SSH is the default method for systems administrators to log into remote Linux systems. Traditionally, SSH keys are secured with a passphrase. This situation can be improved upon by enforcing a second authentication factor, a Yubikey, using OpenSSH's built-in support for FIDO/U2F security keys.
After you do this, only someone with both the passphrase and the physical Yubikey will be able to use the SSH key pair to log into your Linux system: the private key is generated on the Yubikey and never leaves it, and every login requires a touch of the key.
This guide is a quick start to using a Yubikey with SSH.
Software Versions
You must have OpenSSH version 8.2 or greater on both the client (your laptop) and the server (the remote Linux system); support for FIDO/U2F security keys was added in that release. ssh -V prints the installed OpenSSH version on either machine.
You will also need Yubikey firmware 5.2.3 or newer if you want to use an ed25519-sk key. If your firmware is older, use an ecdsa-sk key instead.
You can check your Yubikey's firmware version with the following command (plug the key in first; lsusb reports the firmware in the bcdDevice field, so 5.43 means firmware 5.4.3). If the ykman tool is installed, ykman info prints the firmware version as well:
lsusb -v 2>/dev/null | grep -A2 Yubico | grep "bcdDevice" | awk '{print $2}'
Configure The SSH Server
Since OpenSSH 8.2, sshd accepts sk (Security Key) key types by default, so this step is only needed if your server's configuration already restricts the accepted public key algorithms (for example to ed25519 only). To check, open your SSH server's configuration as root in a text editor:
nano /etc/ssh/sshd_config
If it contains a PubkeyAcceptedKeyTypes line (called PubkeyAcceptedAlgorithms from OpenSSH 8.5 on; the old name is still accepted as an alias), make sure the list includes the plain key types for both ed25519-sk and ecdsa-sk:
PubkeyAcceptedKeyTypes sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com
Note that sk-ssh-ed25519-cert-v01@openssh.com is the certificate variant of the ed25519-sk type; listing only that entry would reject a plain ed25519-sk key. Listing only the sk- types, as above, also means that ordinary on-disk keys are no longer accepted. That is a good way to make the Yubikey mandatory for everyone, but do not do it until you have confirmed a working sk login and have a console or other fallback.
Finally, check that the file still parses (sshd -t reports any error; a broken config stops sshd from coming back up) and restart SSH:
systemctl restart ssh
On RHEL and Fedora based systems the unit is called sshd rather than ssh.
Create A Key pair
Create an ecdsa-sk key pair with the following command (the Yubikey must be plugged in; ssh-keygen will ask you to touch it and then for a passphrase):
ssh-keygen -t ecdsa-sk
Use this command to create an ed25519-sk key pair instead:
ssh-keygen -t ed25519-sk
If you get the error Key enrollment failed: requested feature not supported, then your Yubikey's firmware is too old and does not support ed25519-sk keys. Create an ecdsa-sk key pair instead.
This command will place the new key pair into ~/.ssh/ as either:
id_ecdsa_sk.pub
id_ecdsa_sk
Or:
id_ed25519_sk.pub
id_ed25519_sk
The file without the .pub extension is not a private key in the usual sense: it holds a key handle that is only usable together with the Yubikey that created it. It still deserves a passphrase and the usual 600 permissions, but on its own it cannot be used to log in.
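As an added example (not code from the original guide), here are the Software Versions checks and the ed25519-sk versus ecdsa-sk choice from the two sections above, scripted for the client. The function names, the way the firmware version is taken from lsusb's bcdDevice field, and the file name passed to ssh-keygen -f are my assumptions; the version thresholds (OpenSSH 8.2, firmware 5.2.3) are the ones stated above.

```shell
#!/bin/sh
# Added example: pre-flight checks before enrolling a FIDO2 (sk) SSH key.
# Not part of the original guide. Assumptions: minimum versions as stated in the
# guide (OpenSSH 8.2, YubiKey firmware 5.2.3); lsusb reports the firmware as
# bcdDevice, e.g. "5.43" for firmware 5.4.3.

MIN_OPENSSH=802   # 8.2   encoded as major*100 + minor
MIN_YK_FW=523     # 5.2.3 encoded like bcdDevice with the dot removed

# openssh_version_ok "<output of ssh -V>": 0 if the build is OpenSSH 8.2 or newer,
# 1 if it is older, 2 if the string is not an OpenSSH banner at all.
openssh_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver                       # $1=major $2=minor
    [ $(( $1 * 100 + $2 )) -ge "$MIN_OPENSSH" ]
}

# yubikey_fw_ok "<bcdDevice>": 0 if the firmware is 5.2.3 or newer (ed25519-sk works),
# 1 if it is older (fall back to ecdsa-sk), 2 if the value is not a bcdDevice field.
yubikey_fw_ok() {
    bcd=$(printf '%s\n' "$1" | sed -n 's/^\([0-9]\)\.\([0-9][0-9]\)$/\1\2/p')
    [ -n "$bcd" ] || return 2
    [ "$bcd" -ge "$MIN_YK_FW" ]
}

# recommended_key_type "<bcdDevice>": prints the argument for ssh-keygen -t.
recommended_key_type() {
    case "$1" in
        [0-9].[0-9][0-9]) ;;
        *) echo "unrecognised bcdDevice value: $1" >&2; return 1 ;;
    esac
    if yubikey_fw_ok "$1"; then echo ed25519-sk; else echo ecdsa-sk; fi
}

# enroll_key "<bcdDevice>" [comment]: create the key pair this firmware supports.
# Needs the YubiKey plugged in; ssh-keygen prompts for a touch and a passphrase.
enroll_key() {
    ktype=$(recommended_key_type "$1") || return 1
    # ed25519-sk -> ~/.ssh/id_ed25519_sk, ecdsa-sk -> ~/.ssh/id_ecdsa_sk (assumed file names)
    ssh-keygen -t "$ktype" -f "$HOME/.ssh/id_${ktype%-sk}_sk" -C "${2:-$(whoami)@$(hostname)}"
}

# preflight: the live checks on the client (needs ssh and lsusb on PATH).
preflight() {
    banner=$(ssh -V 2>&1)
    openssh_version_ok "$banner" || { echo "OpenSSH 8.2+ required, found: $banner" >&2; return 1; }
    bcd=$(lsusb -v 2>/dev/null | grep -A2 Yubico | awk '/bcdDevice/ {print $2; exit}')
    [ -n "$bcd" ] || { echo "no YubiKey found on the USB bus" >&2; return 1; }
    echo "OpenSSH ok; YubiKey bcdDevice $bcd, use: ssh-keygen -t $(recommended_key_type "$bcd")"
}

# Run the live checks only when invoked as: sh ./sk-preflight.sh run
case "${1:-}" in run) preflight ;; esac
```

Run it with the run argument on the laptop with the Yubikey plugged in; it tells you which -t value to use, and enroll_key runs ssh-keygen with that value. The parsing functions take strings, so the thresholds can be checked without hardware present.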
Load the public key on your server
You need to place the contents of your public key into the ~/.ssh/authorized_keys file on your server. Only the .pub file leaves your laptop.
Get the contents of your public key:
cat ~/.ssh/id_ecdsa_sk.pub
or
cat ~/.ssh/id_ed25519_sk.pub
The line starts with sk-ecdsa-sha2-nistp256@openssh.com or sk-ssh-ed25519@openssh.com, which is how you can later tell hardware-backed entries apart from ordinary keys in authorized_keys.
Then log into your server and open the authorized_keys file:
nano ~/.ssh/authorized_keys
and paste the public key line into the file as a single line, save and exit. The ~/.ssh directory must be mode 700 and authorized_keys mode 600, both owned by the user, or sshd will ignore the file (StrictModes is on by default).
There is no need to restart SSH: sshd reads authorized_keys afresh on every login attempt, so the new key works immediately.
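As an added example (not the guide's own commands), the authorized_keys step above as a small script that refuses to install anything but an sk key, sets the permissions sshd insists on, and does not add the same key twice even if the comment differs. The function names and the check on the first field of the key line are my choice; the two sk key-type strings are the ones OpenSSH uses.

```shell
#!/bin/sh
# Added example: install a FIDO2 (sk) public key into a user's authorized_keys.
# Not part of the original guide. Assumes $1 is the user's home directory and
# $2 is the one-line content of id_ed25519_sk.pub or id_ecdsa_sk.pub.

# is_sk_pubkey "<key line>": 0 only for the two hardware-backed key types OpenSSH supports
is_sk_pubkey() {
    case "$1" in
        "sk-ssh-ed25519@openssh.com "*|"sk-ecdsa-sha2-nistp256@openssh.com "*) return 0 ;;
        *) return 1 ;;
    esac
}

# key_blob "<key line>": the base64 key material (second field); the trailing comment
# is ignored so the same key pasted with a different comment still counts as a duplicate
key_blob() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# install_sk_key <home> "<key line>": 0 on success or if the key was already there,
# 1 if the key is not an sk type or the files could not be created.
install_sk_key() {
    home=$1; line=$2
    is_sk_pubkey "$line" || { echo "refusing non-sk key type: ${line%% *}" >&2; return 1; }
    sshdir="$home/.ssh"; ak="$sshdir/authorized_keys"
    # sshd (StrictModes yes, the default) ignores the file if these are group/world accessible
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$ak" && chmod 600 "$ak" || return 1
    blob=$(key_blob "$line")
    if awk -v b="$blob" '$2 == b { found = 1 } END { exit !found }' "$ak"; then
        echo "key already present in $ak" >&2
        return 0
    fi
    printf '%s\n' "$line" >> "$ak"
}

# count_keys <home>: number of key lines in authorized_keys (blank and comment lines ignored)
count_keys() {
    awk 'NF >= 2 && $1 !~ /^#/' "$1/.ssh/authorized_keys" | wc -l | tr -d ' '
}
```

Run it as the target user (install_sk_key "$HOME" "$(cat id_ed25519_sk.pub)"), or as root followed by chown -R of that user's ~/.ssh; on SELinux systems run restorecon -R on ~/.ssh afterwards if the directory was just created. If you can still log in by another method, ssh-copy-id -i ~/.ssh/id_ed25519_sk.pub joe@example.com from the laptop does the copy and the permissions for you.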
Using the SSH key with your Yubikey
You can now either use the key directly with the -i switch, e.g.:
ssh -i ~/.ssh/id_ed25519_sk joe@example.com
Or load it into your SSH agent (the agent must already be running, and ssh-add will ask for the key's passphrase):
ssh-add ~/.ssh/id_ed25519_sk
Then SSH directly:
ssh joe@example.com
You can also set IdentityFile to the key in the Host entry for the server in ~/.ssh/config so that you do not have to pass -i each time.
Before you can log into the remote system your Yubikey will start to flash its LED, prompting you to tap it. After you tap the key you will be logged in. The tap authorises a single signature, so it is needed for every new connection, and neither the file on disk nor the agent can produce a signature while the Yubikey is unplugged. That also means that losing the Yubikey loses access to this key, so keep a second enrolled key or another fallback entry in authorized_keys.