Skip to content

Instantly share code, notes, and snippets.

@BlackPropaganda
Created September 22, 2022 21:58
Show Gist options
  • Save BlackPropaganda/44c40f7855a90e289a9477b654e54eb1 to your computer and use it in GitHub Desktop.
Save BlackPropaganda/44c40f7855a90e289a9477b654e54eb1 to your computer and use it in GitHub Desktop.
U2F ECDSA SSH Key Generation using Flipper Zero
#
# U2F SSH key generation and installation guide
#
# install U2F libraries on client machine
sudo apt-get install pamu2fcfg libpam-u2f
#
# Currently, there are only two ciphers that support
# 'special keys' or (sk) this is the notation in the
# output of the 'ssh-keygen --help' command.
#
# The flipper only seems to support ecdsa-sk keys.
#
#
# First, plug in your flipper, launch the U2F extension
# and verify it's connected.
#
lsusb | grep U2F
# the output should look a little like this:
Bus 00x Device 00x: ID xxxx:xxxx STMicroelectronics U2F Token
# To generate U2F-key pair ecdsa-sk id file:
#
ssh-keygen -t ecdsa-sk -f <output file>
# once the command executes, ssh-keygen will hang until you
# touch the center button of the flipper to register the key.
#
# the command output will look like this:
You may need to touch your authenticator to authorize key generation.
# once you tap the flipper, ssh-keygen will prompt for an x509 password
# for the key, this is optional. After this, the key should be generated
# to the output file specified in the parameter in ssh-keygen found above.
#
# to enable pubkey authentication, you must first login to the server via ssh
# or login to it physically.
ssh <user>@<target_host>
# Once the key has been generated, enable pubkey authentication on the server
# this is done by uncommenting a this line in /etc/ssh/sshd_config on the server:
sudo vi /etc/ssh/sshd_config
# or if you like nano ;)
sudo nano /etc/ssh/sshd_config
# uncomment this line in that file:
#PubkeyAuthentication yes
# create ~/.ssh inside of a desired users home directory on the server.
mkdir ~/.ssh; touch ~/.ssh/authorized_keys
# reset the ssh daemon on the server and go back to your host
service sshd restart; exit
# on your local host, register the generated ssh key using this command:
ssh-copy-id -i id_ecdsa_sk.pub <user>@<target_host>
# Then sign in with PAM, after this you are free to
# login to your host with:
ssh -i id_ecdsa_sk <user>@<target_host>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment