Answer is simple – Security! Alternatives include storing private keys directly on a workstation – which makes them poorly protected in multitude of attacks. A better option is to use encrypted usb key but leaving inserted and unsealed usb key for a long time is insecure, while inserting it and removing it back and forth all the time is tedious.
YubiKey suits much better for this purpose by making your SSH keys much more secure while maintaining a great user experience.
YubiKey is a hardware security key which provides Universal 2nd Factor (U2F) cryptographic tokens through a USB and/or NFC interface. This means you have to explicitly authorize a new SSH session by tapping the YubiKey. The private SSH key should be useless to a malicious user who does not have access to the physical YubiKey on which the second private key is stored.
The benefit of using a device like this including eliminating phishing, password theft, authentication replay, and lots of other attacks. Since the device authenticates to a specfic realm (server address/URL/etc), an attacker can’t reuse one site’s authentication on another site, which makes phishing impossible. Nobody can steal your password or private key either, since it’s on the device itself and extracting it is impossible. The only plausible attack is physical theft with the device, which is mitigated by making the device ask for a PIN or fingerprint and wiping itself after a few wrong attempts.
Essentially it is like a physical key to the digital world. Just as you use a key to open your front door, you should use this key to gain access to your servers over SSH. You just need to remember to take it with you, and don't lose it!
While it has long been possible to use the YubiKey for SSH via the OpenPGP or PIV features, on Feburary 14th 2020, the OpenBSD team released OpenSSH 8.2 which now supports FIDO (Fast Identity Online) U2F security keys. The direct support in OpenSSH makes it easier to set up, more portable, and it works with any U2F or FIDO2 security key – even older ones.
-
You must have SSH version 8.2 or greater on the client (your computer) and the server (the remote Linux system).
-
ed25519-sk key-pair is only supported by new YubiKeys with firmware 5.2.3 or higher which supports FIDO2. This means YubiKeys with firmware below 5.2.3 are only compatible with ecdsa-sk key-pairs. If possible, generate an ed25519-sk SSH key-pair .
-
It is strongly recommended to use two keys: one primary and one as backup in case the primary gets broken, lost and/or compromised. That's why you should be provided with two keys and one of them will always needs to be stored securely in the office. Therefore, always generate two key-pairs and add them to servers you want to SSH to.
Verify that your YubiKey is genuine and is working correctly: https://www.yubico.com/genuine
It is recommended that you set up a PIN before you add services to your YubiKey. The default pin on Yubikeys is 123456 and 12345678 for the PUK.
Use the YubiKey Manager: https://www.yubico.com/support/download/yubikey-manager It allows PIN setup, to enable/disable functionalities and provides a quick way to identify the model, firmware and serial number of your YubiKey.
If you blocked or lost your PIN, you can reset it with PUK code or you can reset the device: https://developers.yubico.com/PIV/Guides/Device_setup.html
Discoverable Credential or Resident keys means that the key is effectively retrievable from the token (it doesn’t actually get the key - it’s a handle that lets one use the hardware key on the device). The private key and associated metadata is stored in persistent memory on the authenticator, instead of encrypted and stored on your computer.
Take note: storing both parts of a key on a hardware security key increases the likelihood of an attacker being able to use a stolen token device. Do not place the private key on the YubiKey unless you need it. If you do, change the default PIN before creating any resident keys.
