Securing SSH with the YubiKey

Secure Shell (SSH) is often used to access remote systems. It provides a cryptographically secure channel over an unsecured network. SSH uses public-key cryptography to authenticate the remote system and allow it to authenticate the user.

SSH also offers passwordless authentication. In this scenario, a public-private key pair is manually generated. The public key is placed on all remote systems and allows access to the owner of the matching private key. The owner is responsible for keeping the private key secret. Owners can secure private keys with the YubiKey by importing them or, better yet, generating the private key directly on the YubiKey. Private keys cannot be exported or extracted from the YubiKey.

The YubiKey supports various methods to enable hardware-backed SSH authentication.

PIV

The YubiKey stores and manages RSA and Elliptic Curve (EC) asymmetric keys within its PIV module. It will work with SSH clients that can communicate with smart cards through the PKCS#11 interface.

PGP

The YubiKey stores and manages OpenPGP keys within its OpenPGP module. It will work with SSH clients that have integrated with the OpenPGP standard.

FIDO U2F

OpenSSH version 8.2 added support for FIDO U2F hardware authenticators. FIDO devices are supported by the public key types “ecdsa-sk” and “ed25519-sk", along with corresponding certificate types.

ssh-keygen may be used to generate a FIDO token-backed SSH key, after which such keys may be used much like any other key type supported by OpenSSH, provided that the YubiKey is plugged in when the keys are used. YubiKeys require the user to explicitly authorize operations by touching or tapping them.

To generate a FIDO token-backed SSH key, plug in the YubiKey and touch it when prompted.

ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
Generating public/private ecdsa-sk key pair.
You may need to touch your security key to authorize key generation.
Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk
Your public key has been saved in /home/djm/.ssh/id_ecdsa_sk.pub

OTP

Systems administrators can configure two factor authentication for SSH authentication using the YubiKey through the Yubico PAM module.