Reputation: 4584
As the title says.
We use ssh to connect to many sites and would like to move to use FIDO2/webauthn for authentication.
Is this possible? What tools do we need?
We are using Ubuntu as the client and server.
Upvotes: 2
Views: 1719
Reputation: 176
You can also leverage webauthn for ssh authentication from your browser.
If you are interested, I can recommend my ssheasy project on GitHub: https://github.com/hullarb/ssheasy. This is a WebAssembly-based ssh client running in the browser, and this way it can make use of the Web Authentication API.
On the server side you only need a fairly recent version of OpenSSH server (v8.4 or greater) and to enable the [email protected] public key algorithm in its config as described here.
Upvotes: 0
Reputation: 3426
You can achieve FIDO2-like multi-factor authentication when ssh'ing into a server if you combine a FIDO2-compatible security key with ecdsa-sk keys. The trick is to generate a new keypair with the ecdsa-sk key type (the "sk" is for "security key") and the flag that requires you to enter the security key's PIN as well:
$> ssh-keygen -t ecdsa-sk -C <email address> -O verify-required
Enter your security key's PIN when prompted, then skip the prompt to password-protect the keypair (the security key and its PIN will protect its use instead). Finally, specify the absolute file path to save the keypair to.
You'll end up with a private key and public key as you'd expect. Add the .pub file to https://github.com/settings/keys as an authentication key, then update ~/.ssh/config to tell it to use the corresponding private key:
Host github.com
IgnoreUnknown UseKeychain
AddKeysToAgent yes
UseKeychain yes
IdentityFile ~/.ssh/name-you-gave-keypair-here
To test that everything is working fine, you can attempt to ssh into GitHub:
$> ssh -T git@github.com
You should see something like this:
Hi UsernameHere! You've successfully authenticated, but GitHub does not provide shell access.
And there you have it - security key-backed multi-factor authentication for your SSH connections.
One last thing: you'll need to be using at least OpenSSH 8.2 on both server and client side, as it's the earliest version that supports ecdsa-sk keypairs.
Upvotes: 3
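The answer above enforces user verification on the client with -O verify-required; the matching server-side control is the per-key verify-required option in authorized_keys (or PubkeyAuthOptions verify-required in sshd_config, both OpenSSH 8.3+), without which sshd accepts sk- key signatures made without the PIN. The following POSIX sh audit is an added example, not code from the answer or the ssheasy project; the key blobs and comments in the sample file are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit an authorized_keys file for FIDO2 (sk-) keys that
# sshd will NOT force user verification for. Assumes OpenSSH >= 8.3, where
# the per-key "verify-required" option (or sshd_config
# "PubkeyAuthOptions verify-required") makes sshd reject signatures that
# were produced without the security key's PIN/biometric check.

# Constructed sample file; the key blobs are placeholders, not real keys.
make_sample_authorized_keys() {
  cat > "$1" <<'EOF'
verify-required sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDER1 alice@laptop
sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDER2 bob@desktop
no-touch-required,verify-required sk-ssh-ed25519@openssh.com AAAAPLACEHOLDER3 carol@yubikey
ssh-ed25519 AAAAPLACEHOLDER4 dave@oldkey
EOF
}

# Print the comment of every sk- key that lacks the verify-required option.
# Exit status: 0 if every sk- key is covered, 1 if any offending key exists.
audit_sk_keys() {
  file="$1"
  found=0
  while IFS= read -r line; do
    case "$line" in
      ''|'#'*) continue ;;          # blank line or comment
    esac
    # A line either starts with the key type, or has an options field
    # (comma separated, no spaces) before the " sk-" key type.
    case "$line" in
      sk-*)       opts=""; rest="$line" ;;
      *' sk-'*)   opts="${line%% sk-*}"; rest="sk-${line#* sk-}" ;;
      *)          continue ;;       # not a security-key key, not our concern
    esac
    case ",$opts," in
      *,verify-required,*) ;;       # sshd will insist on user verification
      *) comment="${rest##* }"
         echo "NO verify-required: $comment"
         found=1 ;;
    esac
  done < "$file"
  return $found
}
```

Run it against the real file with `audit_sk_keys /home/<user>/.ssh/authorized_keys` on the server; a non-zero exit means at least one sk- key can be used with touch only.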