UPDATE (February 2020)

The info on this page is now here for historical reasons only. As of OpenSSH 8.1, support for U2F/FIDO has been available in the official OpenSSH packages.

See the OpenSSH release notes for more info: https://www.openssh.com/txt/release-8.2

The other day I saw some great news on the email list for the OpenSSH project. It was announced that preliminary support for U2F/FIDO2 had been added to the source repository.

What this means is that we will soon be able to use hardware keys like soloKey or Yubico Key to log in to SSH sessions. (If you don't know what I am talking about, then read here.)

Wanna test?

If you are like me, you would probably like to test it early. I use mostly Ubuntu Linux so this is where I would like this to work.

To get it to work in Ubuntu (and probably most other Linux distros) you have to follow these steps:

  1. Clone the openssh-portable repository: git clone https://github.com/openssh/openssh-portable
  2. Build the binary (instructions also in README.md):
    • cd openssh-portable
    • autoreconf
    • ./configure
    • make && make tests
    • install into ~/.local/
  3. Clone the libfido2 branch: git clone https://github.com/Yubico/libfido2
  4. Build the library
    • rm -rf build && mkdir build && cd build && cmake .. && cd -
    • make -C build
    • sudo make -C build install
  5. Generate a key (remember to have your security key inserted):
    • export SSH_SK_PROVIDER=/usr/local/lib/libsk-libfido2.so # or other location where it is installed
    • ssh-keygen -t ecdsa-sk # "sk" in the name means "security key"
    • …you will have to press the button on your security key
    • Your key pair will be in ~/.ssh/id_ecdsa_sk and can be used as a normal SSH key, so id_ecdsa_sk.pub can be copied to your server's authorized_keys file
  6. Follow steps 1-4 on the server as well (this is a new key type, so both sides need to support it).
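Once id_ecdsa_sk.pub has been copied to a server, it is useful to confirm which authorized_keys entries are actually the new security-key type. The following is an added example, not code from the original post or from the OpenSSH project: it parses the sk-ecdsa-sha2-nistp256@openssh.com public key blob (key type, curve name, EC point, application string, as laid out in OpenSSH's PROTOCOL.u2f) and separates those entries from ordinary keys. The function names and the sample key line are constructed for illustration, and entries are assumed to carry no options prefix.

```python
import base64
import struct

SK_ECDSA = "sk-ecdsa-sha2-nistp256@openssh.com"

def read_string(buf, off):
    """Read one SSH wire 'string': uint32 big-endian length, then bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[off + 4:end], end

def parse_sk_ecdsa(line):
    """Parse one public-key line; return a dict, or None if not an ecdsa-sk key."""
    # Assumption: the line starts with the key type (no authorized_keys options).
    parts = line.split()
    if len(parts) < 2 or parts[0] != SK_ECDSA:
        return None
    blob = base64.b64decode(parts[1], validate=True)
    ktype, off = read_string(blob, 0)
    curve, off = read_string(blob, off)
    point, off = read_string(blob, off)
    app, off = read_string(blob, off)
    if ktype != SK_ECDSA.encode() or off != len(blob):
        raise ValueError("blob does not match declared key type")
    if curve != b"nistp256" or len(point) != 65 or point[0] != 4:
        raise ValueError("unexpected curve or point encoding")
    return {"curve": curve.decode(), "application": app.decode(),
            "comment": " ".join(parts[2:])}

def audit(authorized_keys_text):
    """Split entries into hardware-backed (ecdsa-sk) and everything else."""
    sk, other = [], []
    for raw in authorized_keys_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        info = parse_sk_ecdsa(line)
        (sk if info else other).append(info or line.split()[0])
    return sk, other

def demo_line(app=b"ssh:", comment="demo@host"):
    """Constructed sample key line (dummy point bytes, not a real key)."""
    fields = [SK_ECDSA.encode(), b"nistp256", b"\x04" + b"\x11" * 64, app]
    blob = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return f"{SK_ECDSA} {base64.b64encode(blob).decode()} {comment}"
```

Call audit() on the contents of an authorized_keys file; the second list it returns names the key types that are not bound to a hardware token.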

That should basically be it. It took me a bit of time to get the dependencies for building libfido2 in my setup, but eventually I got them all in (everything is available in apt, so it should be fairly easy if you, unlike me, read the README with the list of dependencies).

Let me know how it works for you. Hopefully we will get this into the official release of libfido2 and OpenSSH soon.