The following section demonstrates how users can generate keys of the new types and use them to perform authentication. First, users have to attach a device to the system. Next, they need to generate a new key and specify one of the new types. During this process, users are prompted to tap the token to confirm the operation.
user@client:~$ ssh-keygen -t ecdsa-sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter file in which to save the key (/home/user/.ssh/id_ecdsa_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_ecdsa_sk
Your public key has been saved in /home/user/.ssh/id_ecdsa_sk.pub
To use these keys, all a user needs to do is copy the keys as they would do normally, using ssh-copy-id. This is done by ensuring the public key is added to the ~/.ssh/authorized_keys file on the system they wish to connect to.
user@client:~$ ssh -i .ssh/id_ecdsa_sk 10.0.100.75
*touch yubikey*
[...]
Last login: Mon Mar 30 20:29:05 2020 from 10.0.100.1
user@server:~$
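On the server side, an administrator may want to confirm which entries in ~/.ssh/authorized_keys are actually token-backed. The following is an added example, not part of the original documentation: a Python audit that parses each key blob and reports its type and, for sk- keys, the FIDO application string. The function names are hypothetical and the sample keys are constructed placeholders.

```python
import base64
import struct

def ssh_strings(blob):
    """Split an SSH wire-format blob into its length-prefixed strings."""
    out, off = [], 0
    while off < len(blob):
        n = int.from_bytes(blob[off:off + 4], "big")
        off += 4
        if off + n > len(blob):  # also catches a short length field
            raise ValueError("truncated key blob")
        out.append(blob[off:off + n])
        off += n
    return out

def classify(line):
    """Return (key_type, application) or None; application is None for non-sk keys."""
    fields = line.split()
    for name, b64 in zip(fields, fields[1:]):
        try:
            parts = ssh_strings(base64.b64decode(b64, validate=True))
        except ValueError:
            continue
        # The key type is the field repeated as the blob's first string (skips options).
        if parts and parts[0] == name.encode():
            sk = name.startswith("sk-")
            return name, parts[-1].decode(errors="replace") if sk else None
    return None

def audit(text):
    """Return [(lineno, key_type, application)] for every key line in text."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            results.append((n, *(classify(line) or ("unparsed", None))))
    return results

def wire(*items):  # helper used only to build the constructed sample below
    return b"".join(struct.pack(">I", len(i)) + i for i in items)

# Constructed sample keys (placeholder bytes, not real key material).
_SK = wire(b"sk-ecdsa-sha2-nistp256@openssh.com", b"nistp256",
           b"\x04" + bytes(64), b"ssh:")
_RSA = wire(b"ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xc3" * 256)
SAMPLE = ("sk-ecdsa-sha2-nistp256@openssh.com %s user@client\n"
          "ssh-rsa %s legacy@client\n"
          % (base64.b64encode(_SK).decode(), base64.b64encode(_RSA).decode()))

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```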