Securing SSH with the YubiKey

Secure Shell (SSH) is often used to access remote systems. It provides a cryptographically secure channel over an unsecured network. SSH uses public-key cryptography to authenticate the remote system and allow it to authenticate the user.

SSH also offers passwordless authentication. In this scenario, a public-private key pair is manually generated. The public key is placed on all remote systems and allows access to the owner of the matching private key. The owner is responsible for keeping the private key secret. Owners can secure private keys with the YubiKey by importing them or, better yet, generating the private key directly on the YubiKey. Private keys cannot be exported or extracted from the YubiKey.

The YubiKey supports various methods to enable hardware-backed SSH authentication.

PIV

The YubiKey stores and manages RSA and Elliptic Curve (EC) asymmetric keys within its PIV module. It will work with SSH clients that can communicate with smart cards through the PKCS#11 interface.

Pros:
  • Centralized management of keys

  • Standardized security policies across endpoints

  • Wide Support for PKCS#11

  • Ideal for organizations with an existing PKI deployment

Cons:
  • No chain validation of certificates

  • Each key must be revoked individually

PGP

The YubiKey stores and manages OpenPGP keys within its OpenPGP module. It will work with SSH clients that have integrated with the OpenPGP standard.

Pros:
  • Simple to manage keys on a single locally controlled machine

  • Easy to export and share public Key

  • Ideal for individual users

Cons:
  • No key recovery in event of lost YubiKeys

  • OpenPGP is not widely supported by credential management services

FIDO2

OpenSSH version 8.2p1 added support for FIDO hardware authenticators. FIDO devices are supported by the public key types “ecdsa-sk” and “ed25519-sk", along with corresponding certificate types.

ssh-keygen may be used to generate a FIDO token-backed SSH key, after which such keys may be used much like any other key type supported by OpenSSH, provided that the YubiKey is plugged in when the keys are used. YubiKeys require the user to explicitly authorize operations by touching or tapping them.

The Security Key by Yubico and the YubiKey Bio Keys support authenticating to SSH with FIDO2 credentials.

Pros:
  • Easy to register and use keys quickly

  • Configurations for both public and secured endpoints

  • Does not require a dedicated YubiKey for just SSH authentication; can use the same device with other FIDO2/WebAuthn services

Cons:
  • Not supported on Windows as of the last update to this page

  • Disabled by Apple on the bundled version of OpenSSH in MacOS as of the last update to this page.

  • No credential management support as of the last update to this page

OTP

Systems administrators can configure two factor authentication for SSH authentication using the YubiKey through the Yubico PAM module.

Pros:
  • Legacy solution with support for older versions of SSH.

Cons:
  • Not as secure as an asymmetric key based solution

  • Supporting frameworks approaching end of life in many cases