I'm really excited to see more and more people talk about FIDO2. If you're interested in this topic, I gave a talk about it yesterday: <a href="https://news.ycombinator.com/item?id=23689606" rel="nofollow">https://news.ycombinator.com/item?id=23689606</a>
EDIT: I misunderstood the post, and what I describe below is not true!<p>I'm incredibly excited about FIDO2, but this is quite underwhelming honestly. I'd like to SSH with a credential on my YubiKey, not by a credential or configuration <i>already stored on my computer</i> that is unlocked by my YubiKey. I'd like to be able to plug in my YubiKey anywhere and go. My Linux desktop, my MacBook, my Windows desktop, my Android phone.<p>- YubiKey with GPG/PIV for SSH: your YubiKey stores your private key. You can take it anywhere, plug it in, [have to go through all the setup required for your computer to talk GPG/PIV], and log in.<p>- YubiKey with FIDO2 for SSH: your YubiKey stores a symmetric key to unlock your private key on your computer. [You <i>cannot</i> take it anywhere], plug it in, don't have to set anything up if your client and server have this (eventually), and log in.<p>FIDO2 is solving a lot of authentication convenience problems, but not this one I think. I get that this is pretty nice when integrating with Windows Hello or Apple's TouchID, but I don't think a FIDO2 USB key with SSH is that great.
I managed to make this work today as described in the article, after installing and configuring the software dependencies.<p>Client-side hardware dependencies:<p>* USB token with U2F (FIDO) support. FIDO2 is optional. Any old YubiKey or similar will work.<p>* For the resident key feature only: USB token with FIDO2 support.<p>* To avoid confusion, only a single USB token should be connected when ssh-keygen is run. (When ssh is run, multiple USB tokens work, the user can touch the wrong one many times, and authentication succeeds after the user touches the right one.)<p>* ED25519 support in the token is optional. (`ssh-keygen -t ecdsa-sk ...' uses the NIST P-256 curve, which works with all U2F tokens.)<p>Client-side software dependencies:<p>* For communicating with the token over USB, OpenBSD or (Linux with udev).<p>* OpenSSH 8.2p1 or later.<p>* OpenSSH client (ssh) compiled with `configure --with-security-key-builtin'. Without this, eventually authentication will fail locally with `internal security key support not enabled'. It's possible to work around this by compiling an .so file and specifying it with `ssh -o SecurityKeyProvider=....so', but it's complicated.<p>Server-side software dependencies:<p>* OpenSSH 8.2p1 or later.<p>* Default OpenSSH server (sshd) settings (without PubkeyAcceptedKeyTypes), or PubkeyAcceptedKeyTypes in /etc/ssh/sshd_config containing sk-ecdsa-sha2-nistp256@openssh.com and (optionally, for ed25519-sk keys) sk-ssh-ed25519@openssh.com .
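An added example, not part of the comment above: a shell check of the two software requirements it lists, the OpenSSH version (8.2 or later) and whether a given sshd_config still accepts the sk- key types. The function names and the sample config are constructed for illustration; Match blocks and Include files are not followed.

```shell
#!/bin/sh
# ssh_version_ok "<banner>": succeeds if the banner reports OpenSSH 8.2 or later.
# Typical call: ssh_version_ok "$(ssh -V 2>&1)"
ssh_version_ok() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2              # not an OpenSSH banner
    set -- $ver                            # $1 = major, $2 = minor
    [ "$1" -gt 8 ] || { [ "$1" -eq 8 ] && [ "$2" -ge 2 ]; }
}

# sshd_accepts <sshd_config> <key-type>: succeeds if the key type is accepted.
sshd_accepts() {
    # Keywords are case-insensitive and the first occurrence wins.
    # OpenSSH 8.5 renamed the keyword to PubkeyAcceptedAlgorithms.
    list=$(awk 'tolower($1) ~ /^pubkeyaccepted(keytypes|algorithms)$/ \
                { print $2; exit }' "$1")
    [ -n "$list" ] || return 0             # unset: built-in defaults apply
    case $list in
        +*|^*) return 0 ;;                 # list is added to the defaults
        -*)    mode=remove; list=${list#-} ;;
        *)     mode=explicit ;;
    esac
    found=1
    old_ifs=$IFS; IFS=,; set -f            # split on commas, no file globbing
    for pat in $list; do
        case $2 in $pat) found=0 ;; esac   # entries may use * and ? wildcards
    done
    set +f; IFS=$old_ifs
    if [ "$mode" = remove ]; then [ "$found" -ne 0 ]; else [ "$found" -eq 0 ]; fi
}

# Constructed sample: a config that pins key types and omits the sk- ones.
sample=$(mktemp)
printf '%s\n' '# constructed sample' \
    'PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-512' > "$sample"
if sshd_accepts "$sample" sk-ecdsa-sha2-nistp256@openssh.com; then
    echo "sk-ecdsa keys accepted"
else
    echo "sk-ecdsa keys rejected: add the type to PubkeyAcceptedKeyTypes"
fi
rm -f "$sample"
```

On a live server, the output of `sshd -T` (the effective configuration) can be saved to a file and passed to `sshd_accepts` in place of the raw config.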
I was able to get this going, but it took a while as I use a non-standard working mode.<p>All of the docs I have read assume that you are logged in locally on the system, but if you are not (like me) then things fall apart.<p>I am running a Windows 10 desktop, and then SSH into my local Linux box from Windows. Both systems are sitting next to me and I can press the YubiKey easily.<p>My local Linux system is running Fedora 32 and I did the following to enable a user connected via SSH to use the YubiKey.<p>Created a user group for yubikey users, which in reality only has me in it.<p>Created a /etc/polkit-1/rules.d/99-pcsc-yubikey.rules file which gives smartcard access to the 'yubikey' group. Without this, 'ykman list' would not work.<p>Created a /etc/udev/rules.d/99-yubikey.rules to give access to the 'yubikey' group. I used /lib/udev/rules.d/69-yubikey.rules as the starting point for my file. I had to add my two YubiKeys' USB IDs (lsusb to see them) as they weren't present.<p>Made sure to log out and back in to have the 'yubikey' group be active for my user. I vaguely remember a command that would do it, but I forgot it.<p>After all of that I got it to work :)
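An added sketch, not the commenter's actual files: one way the two rule files named above could look, written into a staging directory for review. The function name, the rule contents and the sample product ID are assumptions; the polkit action IDs are the ones pcsc-lite defines, and 1050 is Yubico's USB vendor ID.

```shell
#!/bin/sh
# write_token_rules <outdir> <group> <usb-product-id>...
# Product IDs are the second half of the ID column printed by lsusb.
write_token_rules() {
    out=$1; group=$2; shift 2
    [ $# -gt 0 ] || { echo "need at least one product ID" >&2; return 2; }
    # Reject anything that could break out of the quoted rule values.
    case $group in
        ''|*[!a-z0-9_-]*) echo "bad group name: $group" >&2; return 2 ;;
    esac
    pids=
    for pid in "$@"; do
        case $pid in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f]) pids="${pids:+$pids|}$pid" ;;
            *) echo "bad product ID: $pid" >&2; return 2 ;;
        esac
    done
    mkdir -p "$out" || return 1
    # polkit: members of the group may use pcscd without a local seat,
    # which is what a user logged in over SSH lacks.
    cat > "$out/99-pcsc-yubikey.rules" <<EOF
polkit.addRule(function(action, subject) {
    if ((action.id == "org.debian.pcsc-lite.access_pcsc" ||
         action.id == "org.debian.pcsc-lite.access_card") &&
        subject.isInGroup("$group")) {
        return polkit.Result.YES;
    }
});
EOF
    # udev: group read/write on device nodes of the listed tokens only.
    cat > "$out/99-yubikey.rules" <<EOF
ACTION=="add|change", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="$pids", GROUP="$group", MODE="0660"
EOF
}

# Constructed sample run: group "yubikey", one sample product ID.
demo_dir=$(mktemp -d)
write_token_rules "$demo_dir" yubikey 0407 && echo "rules written to $demo_dir"
```

Review the generated files before copying them to /etc/polkit-1/rules.d/ and /etc/udev/rules.d/; `udevadm control --reload-rules` followed by re-plugging the token applies the udev rule.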
<i>> be extra careful when using SSH forwarding (the -A option), as the server can then ask your computer to authenticate to other servers on your behalf.</i><p>That would require an extra press of the token's button for each extra authentication, right?
I've been using my YubiKey in GnuPG smartcard mode for years to do the same thing. From what I can see from this tutorial, FIDO2 seems a bit easier to set up initially, but it also seems much less widely supported at the moment. Are there other tradeoffs to consider?
Been looking forward to seeing FIDO gain traction for more use cases. I interviewed at a company where there's work being done on a FIDO-enabled smartphone approach:<p><a href="https://www.hypr.com/passwordless-ssh-linux-fido-login/" rel="nofollow">https://www.hypr.com/passwordless-ssh-linux-fido-login/</a>
Be aware literally nothing supports this unless it's your own kernel.<p>GitLab? No. GitHub? No. My gateway with a hand-built Gentoo kernel? Yes.<p>It seems functional, but you've also got to be aware that `ed25519-sk` and `ecdsa-sk` have sort of spotty support in the devices too. `ed25519-sk` does not work on a YubiKey <5, for example.