UPDATE (February 2020)
The info on this page is now here for historical reasons only. As of OpenSSH 8.1 the support for U2F/FIDO has been available in the official OpenSSH packages.
See the OpenSSH release note for more info: https://www.openssh.com/txt/release-8.2
The other day I saw some great news on the email list for the OpenSSH project. It was announced that preliminary support for U2F/FIDO2 had been added to the source repository.
This means that we will soon be able to use hardware keys like soloKey or Yubico Key to log in to SSH sessions. (If you don't know what I am talking about, then read here.)
Wanna test?
If you are like me, you would probably like to test it early. I mostly use Ubuntu Linux, so this is where I would like this to work.
To get it to work in Ubuntu (and probably most other Linux distros) you have to follow these steps:
1. Clone the openssh-portable repository: git clone https://github.com/openssh/openssh-portable
2. Build the binary (instructions also in README.md):
   - cd openssh-portable
   - autoreconf
   - ./configure
   - make && make tests
   - install into ~/.local/
3. Clone the libfido2 branch: git clone https://github.com/Yubico/libfido2
4. Build the library:
   - rm -rf build && mkdir build && cd build && cmake .. && cd -
   - make -C build
   - sudo make -C build install
5. Generate a key (remember to have your security key inserted):
   - export SSH_SK_PROVIDER=/usr/local/lib/libsk-libfido2.so # or other location where it is installed
   - ssh-keygen -t ecdsa-sk # sk in the name means "security key"
   - …you will have to press the button on your security key
   - Your key pair will be in ~/.ssh/id_ecdsa_sk and can be used as a normal ssh key, so id_ecdsa_sk.pub can be copied to your server's authorized_keys file
6. Follow steps 1-4 on the server as well (this is a new key type, so both sides need to support it).
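Once id_ecdsa_sk.pub entries start landing in authorized_keys files, it helps to see which entries are actually security-key backed. The following is an added example, not part of the original post or of OpenSSH: it goes slightly beyond the steps above by decoding each key blob and reporting its type and FIDO application string. It assumes the public key layout documented in OpenSSH's PROTOCOL.u2f; the function names and the sample lines are constructed for illustration.

```python
import base64
import struct

SK_ECDSA = "sk-ecdsa-sha2-nistp256@openssh.com"  # key type inside an id_ecdsa_sk.pub

def _fields(blob):
    """Split an SSH wire blob into its uint32-length-prefixed fields."""
    out, pos = [], 0
    while pos < len(blob):
        (n,) = struct.unpack(">I", blob[pos:pos + 4])  # struct.error if truncated
        end = pos + 4 + n
        if end > len(blob):
            raise ValueError("field runs past end of blob")
        out.append(blob[pos + 4:end])
        pos = end
    return out

def audit_authorized_keys(text):
    """Return (line_no, key_type, hardware_backed, application) per key line."""
    report = []
    for line_no, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # Options may precede the key, so accept the first token pair where the
        # blob decodes and its embedded type matches the declared type.
        for declared, b64 in zip(tokens, tokens[1:]):
            try:
                fields = _fields(base64.b64decode(b64, validate=True))
            except (ValueError, struct.error):  # not base64 / malformed blob
                continue
            if fields and fields[0] == declared.encode():
                hardware = declared.startswith("sk-")
                # Assumption (PROTOCOL.u2f layout): application is the last field.
                app = fields[-1].decode(errors="replace") if hardware else None
                report.append((line_no, declared, hardware, app))
                break
    return report

def _pack(*parts):
    return b"".join(struct.pack(">I", len(p)) + p for p in parts)

# Constructed sample: placeholder bytes, not real keys.
_SK = _pack(SK_ECDSA.encode(), b"nistp256", b"\x04" + b"\x11" * 64, b"ssh:")
_RSA = _pack(b"ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xc3" * 16)
SAMPLE = ("# constructed sample\n"
          "ssh-rsa " + base64.b64encode(_RSA).decode() + " old-laptop\n"
          "no-port-forwarding " + SK_ECDSA + " " + base64.b64encode(_SK).decode() + " solokey\n")
```

Calling audit_authorized_keys() on the contents of a real authorized_keys file lists which accounts still accept keys that are not bound to a hardware token.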
That should basically be it. It took me a bit of time to get the dependencies for building libfido2 in my setup, but eventually I got them all in (everything is available in apt, so it should be fairly easy if you – unlike me – read the readme with the list of dependencies).
Let me know how it works for you. Hopefully we will get this into the official release of libfido2 and OpenSSH soon.
Matthias
February 14, 2020 @ 18:25
Thanks for the instructions.
As of 2ba6c6afe in libfido2, the libsk-libfido2.so is gone. It’s supposedly moved to the openssh tree, but I can’t see it there.
My solution was to go back to the versions that were available on November 4, when you posted, i.e.
openssh b236b27
libfido2 96cff7d
Jeff Singleton
February 20, 2020 @ 16:20
There is also a dependency for libcbor and also there is no libsk-libfido2.so file anywhere on my system after following your guide.
Kim Schulz
September 1, 2020 @ 08:36
It seems like it was removed from libfido2 recently. I will try to figure out where it has gone.
Frank Sharkey
July 6, 2020 @ 23:56
The command “install into ~/.local/” does not appear to be a valid Ubuntu command.
Kim Schulz
July 7, 2020 @ 06:42
Not if you literally write that as a command. Else it should work, as this is what I use in Ubuntu.