key; if you left the name at its default, the path is:
~/.ssh/id_ed25519_sk.pub
Next, log into the destination server and open ~/.ssh/authorized_keys in your preferred text editor. Paste the key on its own line at the bottom of the file and save.
At this point you should be able to test the SSH login; you will be asked to touch the security key to complete the login.
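The following script is an added example and is not code from the original post. It wraps the enrollment procedure above into shell functions and also covers the earlier point about discoverable versus non-discoverable credentials (the -O resident flag is called out as the thing to leave off). It adds two checks a practitioner would want: parsing the ssh -V banner to confirm OpenSSH 8.2 or newer before trying to enroll, and auditing an authorized_keys file to count entries that still grant access without a security key. The script name sk-enroll.sh, the SK_ENROLL environment variable, the key path and label, and the sample authorized_keys contents are all assumptions made for the example; the hardware-backed steps only run when SK_ENROLL=1 is set, so the checks can be run on a machine with no security key attached.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the procedure above:
# check the client version, enroll a non-resident ed25519-sk key, install it
# on a host, and audit authorized_keys for legacy (non security-key) entries.
# Hardware steps run only when SK_ENROLL=1 is set (hypothetical variable).

# Return 0 if an `ssh -V` banner is OpenSSH 8.2 or newer, the first release
# with security-key (sk) support. Banner example (constructed):
#   OpenSSH_9.6p1 Ubuntu-3ubuntu13, OpenSSL 3.0.13 30 Jan 2024
ssh_supports_sk() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; }
}

# Return 0 if an authorized_keys (or .pub) line is a security-key-backed key.
# The key type may be preceded by authorized_keys options, so match anywhere.
is_sk_pubkey_line() {
    case "$1" in
        *"sk-ssh-ed25519@openssh.com "*|*"sk-ecdsa-sha2-nistp256@openssh.com "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Count keys in an authorized_keys file that do NOT require a security key.
# After migrating, this should be zero (or only a deliberate break-glass key).
count_non_sk_keys() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;   # skip blank lines and comments
        esac
        is_sk_pubkey_line "$line" || n=$((n + 1))
    done < "$1"
    echo "$n"
}

# Write a constructed sample authorized_keys file to the given path.
# The key blobs are placeholders, not real keys.
write_sample_authorized_keys() {
    cat > "$1" <<'EOF'
# constructed sample: one legacy key, two security-key-backed keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderPlaceholderPlaceholder old-laptop
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tPlaceholder hostname-06-06-2024-identifier
no-port-forwarding,no-agent-forwarding sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhPlaceholder backup-key
EOF
}

# Enroll a non-resident ed25519-sk key, install it on $2 (user@host) and
# verify that the login works using only that identity. Key path and label
# are hypothetical. Add -O resident for a discoverable credential (the post
# advises against it) and -O verify-required (OpenSSH 8.4+) to demand the
# PIN on every use rather than only at enrollment.
enroll_sk_key() {
    label="$1"; target="$2"
    keyfile="$HOME/.ssh/id_ed25519_sk"
    ssh-keygen -t ed25519-sk -f "$keyfile" -C "$(hostname)-$(date +'%d-%m-%Y')-$label"
    ssh-copy-id -i "$keyfile.pub" "$target"
    # IdentitiesOnly stops ssh from silently falling back to an older key in
    # ~/.ssh or the agent, so a successful login proves the sk key was used.
    ssh -o IdentitiesOnly=yes -i "$keyfile" "$target" 'echo sk-login-ok'
}

# Offline demonstration of the pure checks on the constructed sample.
sample=$(mktemp)
write_sample_authorized_keys "$sample"
echo "legacy keys in sample authorized_keys: $(count_non_sk_keys "$sample")"   # 1
rm -f "$sample"

# Hardware-backed steps, opt-in only.
# Usage: SK_ENROLL=1 ./sk-enroll.sh user@host mylabel
if [ "${SK_ENROLL:-0}" = "1" ]; then
    ssh_supports_sk "$(ssh -V 2>&1)" || { echo "OpenSSH 8.2+ with FIDO support required" >&2; exit 1; }
    enroll_sk_key "${2:-laptop}" "${1:?user@host required}"
fi
```

Run the audit against a real file with count_non_sk_keys ~/.ssh/authorized_keys on each server once the sk key is installed; any count above the keys you intentionally kept means a stolen key file alone would still work there. Note that ssh -V prints its banner to stderr, which is why the version check redirects 2>&1.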
Conclusion
In a time filled with security disasters and security incidents, we all need to be more conscious of our security practices than ever. If you work with servers, one way to do this is to use sk-type SSH key pairs, which require a physical security key in addition to the SSH key file. In this blog post we have discussed how to take your SSH game to the next level using security keys like the YubiKey, from what you need to know all the way to setup.

Embracing a lifelong passion for technology since childhood, CJ delved into the intricate workings of systems, captivated by the desire to understand the unknown. This innate curiosity led to his discovery of Linux, a revelation that resonated deeply. With more than 7 years of on the job experience, he’s honed his technical skills as a Geek and Senior Linux Systems Administrator.