A Short Guide To Using A Yubikey For SSH Authentication

SSH is the default method for systems administrators to log into remote Linux systems. Traditionally, SSH keys are secured with a passphrase. This can be improved upon by enforcing a second authentication factor - a Yubikey.

Once this is done, only someone who holds both the passphrase and the physical Yubikey can use the SSH key pair to log into your Linux system; a copied private key file on its own is useless.

This guide is a quick start to using a Yubikey with SSH.

Software Versions

You must have OpenSSH version 8.2 or greater on both the client (your laptop) and the server (the remote Linux system); ssh -V prints the client version.

You will also need Yubikey firmware version 5.2.3 or newer if you want to use an ed25519-sk key. If your firmware is older, use an ecdsa-sk key instead.

You can check your Yubikey’s firmware version with the following command:

lsusb -v 2>/dev/null | grep -A2 Yubico | grep "bcdDevice" | awk '{print $2}'

Configure The SSH Server

You will need to configure the SSH server to use the sk (Security Key) that you will create later. Open your SSH server’s configuration in a text editor:

nano /etc/ssh/sshd_config

Then add this line so that both the ed25519-sk and ecdsa-sk key types are accepted. The leading + appends to the default list instead of replacing it, so any existing non-sk keys keep working. (OpenSSH 8.5 renamed the option to PubkeyAcceptedAlgorithms, but the old name is still accepted as an alias.)

PubkeyAcceptedKeyTypes +sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519@openssh.com

Note that sk-ssh-ed25519@openssh.com is the plain key type that ssh-keygen -t ed25519-sk produces; the sk-ssh-ed25519-cert-v01@openssh.com type only covers certificates. Finally, check the file with sshd -t and restart SSH:

systemctl restart ssh
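The version requirements above and the server-side key-type line, as an added example of checking them from a shell script (this is not from the original guide; the function names version_ge, openssh_version, ssh_supports_sk, pick_sk_type and sk_types_line_ok are my own, and all input values are constructed):

```shell
# Added example (not part of the original guide): prerequisite checks for the
# Yubikey + SSH setup above. Inputs are passed as strings so every function can
# be exercised offline with constructed values.

# version_ge A B: succeed if dotted version A >= B (compares up to 3 numeric parts,
# so 8.10 correctly ranks above 8.2 where a string compare would not)
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# openssh_version BANNER: pull "8.9" out of the line that ssh -V prints (on stderr)
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# ssh_supports_sk BANNER: sk (FIDO) keys need OpenSSH 8.2 or newer on both ends
ssh_supports_sk() {
    version_ge "$(openssh_version "$1")" 8.2
}

# pick_sk_type FIRMWARE: ed25519-sk needs Yubikey firmware 5.2.3+, else use ecdsa-sk
pick_sk_type() {
    if version_ge "$1" 5.2.3; then echo ed25519-sk; else echo ecdsa-sk; fi
}

# sk_types_line_ok < sshd_config: succeed if the PubkeyAcceptedKeyTypes line (or its
# newer alias PubkeyAcceptedAlgorithms) names the plain sk key types for BOTH
# ecdsa-sk and ed25519-sk. Listing only sk-ssh-ed25519-cert-v01@openssh.com is a
# common slip: that is the certificate type and does not admit a plain ed25519-sk key.
sk_types_line_ok() {
    types=$(awk 'tolower($1) ~ /^pubkeyaccepted(keytypes|algorithms)$/ { v = $2 } END { print v }')
    types=${types#[+^-]}   # drop a +, - or ^ list-modifier prefix if present
    case ",$types," in *,sk-ssh-ed25519@openssh.com,*) ;; *) return 1 ;; esac
    case ",$types," in *,sk-ecdsa-sha2-nistp256@openssh.com,*) ;; *) return 1 ;; esac
}

# Usage with constructed values; a real run would feed in `ssh -V 2>&1` and the
# firmware string from the lsusb pipeline in the guide.
ssh_supports_sk "OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022" && echo "client OpenSSH is new enough for sk keys"
echo "key type to enroll: $(pick_sk_type 5.4.3)"
```

On the server, `sk_types_line_ok < /etc/ssh/sshd_config` checks the line you just added; an absent line is also fine on OpenSSH 8.2+, where the sk types are already in the default list.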

Create A Key Pair

Create an ecdsa-sk key pair with the following command (ssh-keygen will ask you to touch the Yubikey during enrollment):

ssh-keygen -t ecdsa-sk

Use this command to create an ed25519-sk key pair:

ssh-keygen -t ed25519-sk

If you get the error "Key enrollment failed: requested feature not supported", your Yubikey's firmware is too old and does not support ed25519-sk keys. Create an ecdsa-sk key pair instead.

Either command places the new key pair in ~/.ssh/ as:

id_ecdsa_sk.pub
id_ecdsa_sk

Or:

id_ed25519_sk.pub
id_ed25519_sk

Load the public key on your server

You need to place the contents of your public key into the ~/.ssh/authorized_keys file on your server.

Get the contents of your public key:

cat ~/.ssh/id_ecdsa_sk.pub
or
cat ~/.ssh/id_ed25519_sk.pub

Then log into your server and open the authorized_keys file:

nano ~/.ssh/authorized_keys

Paste the public key line into the file, then save and exit.

Then restart SSH:

systemctl restart ssh.service

Using the SSH key with your Yubikey

You can now either use the key directly with the -i switch, e.g.:

ssh -i ~/.ssh/id_ed25519_sk joe@example.com

Or load it into your SSH agent:

ssh-add ~/.ssh/id_ed25519_sk

Then SSH directly:

ssh joe@example.com

Before you can log into the remote system, your Yubikey's LED will start to flash, prompting you to tap it. After you tap the key, the login completes.