
OpenSSH 8.4 added support for FIDO2. It's literally the same commands (with some different parameters) to take into use as a normal keypair. And FIDO2 tokens are becoming quite affordable. To me 2FA with SSH became a solved problem with that.



Could you point to a relevant article explaining that setup please?


This one had quite a lot of background, but also the needed commands: https://www.stavros.io/posts/u2f-fido2-with-ssh/

With a properly set up token, basically you only need 2 commands:

   ssh-keygen -t ed25519-sk -O resident -f ~/.ssh/id_mykey_sk
   ssh-add -K

I used a Yubikey and also needed to install 'ykman' to set a PIN for my token, otherwise ssh-add kept failing. Dunno if I omitted something for a proper setup for my token initially, but I don't think that was a problem with OpenSSH in particular.

Apart from the small headache with the PIN, the whole thing was almost magical in its simplicity.


The token must be PIN protected to be eligible for resident credentials. I think it is one of the significant differences between FIDO1 and FIDO2. I also think that you can use ed25519-sk with a non-PIN-protected token, but then you won't be able to authenticate if you can't access the generated key file (if it was deleted or on another machine).


Thanks for the info. Makes complete sense to require a PIN with resident keys, I'm glad. Now I'll need to write the article myself, with this information included :)
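Added example, not posted by anyone in the thread: the comments above cover the client side (a resident ed25519-sk key plus a PIN on the token). On the server side, sshd can itself insist on a FIDO-backed key and on user verification through the `verify-required` authorized_keys option (available since OpenSSH 8.3, an assumption stated in the code). This sh script classifies each authorized_keys entry accordingly, using constructed sample entries with placeholder key blobs, so an administrator can spot accounts that still accept plain key files or FIDO keys for which no PIN is demanded.

```sh
#!/bin/sh
# Added example (not posted in the thread): classify authorized_keys entries
# by whether they are FIDO-backed and whether sshd will demand the PIN.
# Assumes OpenSSH >= 8.3, where the "verify-required" option exists.
# Constructed sample authorized_keys content; the key blobs are placeholders.
SAMPLE_AUTHORIZED_KEYS='ssh-ed25519 AAAAC3PLACEHOLDER1 laptop-legacy
sk-ssh-ed25519@openssh.com AAAAGnPLACEHOLDER2 yubikey-resident
verify-required sk-ssh-ed25519@openssh.com AAAAGnPLACEHOLDER3 yubikey-pin
no-touch-required,verify-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInPLACEHOLDER4 yubikey-notouch
# comments and blank lines are ignored by sshd
'

# classify_key LINE -> comment | software | fido-no-pin | fido-pin | invalid
# Entry format: [options] keytype base64-blob [comment]. Options are read as
# one comma-separated field; quoted options containing spaces are not handled.
classify_key() {
    line=$1
    case "$line" in
        ''|'#'*) echo comment; return 0 ;;
    esac
    opts=''
    keytype=''
    set -f                              # no glob expansion while splitting
    for field in $line; do
        case "$field" in
            ssh-*|ecdsa-*|sk-*) keytype=$field; break ;;
            *) opts=$field ;;
        esac
    done
    set +f
    case "$keytype" in
        '')   echo invalid; return 1 ;;
        sk-*) ;;                           # FIDO-backed: needs the token present
        *)    echo software; return 0 ;;   # plain key file, no second factor
    esac
    # Only "verify-required" makes sshd insist on user verification (the PIN).
    case ",$opts," in
        *,verify-required,*) echo fido-pin ;;
        *)                   echo fido-no-pin ;;
    esac
}

# count_keys CLASS < authorized_keys -> number of entries in that class
count_keys() {
    n=0
    while IFS= read -r entry; do
        if [ "$(classify_key "$entry")" = "$1" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}
```

Run it against the sample with `printf '%s' "$SAMPLE_AUTHORIZED_KEYS" | count_keys software` (or pipe in a real `~/.ssh/authorized_keys`); any non-zero `software` or `fido-no-pin` count marks an entry that does not get the second factor the thread describes.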