$ ssh -V
If your OpenSSH version is older then 8.2 - update it. If newer version isnt avalable in your package manager, you can compile OpenSSH 8.2p1 portable from source:
$ sudo apt-get update && sudo apt-get upgrade -y
$ sudo apt-get install gcc libssl-dev libcbor-dev zlib* make
$ sudo apt-add-repository ppa:yubico/stable
$ sudo apt-get update -y
$ sudo apt-get install libfido2-dev
$ cd /usr/local/src
$ wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.2p1.tar.gz
$ tar -zxvf openssh-8.2p1.tar.gz
$ cd /usr/local/src/openssh-8.2p1
$ ./configure --prefix=/usr --with-security-key-builtin
$ make && make install
You will need to configure the SSH server to use the sk (Security Key) that you will create later. Open your SSH server’s configuration in a text editor:
$ nano /etc/ssh/sshd_config
Then add this line that includes both of the ed25519-sk and ecdsa-sk keys:
PubkeyAcceptedKeyTypes sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com
Finally, restart SSH service
$ systemctl restart ssh
Plug in your security key and run the command:
$ ssh-keygen -t ed25519-sk
The option -t ed25519-sk instructs OpenSSH to create key on a security key instead of a traditional private key file. But this newer and more secure protocal is not supported by all security keys, so if you get this error: Key enrollment failed: requested feature not supported - then your Yubikey’s firmware is too old and does not support ed25519-sk keys. Create an ecdsa-sk key pair instead:
$ ssh-keygen -t ecdsa-sk
This will create two files in your ~/.ssh/ directory:
id_ed25519_sk.pub
id_ed25519_sk (DO NOT SHARE THIS FILE WITH ANYONE)
The first is .pub, which is a normal OpenSSH public key file whose contents you’ll need to paste into the server where you want to login. The second would usually contain the corresponding private key, but in this case it instead contains a “key handle” that references your security key.
Generate key with additional parameters:
$ ssh-keygen -t ed25519-sk -O resident
This works the same as before, except a private part of resident key is easier to import to a new computer because it can be loaded directly from the security key. To use the SSH key on a new computer, make sure you have ssh-agent running and simply run:
$ ssh-add -K
This will load a “key handle” into the SSH agent and make the key available for use on the new computer and you will be able to connect to servers immediately. This works great for short visits, but it won’t last forever – you’ll need to run ssh-add again if you reboot the computer, for example. To import the key permanently, instead run:
$ ssh-keygen -K
This will write two files into the current directory. Move the private key file into your SSH directory and add it this identity file to the ssh config: https://linuxize.com/post/using-the-ssh-config-file
You need to place the contents of your public key into the ~/.ssh/authorized_keys file on your server:
$ ssh-copy-id -i ~/.ssh/id_ed25519_sk.pub user@server
OR:
-
manually get the contents of your public key:
$ cat ~/.ssh/id_ed25519_sk.pub -
log into your server and open the authorized_keys file:
$ nano ~/.ssh/authorized_keys -
paste the public key line into the file, save and exit.
Finally disable the password based login on your server. First add yourself to sudoers files, otherwise, you will not able to login as root later on. Then check that you can login to the server using new keys.
If so, edit /etc/ssh/sshd_config file:
ChallengeResponseAuthentication no
PermitRootLogin no
Save, exit and restart ssh service:
$ systemctl restart ssh
You can now either use the key directly temporary with IdentityFile switch -i:
$ ssh -i ~/.ssh/id_ed25519_sk user@server
Or load it into your SSH agent for a whole session:
$ ssh-add ~/.ssh/id_ed25519_sk
After this you can login in to SSH in the regular way:
$ ssh user@server
Before you can log into the remote system your Yubikey will start to flash its LED prompting you to tap it. After you tap your key you will be able to log in.
Don't forget to secure your sensitive online services like Google, Dropbox, Slack, LastPass or Bitwarden password managers with your new security keys too!
https://github.com/FiloSottile/yubikey-agent
If your server doesnt support newer OpenSSH versions or you have problems setuping it in native way, you can use yubikey-agent as alternative: it is a seamless ssh-agent for YubiKeys.
- Easy to use. A one-command setup, one environment variable, and it just runs in the background.
- Indestructible. Tolerates unplugging, sleep, and suspend. Never needs restarting.
- Compatible. Provides a public key that works with all services and servers.
- Secure. The key is generated on the YubiKey and can't be extracted. Every session requires the PIN, every login requires a touch. Setup takes care of PUK and management key.
Just setup it via Windows subsystem for Linux (WSL 2).
You can also use it directly in Windows with PGP encryption via PuTTY. You can find instructions here: https://worklifenotes.com/2019/07/05/yubikey-for-ssh-on-windows-complete-walkthrough
Some services which doest support security keys, allow 2FA with an Time-based One-Time Passwords (TOTP) codes instead. Typically they are used with apps like Google Authenticator, LastPass Authenticator or Authy. You can use your key with official Yubico Authenticator app to replace them and securely store your credentials on a YubiKey opposed to your mobile phone, so that your secrets cannot be compromised.