@BlackPropaganda
Created September 22, 2022 21:58
U2F ECDSA SSH Key Generation using Flipper Zero
#
# U2F SSH key generation and installation guide
#
# install U2F libraries on client machine
sudo apt-get install pamu2fcfg libpam-u2f
#
# Currently, only two key types support 'security keys' (sk);
# 'sk' is the notation used in the output of the
# 'ssh-keygen --help' command.
#
# The flipper only seems to support ecdsa-sk keys.
#
#
# First, plug in your flipper, launch the U2F extension
# and verify it's connected.
#
lsusb | grep U2F
# the output should look a little like this:
Bus 00x Device 00x: ID xxxx:xxxx STMicroelectronics U2F Token
# To generate the U2F-backed ecdsa-sk key pair (identity file):
#
ssh-keygen -t ecdsa-sk -f <output file>
# once the command executes, ssh-keygen will hang until you
# touch the center button of the flipper to register the key.
#
# the command output will look like this:
You may need to touch your authenticator to authorize key generation.
# once you tap the flipper, ssh-keygen will prompt for a passphrase
# for the key; this is optional. After this, the key is written
# to the output file given with -f in the ssh-keygen command above.
#
# to enable pubkey authentication, you must first log in to the server via ssh
# or log in to it physically.
ssh <user>@<target_host>
# Once the key has been generated, enable pubkey authentication on the server.
# This is done by uncommenting a line in /etc/ssh/sshd_config on the server:
sudo vi /etc/ssh/sshd_config
# or if you like nano ;)
sudo nano /etc/ssh/sshd_config
# uncomment this line in that file:
#PubkeyAuthentication yes
# create ~/.ssh inside the desired user's home directory on the server.
mkdir -p ~/.ssh; touch ~/.ssh/authorized_keys
# restart the ssh daemon on the server and go back to your host
sudo service sshd restart; exit
# on your local host, register the generated ssh key using this command
# (id_ecdsa_sk stands for the <output file> given to ssh-keygen above):
ssh-copy-id -i id_ecdsa_sk.pub <user>@<target_host>
# Then sign in with PAM. After this, you are free to
# log in to your host with:
ssh -i id_ecdsa_sk <user>@<target_host>
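#
# Added example (not part of the original gist): a server-side check that
# PubkeyAuthentication is not switched off and that authorized_keys holds
# only touch-requiring hardware-backed (sk-) keys. The function names, the
# temporary paths and the placeholder key blobs are assumptions made for
# this example.
#

```shell
#!/bin/sh
# Added example: audit the server side of the setup described above.

# Succeeds when PubkeyAuthentication is not switched off. sshd uses the first
# uncommented occurrence of a keyword (default "yes"); Match blocks are not evaluated.
pubkey_auth_enabled() {
    val=$(awk 'tolower($1) == "pubkeyauthentication" { print tolower($2); exit }' "$1")
    [ "${val:-yes}" = "yes" ]
}

# Prints one word per authorized_keys entry:
#   SK          hardware-backed key (sk-ecdsa / sk-ed25519), touch required
#   SK-NOTOUCH  hardware-backed, but the no-touch-required option waives the tap
#   SOFT        file-based key that logs in without the token
classify_keys() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            kind = "SOFT"; opts = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^sk-(ecdsa-sha2-nistp256|ssh-ed25519)@openssh\.com$/) {
                    kind = (opts ~ /no-touch-required/) ? "SK-NOTOUCH" : "SK"
                    break
                }
                opts = opts " " $i
            }
            print kind
        }' "$1"
}

# Succeeds only if there is at least one entry and every entry is SK.
only_touch_sk_keys() {
    out=$(classify_keys "$1")
    [ -n "$out" ] && ! printf '%s\n' "$out" | grep -qvx 'SK'
}

# Constructed sample data (key blobs are placeholders, not real keys).
demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
printf '%s\n' '#PasswordAuthentication yes' 'PubkeyAuthentication yes' > "$demo/sshd_config"
cat > "$demo/authorized_keys" <<'EOF'
sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDER1 user@flipper
no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDER2 user@ci
ssh-rsa AAAAPLACEHOLDER3 user@old-laptop
EOF
pubkey_auth_enabled "$demo/sshd_config" && echo "PubkeyAuthentication: on"
classify_keys "$demo/authorized_keys"
only_touch_sk_keys "$demo/authorized_keys" || echo "non-token or no-touch keys present"
```

# On a live server, 'sudo sshd -T | grep -i pubkeyauthentication' prints the
# effective global value instead of parsing the file.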