OpenSSH 8.2 included support for Universal Two-Factor (U2F/FIDO) tokens. For the uninitiated, this is an open standard for strong crypto-based challenge/response that was championed by a consortium that includes all the folks you might expect to see there. Note that today’s FIDO is called FIDO2.
Computer Requirements
Windows Client: Windows 10 version 1903 or higher.
Linux Server: OpenSSH v8.2 at least, Ubuntu 20.04 if using Ubuntu.
- In February 2020 OpenSSH added support for FIDO U2F (Universal Second Factor) security keys. This is a great new feature, but there’s a caveat: Because this upgrade introduces new key types for security keys, you’ll only be able to use a security key if both client and server have been upgraded to OpenSSH 8.2+.
- FIDO2 resident keys - FIDO/U2F OpenSSH keys consist of two parts: a 'key handle' part stored in the private key file on disk, and a per-device private key that is unique to each FIDO/U2F token and that cannot be exported from the token hardware.
- OpenSSH U2F/FIDO support in base Contributed by rueda on 2019-11-14 from the more-than-a-token-effort- (basically) dept. Damien Miller (djm@) posted to tech@: Hi, I just committed all the dependencies for OpenSSH security key (U2F) support to base and tweaked OpenSSH to use them directly.
Prerequisites - OpenSSH
Version 8.3+ of OpenSSH is required for FIDO2 authentication to work on Windows. Unfortunately Windows typically uses an older version. As funny as it sounds, the simplest way to get the latest openSSH is to install git for windows.
Prerequisites - OpenSSH SK WinHello
Download the latest winhello.dll from the the OpenSSH SK WinHello project release page.
Copy it inside Git /usr/bin folder (C:Program FilesGitusrbin by default, or C:Users<<your_profile»AppDataLocalProgramsGitusrbin).
Creating your Credential
Launch Git Bash, then type ssh-keygen -w winhello.dll -t ecdsa-sk -f id_ecdsa_sk -O user=<<credential_identifier>>
. Approve the request on your device.
In the same git Bash window, start the ssh agent by typing eval `ssh-agent -P /usr/bin/winhello.dll`
Add the key to the agent by typing ssh-add -S /usr/bin/winhello.dll
For information, two files are created when creating your credential:
FIDO/U2F OpenSSH keys consist of two parts: a “key handle” part stored in the private key file on disk, and a per-device private key that is unique to each FIDO/U2F token and that cannot be exported from the token hardware. Adobe acrobat 9 mac download free. These are combined by the hardware at authentication time to derive the real key that is used to sign authentication challenges.
Adding the public key to your server
Only if you don’t have any public keys setup on your server, an easy way to send your public keys to your server is to type scp id_ecdsa_sk.pub <<your_user_name>>@<<your_server_hostname_or_ip>>:~/.ssh/authorized_keys
on the same git Bash window.
Openssh 8.2 Fido U2f
Login into your server with your Mini BLE
Create a config
file inside .ssh by typing vi ~/.ssh/config
. In it, enter the following contents:
then simply login into your server by typing ssh <<your_server_hostname_or_ip>>
Automatically starting ssh agent & adding key
In the bash, vi ~/.profile
and add the following contents:
A failed approach using Windows WSL2
WSL does not support USB devices connection out of the box. This is left here for reference in case this changes in the future.
Please install the Windows Subsystem for Linux Installation Guide for Windows 10 to be able to use the latest openssh. An alternative installation guide can be found here.
In case you get “Error: 0x1bc”, follow https://github.com/microsoft/WSL/issues/5651#issuecomment-663879171
If you don’t want to use the Windows store to install Ubuntu, follow these steps:
- Download ubuntu-20.04-server-cloudimg-amd64-wsl.rootfs.tar.gz on https://cloud-images.ubuntu.com/releases/focal/release/
mkdir Ubuntu_2004
wsl --import Ubuntu-20.04 Ubuntu_2004 ubuntu-20.04-server-cloudimg-amd64-wsl.rootfs.tar.gz
wsl --list
(Ubuntu-20.04 appears in the list)wsl -d Ubuntu-20.04
(logged root)adduser <my_name>
usermod -aG sudo <my_name>
exit
wsl -d Ubuntu-20.04 -u <my_name>
(logged) cd
You can then create a Windows shortcut targeting C:WINDOWSsystem32cmd.exe /C “wsl -d Ubuntu-20.04 -u
U2F is (yet another) 2/multi factor standard. Hopefully this time this one will stick. Yubikey have a nice explanation of how this works
Specifications are available at http://fidoalliance.org/specifications/download/Google has added support for the U2F keys already and now @zekjur has a patch against OpenSSH6.7p1 to add support for U2F.
There’s a bug entry up at https://bugzilla.mindrot.org/show_bug.cgi?id=2319 for this.NOTE: This code hasn’t been peer reviewed AFAIK and i’m not sure about how they’re using the appid/origin part of the U2F specs here.
Unfortunately there seems to be an issue with U2F AND PAM support, so we’ll build OpenSSH without PAM support and run it along side the current install.
So here’s how we build this sucker on a debian/ubuntu based box:First we need some build dependancies. The ubuntu packages you’ll need are: libtool gtk-doc-tools pkg-config libjson0-dev libhidapi-hidraw0 libjson0-dev libhidapi-dev autoconf zlib1g-dev gengetopt help2man libssl-dev build-essential
We’ll need libu2f-host, which will give us the U2F USB host support we need on the client side. Obviously we’ll need the client to support this as well, so you’ll have to build this locally as well. For win64 users, have some cygwin64 built binaries (Although, the key registration seems to be broken with this binary, whoops)
Grab the master branch of libu2f-host from: https://github.com/Yubico/libu2f-host and build with make ; sudo make install
Next grab the openssh6.7p1 source (Don’t forget to verify the source.) and apply the patch attached to the bug at https://bugzilla.mindrot.org/show_bug.cgi?id=2319 (You want the diff/raw unifed links.)Copy the patch to the openssh-6.7p1 directory and patch with patch -p1 <patchfilename
. It should patch without any errors.
After patching, run rm configure
to get rid of the pre-u2f patch configure file and then run autoconf -i
to rebuild it.Run the configure script with ./configure --with-u2f
(and with any other options you want/need, remembering that with the current patch, PAM may be broken)Run make ; sudo make install
. By default this will install to /usr/local/ so be careful if you’re already running your sshd from there.
If we’re not replacing our normal sshd, edit /usr/local/etc/ssh/sshd_config and change the Port option to whatever port you’d like.Also add:U2FAuthentication yesAuthenticationMethods password,u2f
to the sshd_config file. (Replacing “password” with “publickey,password” or whatever you currently use. This will still look for publickeys in ~/.ssh/authorized_keys but it WON’T use any PAM auth methods)Tweak the config however else you’d like.
Fire up the new sshd with /usr/local/sbin/sshd
, then on the client side plug in your U2F key (after you’ve built the client with U2F support, as above) and run ssh -o U2FMode=registration my.server.example -p newport > /tmp/u2f-key.pub
Openssh U2f
Login with your usual credentials and touch the U2F key when prompted. It will error out with a “Permission denied” and dump the registration info into /tmp/u2f-key.pub. The contents of this file need to go into the users ~/.ssh/authorized_keys file on the server.
Openssh U2f
Once you’ve done then, you should be able to ssh to the new sshd port with your password/publickey and it will ask you to touch your U2F security key when appropriate. Do so and it should log you in. Yay!