UPDATE (Februar 2020)
The info on this page is now here for historical reasons only. As of openSSH 8.1 the support for U2F/FIDO has been available in the official openSSH packages.
See the OpenSSH release note for more info: https://www.openssh.com/txt/release-8.2
The other day I saw some great news on the email list for the openSSH project. It was announced that preliminary support for U2F/FIDO2 had been added to the source repository.
If you are like me, you would probably like to test it early. I use mostly Ubuntu Linux so this is where I would like this to work.
To get it to work in Ubuntu (and probably most other Linux distros) you have to follow these steps:
- Clone the openssh-portable repository: git clone https://github.com/openssh/openssh-portable
- Build the binary (instructions also in README.md):
- cd openssh-portable
- make && make tests
- install into ~/.local/
- Clone the libfido2 branch: git clone https://github.com/Yubico/libfido2
- Build the library
- rm -rf build && mkdir build && cd build && cmake .. && cd –
- make -C build
- sudo make -C build install
- Generate a key (remember to have your security key inserted):
- export SSH_SK_PROVIDER=/usr/local/lib/libsk-libfido2.so #or other location where it is installed)
- ssh-keygen -t ecdsa-sk # sk in the name means “security key”
- …you will have to press the button on your security key
- Your key pair will be in ~/.ssh/id_ecdsa_sk and can be used as normal ssh key so id_ecdsa_sk.pub can be copied to your servers authorized_keys file
- follow steps 1-4 on the server as well (this is a new key-type so both sides needs to support it) .
That should basically be it. It took me a bit of time to get the dependencies for building libfido2 in my setup, but eventually I got them all in (everything is available in apt so should be fairly easy if you – unlike me – reads the readme with the list of dependencies).
Let me know how it works for you. Hopefully we will get this into the official release of libfido2 and openSSH soon.