How to Use a Yubikey with OpenSSH

Captions
Welcome back, everybody. Today we are going to be setting up SSH to use a FIDO USB authenticator, namely a YubiKey 4. As of February 2020, the OpenBSD team has released OpenSSH version 8.2, which now supports FIDO and FIDO2 U2F security keys. YubiKeys are hardened security keys that provide one-time pads through a USB interface. This means you have to explicitly authorize a new SSH session by tapping the YubiKey. The private SSH key, which is normally stored on your hard drive, should be useless to a malicious user who does not have access to the physical YubiKey on which the second private key is stored. This means that even if your SSH keys are stolen, an attacker will not be able to access your servers.

The benefit of using a device like this includes eliminating phishing, password theft, authentication replays, and a lot of other attacks. Since the device authenticates to a specific realm, such as a server address or URL, an attacker can't reuse one site's authentication on another site, which makes phishing impossible. Nobody can steal your private key either, since it's on the device itself and extracting it is likely impossible. The only plausible attack is physical theft of the device, which can be mitigated by making the device ask for a PIN or fingerprint and wiping itself after a few wrong attempts.

Another benefit of having this built into SSH is that you don't specifically need a YubiKey or to mess with extra software like a YubiKey agent, PIV mode, or anything else. You just plug any FIDO2-compatible key in and you can use it with SSH. I've tested this with a YubiKey 5, a YubiKey 4, and a SoloKey, and they all work the same. This sort of setup is ideal for hardened jump boxes that connect to your cloud infrastructure or back-end servers.

To get this set up, the first thing we need to do is make sure both the client and the server are running OpenSSH 8.2 or higher. In order to check this, you'll run the ssh -V command, and you can see what version of OpenSSH you're running.

Next we need to generate the SSH key pair. The SSH key pair can either be ecdsa-sk or ed25519-sk, which we see here; the "sk" extension stands for "security key". Note that an ed25519-sk key pair is only supported by new versions of YubiKey with firmware 5.2.3 or higher. We can check this by running this command, which I will have in the description, and you can see that on the YubiKey 4 it's version 4.3.7. So in this example we'll be using the ecdsa-sk key, which is not recommended because apparently it has an NSA back door, so when you do this in real life make sure you use the ed25519-sk key.

With that out of the way, we can generate our key pair. We're going to do this the traditional way using the ssh-keygen command, and we're going to use -t for type, and it's going to be ecdsa-sk, and then I'm going to stick this in my Desktop. Now we're going to need to touch the FIDO key. I'm going to skip the passphrase, and our key is generated. Once we've generated the key, we need to copy it over to the server, so we're going to use the ssh-copy-id command, and it's going to be the public key that we copy over, and then we're going to copy it over to the server. We've copied it over, and now we're going to test it: we're going to ssh using the identity key, so the test key; it's going to ask us to touch the key, so we're going to press it, and we're logged in, as you see.

Setting up SSH to work with two-factor authentication using a YubiKey or any other security key is quite simple, but it does have one major security consideration, and that's that the secret key is stored on a physical device that can be lost. So if you're going to do this, make sure you don't lose the key, and even better yet, set it up with a backup key: you can generate this once with one key and then go through the same process again with the second key, and take that second key and store it away in a safe or some place where it won't get lost. And remember, if you found this video helpful, be sure to like and subscribe. Thank you.
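The procedure walked through in the captions (check the OpenSSH version on both ends, generate an *-sk key pair, install the public key with ssh-copy-id, test the login), collected into one POSIX shell script as an added example. This is not code from the video or from the OpenSSH project; the function names are mine, the version-check parsing is my own, and the key-setup function assumes OpenSSH 8.2 or newer on client and server, an existing way to log in to the server (for ssh-copy-id), and a FIDO2/U2F key plugged in when it runs. The same function can be run a second time with a different key file and the backup key plugged in, which is the backup-key advice from the end of the video.

```shell
#!/bin/sh
# Added example, not from the video. Helper functions for setting up an
# OpenSSH login backed by a FIDO/U2F security key.

# openssh_supports_sk VERSION_STRING
# Takes the text printed by `ssh -V` (it looks like
# "OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f  31 Mar 2020") and
# returns 0 if the version is at least 8.2, the first release that
# understands the ecdsa-sk and ed25519-sk key types. Both the client and
# the server must pass this check. Unparseable input returns 1.
openssh_supports_sk() {
    ver=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    major=${ver%% *}
    minor=${ver##* }
    if [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; }; then
        return 0
    fi
    return 1
}

# setup_sk_key user@host [keytype] [keyfile]
# Generates a security-key-backed key pair, installs its public half on the
# server and tests the login. Hypothetical helper; it needs a FIDO key
# plugged in and an existing login to the server. The key type defaults to
# ed25519-sk (YubiKey firmware 5.2.3+); pass ecdsa-sk for older devices.
setup_sk_key() {
    target=$1
    keytype=${2:-ed25519-sk}
    keyfile=${3:-"$HOME/.ssh/id_${keytype}"}

    # ssh -V prints its version on stderr, hence the redirect.
    if ! openssh_supports_sk "$(ssh -V 2>&1)"; then
        echo "client OpenSSH is older than 8.2; cannot use $keytype" >&2
        return 1
    fi
    if ! openssh_supports_sk "$(ssh "$target" ssh -V 2>&1)"; then
        echo "server OpenSSH is older than 8.2; cannot use $keytype" >&2
        return 1
    fi

    # ssh-keygen asks you to touch the key while the key pair is created.
    # The file written to disk is only a handle; it is useless without the
    # physical key it was created on.
    ssh-keygen -t "$keytype" -f "$keyfile" -C "$keytype@$(hostname)" || return 1

    # Install the public half in the server's authorized_keys.
    ssh-copy-id -i "${keyfile}.pub" "$target" || return 1

    # Test: every new session asks for a touch on the key again.
    ssh -i "$keyfile" "$target" true
}

# Example usage (requires the hardware, so not run here):
#   setup_sk_key admin@jump.example                # primary key
#   setup_sk_key admin@jump.example ed25519-sk "$HOME/.ssh/id_ed25519_sk_backup"   # backup key
```

Run the second call with the backup key plugged in and then put that key away; both public keys end up in the server's authorized_keys, so either device unlocks the account if the other is lost.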
Info
Channel: SecureRandom
Views: 3,740
Keywords: Linux, SSH, OpenSSH, Yubikey, FIDO2
Id: QGZz_xb0fCU
Length: 5min 28sec (328 seconds)
Published: Sun Mar 07 2021