SSH login with FIDO2 authentication, using hardware devices such as YubiKey or SoloKey. OpenSSH 8.2p1 supports FIDO2 out of the box.

Prerequisites

  • Requires OpenSSH_8.2p1 or higher on both the client and the server (shipped out of the box in Ubuntu 20.04 LTS)
  • YubiKey with firmware 5.2.3 or higher; check the firmware version with:
lsusb -v 2>/dev/null | grep -A2 Yubico | grep "bcdDevice"
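A prerequisite check for the two requirements above (OpenSSH 8.2 or newer, YubiKey firmware 5.2.3 or newer), added here as an example and not part of the original page. It parses the output of `ssh -V` and of the `lsusb` pipeline above; reading lsusb's `bcdDevice 5.27` as firmware 5.2.7 (one digit each for minor and patch after the dot) is an assumption about how that BCD field is rendered.

```shell
#!/bin/sh
# Added prerequisite check for FIDO2 (ecdsa-sk) SSH keys: OpenSSH >= 8.2
# and YubiKey firmware >= 5.2.3 as reported by `lsusb -v`. The parsers take
# the command output as an argument so they can be run on constructed strings.

# ver_num "8.2p1" -> 80200, "5.2.3" -> 50203 : dotted version to an integer
ver_num() {
  v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # drop "p1" style suffixes
  IFS=. read -r a b c <<EOF
$v
EOF
  echo $(( ${a:-0} * 10000 + ${b:-0} * 100 + ${c:-0} ))
}

# openssh_ok "$(ssh -V 2>&1)" : succeeds when the client is 8.2 or newer
openssh_ok() {
  v=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9.]*\).*/\1/p')
  [ -n "$v" ] && [ "$(ver_num "$v")" -ge "$(ver_num 8.2)" ]
}

# yubikey_fw "  bcdDevice            5.27" -> "5.2.7"
# Assumption: lsusb prints the bcdDevice field as "M.mp", i.e. one digit
# each for the minor and patch level after the dot (YubiKey 5 encoding).
yubikey_fw() {
  printf '%s\n' "$1" | sed -n 's/^ *bcdDevice *\([0-9]*\)\.\([0-9]\)\([0-9]\).*/\1.\2.\3/p'
}

# yubikey_fw_ok "$(lsusb -v 2>/dev/null | grep -A2 Yubico | grep bcdDevice)"
yubikey_fw_ok() {
  fw=$(yubikey_fw "$1")
  [ -n "$fw" ] && [ "$(ver_num "$fw")" -ge "$(ver_num 5.2.3)" ]
}

# Live check against this host when run as: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
  openssh_ok "$(ssh -V 2>&1)" && echo "OpenSSH: OK" || echo "OpenSSH: too old"
  yubikey_fw_ok "$(lsusb -v 2>/dev/null | grep -A2 Yubico | grep bcdDevice)" \
    && echo "YubiKey firmware: OK" || echo "YubiKey: not found or firmware too old"
fi
```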

Setup

Generate an ecdsa-sk key on the client

ssh-keygen -t ecdsa-sk

# Output
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator: [FIDO2-PIN]
Enter file in which to save the key (/home/dev/.ssh/id_ecdsa_sk): 
Enter passphrase (empty for no passphrase): [PASSPHRASE]
Enter same passphrase again: [PASSPHRASE]
Your identification has been saved in /home/dev/.ssh/id_ecdsa_sk
Your public key has been saved in /home/dev/.ssh/id_ecdsa_sk.pub
The key fingerprint is:
SHA256:WXYZ dev@ubuntu
The key's randomart image is:
+-[ECDSA-SK 256]--+
|   ++.=          |
|     * *         |
|  . = =          |
|   = .           |
|                 |
|                 |
|                 |
|                 |
|                 |
+----[SHA256]-----+
  • Replace [FIDO2-PIN] with the PIN of your FIDO hardware device (e.g. YubiKey)
  • Optionally add a [PASSPHRASE] for the SSH key; it protects the corresponding private key file

It is strongly recommended to use a passphrase. Otherwise anyone with physical access to the hardware device can log in.

Copy the public key to the server

# Client: Copy the public key
cat /home/dev/.ssh/id_ecdsa_sk.pub

# Server 

DigitalOcean Setup

When creating a Droplet (Ubuntu 20.04 (LTS) x64) in DigitalOcean, you are required to use a “standard” key such as RSA or ECDSA as the SSH key. DigitalOcean does not let you enter an ecdsa-sk key.

  • Create the droplet and add your standard SSH key in the Authentication section.
# Create a temporary standard key
ssh-keygen

# Replace "dev" with your username
cat /home/dev/.ssh/id_rsa.pub
  • Copy the output to DigitalOcean “New SSH Key”.
  • Create the Droplet
  • Create the FIDO2 SSH key-pair
ssh-keygen -t ecdsa-sk
cat /home/dev/.ssh/id_ecdsa_sk.pub
  • Log in to the created VM/Droplet.
  • Replace the keys
# Remove the current public key 
echo "" > /root/.ssh/authorized_keys

# Add the new ecdsa-sk key
nano /root/.ssh/authorized_keys
# 1. Remove the 

Done and it should work out of the box.

Resources

Original Blog post