
@rmtsrc
Created February 20, 2016 13:38
Enabling SSH U2F authentication

SSH authentication via U2F

Enabling SSH U2F authentication.

After some research online I've found a patch to the OpenSSH server that enables U2F authentication.

However, there are two major caveats that would stop me from using this in a production environment:

  • Security - the patch for OpenSSH has not yet been accepted/merged and currently only works against an older version of OpenSSH
  • Currently doesn't work on Mac OS, though it may become possible once Homebrew/legacy-homebrew#43676 is resolved

Setup

If anyone's interested in trying it out, here's how I set it up:

  1. Download and install:
     • VirtualBox
     • VirtualBox Extension Pack
     • Ubuntu Desktop (at the time of writing I used 15.04)

First SSH client VM

  1. In VirtualBox create a new machine, but before starting it make sure that the USB Controller has been enabled for USB 2.0 or USB 3.0 and that the machine has enough RAM and video memory to operate. Enable the second network adapter and connect it to your current network. Then attach the Ubuntu install ISO to its virtual CD drive
  2. Start the VM and follow the Ubuntu installer. Once at the Ubuntu desktop, in VirtualBox click Devices > Insert Guest Additions CD image and allow the script on the CD to run and install
  3. Following the guidance for setting up Linux for use with U2F, create the file /etc/udev/rules.d/70-u2f.rules with the contents of Yubico/libu2f-host/70-u2f.rules
  4. Run: sudo apt-get update && sudo apt-get install u2f-host autoconf zlib1g-dev libu2f-host-dev libssl-dev
  5. Download openssh-6.7p1.tar.gz and extract: tar xzf openssh-6.7p1.tar.gz
  6. From Bug 2319 - [PATCH REVIEW] U2F authentication download the attached Raw Unified Diff (dated 2014-12-25 05:52 EST)
  7. Apply the patch via: patch -p1 < your-downloaded-diff-attachment.patch
  8. Build via: rm configure && autoconf -i && ./configure --with-u2f && make && sudo make install (there might be an error about 'check-config' failing, but that seems to be ok)
  9. Shutdown

Second SSH server VM

  1. Right click the VM and clone it calling it Ubuntu SSH server and reinitialise the network addresses (I used a linked clone as it's faster and uses less memory)
  2. Boot up the clone and edit the /etc/hostname and /etc/hosts files appending -2 to the hostname
  3. Add sshd user via: sudo useradd -U -r -c 'openssh daemon' -d /usr/local/sbin -s /bin/false sshd
  4. Edit /usr/local/etc/sshd_config adding the following two lines (use publickey,u2f in place of password,u2f if you prefer):
     U2FAuthentication yes
     AuthenticationMethods password,u2f
  5. Reboot the SSH server
  6. Type ifconfig, making a note of its local network IP
  7. Start the ssh daemon via: sudo /usr/local/sbin/sshd -D and it'll wait for connections
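Editing sshd_config by hand works fine for a one-off VM, but the step above is where people get bitten when they script it, so here is an added example (my own shell script, not part of the gist or of the OpenSSH patch) that applies the two directives safely. It relies on two rules of sshd_config: for each keyword the first active occurrence wins, so blindly appending a line does nothing if the keyword is already set earlier in the file; and any directive after a Match line applies only inside that block. The sample config it edits is constructed in a temporary file and never touches the real /usr/local/etc/sshd_config.

```shell
#!/bin/sh
# Added example, not part of the gist: apply the two sshd_config directives
# from a script without the usual mistakes. Two rules of sshd_config drive
# the design: for each keyword the FIRST active occurrence wins, so blindly
# appending a line changes nothing if the keyword is already set; and any
# directive after a "Match" line applies only inside that block, so a global
# setting must be placed before the first Match.

# Print the effective global value of a keyword (empty if unset).
sshd_get_option() {
    awk -v key="$2" '
        tolower($1) == "match"      { exit }   # everything after is conditional
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Set a keyword to exactly one global value: drop every existing global
# definition (and the stock "#Keyword default" placeholder), then insert the
# new line before the first Match block, or at the end if there is none.
sshd_set_option() {
    file="$1" key="$2" value="$3"
    tmp="$file.tmp.$$"
    awk -v key="$key" -v line="$key $value" '
        !done && tolower($1) == "match" { print line; done = 1 }
        done { print; next }              # inside Match blocks: leave untouched
        tolower($1) == tolower(key) || tolower($1) == ("#" tolower(key)) { next }
        { print }
        END { if (!done) print line }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Constructed sample resembling a stock sshd_config (written to a temp file,
# never to the real /usr/local/etc/sshd_config).
write_sample_config() {
    printf '%s\n' \
        'Port 22' \
        '#AuthenticationMethods any' \
        'AuthenticationMethods publickey' \
        'Match User backup' \
        '    AuthenticationMethods publickey' > "$1"
}

# The trap: appending the gist's two lines after an existing definition.
# The first global AuthenticationMethods still wins, and the appended lines
# even land inside the "Match User backup" block.
demo_naive_append() {
    cfg=$(mktemp)
    write_sample_config "$cfg"
    printf '%s\n' 'U2FAuthentication yes' 'AuthenticationMethods password,u2f' >> "$cfg"
    sshd_get_option "$cfg" AuthenticationMethods    # prints: publickey
    rm -f "$cfg"
}

# The fix: set each keyword in place and read back the effective values.
demo_u2f_config() {
    cfg=$(mktemp)
    write_sample_config "$cfg"
    sshd_set_option "$cfg" U2FAuthentication yes
    sshd_set_option "$cfg" AuthenticationMethods password,u2f
    printf '%s %s\n' "$(sshd_get_option "$cfg" U2FAuthentication)" \
                     "$(sshd_get_option "$cfg" AuthenticationMethods)"   # prints: yes password,u2f
    rm -f "$cfg"
}

demo_naive_append
demo_u2f_config
```

After running sshd_set_option against the real file, check it with the patched binary before restarting anything: sudo /usr/local/sbin/sshd -t -f /usr/local/etc/sshd_config only parses the config and exits, so a typo shows up there instead of as a daemon that refuses to start or, worse, one that still accepts password-only logins because the U2F directive was never the first occurrence. A stock sshd would reject U2FAuthentication as an unknown keyword, which is itself a useful reminder that this only works with the patched build.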

First SSH client VM

  1. Boot the first machine back up
  2. Connect your U2F key to your computer, then attach it to the VM by clicking the USB icon (bottom right) and clicking Yubico Security Key
  3. Run ssh -o U2FMode=registration <ip-address-of-your-new-ssh-server> and enter your password; your U2F USB key should be flashing and it'll prompt you to press it
  4. If successful it will output your U2F public key, copy the output (e.g. ssh-u2f ... my security key)

Second SSH server VM

  1. Paste this public key into ~/.ssh/authorized_keys and save
  2. Restart the sshd server (e.g. sudo /usr/local/sbin/sshd -D)

First SSH client VM

  1. Run ssh <ip-address-of-your-new-ssh-server> and enter your password; you'll now be prompted to press your U2F key, then you should be logged in!

Seems to be a good working prototype 👍. It would be good to get the patch merged into OpenSSH to avoid having to build and deploy manually, and if anyone knows a more stable/secure way of setting this up, let me know!


jcaesar commented May 11, 2020

This seems to have support from upstream openssh as of 8.2. (Albeit the implementation/usage is a little bit different.)
https://www.openssh.com/txt/release-8.2
