SSH, also known as Secure Socket Shell, is a network protocol that provides administrators with a secure way to access a remote computer. SSH also refers to the suite of utilities that implement the protocol. Secure Shell provides strong authentication and secure encrypted data communications between two computers connecting over an insecure network. SSH is widely used by network administrators for managing systems and applications remotely, allowing them to log in to another computer over a network, execute commands and move files from one computer to another.
Add a FIDO2 Security key by clicking Add method and choosing Security key. Choose USB device or NFC device. Have your key ready and choose Next. A box will appear and ask the user to create/enter a PIN for your security key, then perform the required gesture for the key, either biometric or touch. OpenSSH with Trezor via FIDO2 You need to have libfido2 (version 1.3.0 or above) and OpenSSH (version 8.2 or above) installed on your client. OpenSSH needs to be compiled with the -with-security-key-builtin option enabled. For the server, you just need to have OpenSSH (version 8.2 or above) installed.
SSH with Trezor[edit]
OpenSSH with Trezor via FIDO2[edit]
You need to have libfido2 (version 1.3.0 or above) and OpenSSH (version 8.2 or above) installed on your client. OpenSSH needs to be compiled with the --with-security-key-builtin option enabled. For the server, you just need to have OpenSSH (version 8.2 or above) installed.
It might take some time until these versions are packaged in your Linux distribution, but this will happen eventually. Some distributions such as Fedora, NixOS, and Debian have this functionality already in their pipeline.
Once you have everything set up properly you can issue the following command to generate a key pair backed by your hardware token (“ecdsa” stands for “elliptic curve digital signature algorithm” and “sk” stands for “security key”):
ssh-keygen -t ecdsa-sk
If you are using Trezor Model T, you should see a screen like this:
As you can see from the photo, FIDO2 relying party ID is set to ssh: and FIDO2 user ID is set to openssh.
In case you want to use a different key for every server, you can modify the FIDO2 relying party ID via the -O application flag:
ssh-keygen -t ecdsa-sk -O application=ssh:[email protected]
Once you confirm this screen, two files will be created: ~/.ssh/id_ecdsa_sk and ~/.ssh/id_ecdsa_sk.pub. The contents of the .pub file can be added to ~/.ssh/authorized_keys on the server just like you are used to. Once you do this, the OpenSSH will take care of the rest and next time you’ll try to login to that server, you’ll be prompted with the FIDO2 dialog on your device.
While following the instructions above, you might have noticed the ~/.ssh/id_ecdsa_sk file was generated in the process. This file does not contain a private key (like it usually does for other key methods), but it contains a FIDO2 credential required to reconstruct the private key inside of the hardware token. You need to keep this file on your client if you want to be able to log in from this machine.
OpenSSH with Trezor via trezor-agent[edit]
It is also possible to use the Trezor device with an SSH agent. See Apps:SSH agent.
See also NIST256P1, Ed25519
Sources:
- https://it.umn.edu/secure-shell-ssh
Openssh Fido2 How To