
Trigat

SSH with Yubikey

05-04-2023

This guide explains how to authenticate over SSH using Yubikeys.

Language or Platform: Other

Code:

OpenSSH Setup
--------------

Both the client and the server need a version of OpenSSH that supports FIDO security keys (the ecdsa-sk and ed25519-sk key types, available from OpenSSH 8.2 onwards).

Check OpenSSH version:

ssh -V

I recommend upgrading Ubuntu 18.04 to new versions before attempting this.
I've had to completely purge and delete older OpenSSH binaries/files to get this to work on older machines.

Upgrade OpenSSH for Ubuntu 20.04 & 22.04

Refresh the package lists:

sudo apt update

Install libfido2 (https://developers.yubico.com/libfido2/), the library OpenSSH uses to talk to the Yubikey.

Ubuntu 20.04 & 22.04:

sudo apt install libfido2-1 libfido2-dev libfido2-doc fido2-tools

Fedora 34 & 35:

sudo dnf install libfido2 libfido2-devel fido2-tools

Download, build and install OpenSSH 9.1p1 with built-in security-key support (--with-security-key-builtin):

wget -c https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.1p1.tar.gz
tar -xzf openssh-9.1p1.tar.gz
cd openssh-9.1p1/
sudo apt install libpam0g-dev libselinux1-dev libkrb5-dev
./configure --with-kerberos5 --with-md5-passwords --with-pam --with-selinux --with-privsep-path=/var/lib/sshd/ --sysconfdir=/etc/ssh --prefix=/usr --with-security-key-builtin
make
sudo make install

Reboot.

Yubikey Setup
--------------

On the client machine, with the Yubikey plugged in, run:

ssh-keygen -t ecdsa-sk -O resident -f ~/.ssh/yubikey

You will be prompted to touch the Yubikey and a key pair is generated: the public key in ~/.ssh/yubikey.pub and a private key handle in ~/.ssh/yubikey (the secret itself never leaves the Yubikey). Copy the public key to the server and append it to the target user's ~/.ssh/authorized_keys.
Keep the private key file.

To SSH into the server using only the Yubikey, set "PasswordAuthentication no" in the server's /etc/ssh/sshd_config, then restart the SSH service.

On the client machine, keep the private key handle in the .ssh folder.

I've also read that you do not have to do this.  You can add your private key to the SSH agent just by running the following command on the client machine with a Yubikey:

ssh-add -K

To get your public key from the SSH agent, run:

ssh-add -L

NOTE: Loading the key from the Yubikey this way only works with resident keys (the -O resident option used above).
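The following preflight script is an added example and is not part of the original post; it covers both sections above (the OpenSSH version check and the sshd_config / authorized_keys changes). It assumes the "OpenSSH_X.Y" banner format printed by ssh -V, the sshd_config rule that the first value read for a keyword wins, and the "sk-" prefix of FIDO key types in authorized_keys. The sample config and key lines it checks are constructed in a temporary directory, so it runs offline; on a real machine point the functions at ssh -V 2>&1, /etc/ssh/sshd_config and ~/.ssh/authorized_keys instead.

```shell
#!/bin/sh
# Added example (not from the original post): preflight checks for the
# SSH-with-Yubikey setup. POSIX sh plus awk/sed, runs offline against
# constructed sample files written by write_samples below.

# 1) Does this OpenSSH version support FIDO keys (ecdsa-sk / ed25519-sk)?
#    Support arrived in OpenSSH 8.2, so parse the "OpenSSH_X.Y" token that
#    `ssh -V` prints (on stderr). Exit 0 = ok, 1 = too old, 2 = not a banner.
ssh_sk_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; }
}

# 2) Which value does sshd actually use for KEYWORD in FILE?
#    sshd keeps the FIRST value it reads for a keyword, so a
#    "PasswordAuthentication no" appended at the end of the file loses to an
#    earlier "yes". Only the global section (before the first Match block) is
#    considered. An Include seen before the keyword is flagged, because the
#    included files are parsed at that point and can supply the winning value.
#    Prints the value, or "unset" if the keyword never appears.
sshd_effective_value() {
    v=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }
        $0 == "" || substr($0, 1, 1) == "#" { next }      # blank line or comment
        {
            split($0, f, /[ \t=]+/)                      # "Key val" or "Key=val"
            k = tolower(f[1])
            if (k == "match") exit                       # conditional section starts
            if (k == "include")
                printf "warning: %s: %s is read before any %s line\n", FILENAME, f[2], key > "/dev/stderr"
            if (k == key) { print f[2]; exit }           # first value wins
        }' "$1")
    printf '%s\n' "${v:-unset}"
}

# 3) Which authorized_keys entries are hardware-backed? FIDO key types start
#    with "sk-" (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com)
#    and may be preceded by options such as "verify-required".
#    Prints "sk=N other=M".
authorized_keys_summary() {
    awk '
        /^[ \t]*(#|$)/ { next }
        { hw = 0
          for (i = 1; i <= NF; i++) if ($i ~ /^sk-(ecdsa|ssh-ed25519)/) { hw = 1; break }
          if (hw) sk++; else other++ }
        END { printf "sk=%d other=%d\n", sk + 0, other + 0 }' "$1"
}

# Constructed sample files: not a real host config, and the key blobs are fake.
write_samples() {
    cat > "$1/sshd_config" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
# PasswordAuthentication yes
PasswordAuthentication no
PubkeyAuthentication=yes
Match User backup
    PasswordAuthentication yes
EOF
    cat > "$1/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE laptop-software-key
verify-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAFAKE yubikey
EOF
}

# Demo run: the same calls a practitioner would make against the real files.
dir=$(mktemp -d)
write_samples "$dir"
ssh_sk_version_ok "OpenSSH_9.1p1, OpenSSL 3.0.2 15 Mar 2022" && echo "client OpenSSH: sk-capable"
echo "PasswordAuthentication -> $(sshd_effective_value "$dir/sshd_config" PasswordAuthentication)"
echo "KbdInteractiveAuthentication -> $(sshd_effective_value "$dir/sshd_config" KbdInteractiveAuthentication)"
echo "authorized_keys: $(authorized_keys_summary "$dir/authorized_keys")"
rm -rf "$dir"
```

Two points the checks surface: the sample config reports PasswordAuthentication as "no" but warns about the Include line above it, since a file pulled in there can set "yes" first and win; and KbdInteractiveAuthentication comes back "unset", which matters because with UsePAM enabled a keyboard-interactive prompt can still accept the account password even when PasswordAuthentication is off, so set it to no as well. For the authoritative answer on a live server, run sshd -T as root, which prints the effective configuration after all Include and Match processing. Test a Yubikey login in a second session before restarting sshd with passwords disabled.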
