I was coworking with a friend the other day when he saw my Yubikey and asked me if I was using it to store my servers’ SSH keys.

“Can my YubiKey store SSH keys?”, I thought. And I started researching. Well, turns out it doesn’t work that way, but you can use your YubiKey (or any FIDO U2F device, for that matter) to harden your SSH login.

Here’s what we’re trying to accomplish:

  1. We try to log in to our machine with SSH

    ssh [email protected]

  2. The machine asks for YubiKey authentication, even though we have the right SSH private key

    ssh [email protected]
    > Confirm user presence for key ECDSA-SK SHA256:...

  3. You touch your YubiKey

  4. You’re in!

    ssh [email protected]
    > Confirm user presence for key ECDSA-SK SHA256:...
    > User presence confirmed

We have effectively added a second factor authentication to our SSH login using our Yubikey’s U2F capabilities.


Why would you do this?

Same reason why you add Second Factor Authentication (2FA) to any password-protected account you own.

If an attacker gets hold of your username and password, they’d be unable to log in unless they also have access to the hardware key or OTP device you use for 2FA.

Your SSH private key is kind of like a password, except that you store it on your hard drive. So anyone who hacks into your computer could access every server that accepts that private key.

I’ve been tinkering with crypto stuff lately, so my mental model is that storing your SSH private key on your hard drive is kind of like having a hot wallet. Pretty secure most of the time, but you’re done if someone gets access to your computer – which is plausible, since your computer is connected to the internet and the internet is full of bad actors. Adding multi-factor authentication with a Yubikey makes it more like a cold wallet. Part of the secret key is stored in an independent hardware device that’s not connected to the internet and that’s designed not to leak the key.

Adding a Yubikey 2FA to your SSH login is interesting for several reasons:

  • It’s resistant to data leaks / data being stolen. Even if someone gets into your computer or backups and copies the SSH private keys, they can’t access the servers.
  • It’s resistant to phishing attacks. You can’t reveal what you don’t know.
  • It’s resistant to digital hacks. The attacker would need physical access to the key.

The only possible attack would be a targeted attack. Someone would have to single you out, know which servers you access and which SSH key you use to access them, somehow steal that private key AND then get physical access to your Yubikey to gain access to the servers. It’s not impossible, but it’s definitely more secure than not having the Yubikey additional protection in place.

How to configure your Yubikey to protect your SSH login with 2FA

Time needed: 15 minutes.

To create a 2FA-enabled SSH key pair, go through the following steps:

  1. Check that you have OpenSSH 8.2 or higher both on your local machine and on your server

    Versions before OpenSSH 8.2 do not support 2FA with hardware security keys like Yubikey. To check what version you’re running, execute:

    ssh -V

    Note for macOS users: your native version of OpenSSH won’t work. You’re gonna need to install OpenSSH via homebrew:

    brew install openssh

    The reason is that, even though the bundled OpenSSH version is higher than 8.2p1, Apple has specifically compiled it with the --disable-security-key flag, making it unable to interact with Yubikeys. If you try to use the native macOS version of OpenSSH, you’ll get the following error message:

    Key enrollment failed: unknown or unsupported key type

    If your server runs Debian 10 Buster (like mine did, and many AWS Lightsail images), you’re gonna need to upgrade to Debian 11 (Bullseye).

  2. Check ssh-keygen can generate U2F keys

    Run:

    ssh-keygen --help

    and look at the types of keys it can generate. On my system, that’s: [-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa]

    The ecdsa-sk and ed25519-sk types are the only valid ones for 2FA enabled SSH key pairs. The ‘-sk’ part stands for ‘security key’.

  3. Generate an ecdsa-sk or ed25519-sk SSH key pair using ssh-keygen

    Run:

    ssh-keygen -t ed25519-sk -f ~/.ssh/securitykey

    It’ll ask you to touch your Yubikey:

    > Generating public/private ed25519-sk key pair.
    > You may need to touch your authenticator to authorize key generation.


    Just touch the metal circle and it’ll bind the SSH key pair to your Yubikey.

    When it says “Enter passphrase (empty for no passphrase)”, you can just press enter to leave it empty.

    This will generate an ed25519-sk SSH key pair named securitykey under ~/.ssh

  4. Copy your new U2F SSH public key to your server

    If you have password access to your server, you can just run

    ssh-copy-id -i ~/.ssh/securitykey.pub [email protected]

    And enter the login password when it asks you for it.

    If you’re accessing your server with a previous SSH key, you can just ssh into your server and edit the authorized_keys file

    nano ~/.ssh/authorized_keys

    Just append the contents of securitykey.pub to the end of it, save and exit.

  5. Create a backup U2F SSH key pair

    If you lose your Yubikey, you lose access to your servers. That’s why it’s recommended to have several Yubikeys as backup, so that you can still access your services in case you lose the one hardware key you usually carry around with you.

    You can’t add a second Yubikey to the SSH key pair we’ve just created, but you can create another key pair with a different Yubikey. Just repeat steps 3-4 with a different Yubikey, changing the name of the SSH key file, as in securitykey1 and securitykey2.
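
A check worth running once the new keys are in authorized_keys: sshd accepts any key listed there, so an older non-sk entry (or an sk entry carrying the no-touch-required option) still logs in without a touch. This is an added example, not code from the original post; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit authorized_keys for entries that skip the YubiKey touch.

# Constructed sample entries (placeholder blobs, not real key material).
write_sample() {
cat <<'EOF'
# constructed sample authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed old-laptop-key
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5constructed securitykey1
no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhconstructed securitykey2
command="/usr/bin/backup",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5constructed backup-job
EOF
}

# Print "LINE<TAB>VERDICT<TAB>KEYTYPE" for every key entry in file $1.
# The key type is the field right before the base64 blob, which always
# starts with "AAAA", so leading options such as command="..." are skipped.
audit_authorized_keys() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # comments and blank lines
        {
            type = ""; opts = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ /^AAAA/) { type = $(i - 1); break }
            for (j = 1; j < i - 1; j++) opts = opts " " $j
            if (type == "")                      verdict = "UNPARSED"
            else if (type !~ /^sk-/)             verdict = "BYPASS"    # no hardware key needed
            else if (opts ~ /no-touch-required/) verdict = "NO_TOUCH"  # presence check disabled
            else                                 verdict = "OK"
            printf "%d\t%s\t%s\n", NR, verdict, type
        }
    ' "$1"
}

# Number of entries that are not touch-protected security keys.
count_findings() {
    audit_authorized_keys "$1" | awk -F '\t' '$2 != "OK"' | wc -l | tr -d ' '
}

sample=$(mktemp)
write_sample > "$sample"
audit_authorized_keys "$sample"
echo "entries that log in without a touch: $(count_findings "$sample")"
rm -f "$sample"
```

To audit a real server, call audit_authorized_keys on ~/.ssh/authorized_keys instead of the sample file.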

And we’re done!

Conclusion

SSH is a secure way of accessing servers. But if your private key gets compromised, an attacker can gain access to your servers.

Adding Second Factor Authentication (2FA) with a hardware security key like Yubikey is a good option to strengthen your SSH setup, because attackers would need to get physical access to your hardware key on top of having your SSH private key.

OpenSSH >= 8.2 adds the capability of creating 2FA-compatible SSH key pairs of type ecdsa-sk and ed25519-sk.

Setting up a few 2FA-enabled SSH key pairs is pretty straightforward and can be done in just a few minutes – saving you lots of headaches in the event your computer is hacked or your private key gets leaked.

As a quick reminder – I'm rameerez, an indie software developer that's making cool stuff like Hustl or Edit used by people all around the world in 165+ countries, among cool people at companies like Google, Uber or Adobe. My work has been featured in media like Fast Company, Vox, or The Next Web.