This article originally appeared on Joshua Powers’ blog
One of the most exciting security enhancements in Ubuntu 20.04 LTS (Focal Fossa) is the ability to use the Fast Identity Online (FIDO) or Universal 2nd Factor (U2F) devices with SSH. By using a second authentication factor via a device, users can add another layer of security to their infrastructure through a stronger and yet still easy to use mechanism for authentication. Ubuntu 20.04 LTS includes this feature out of the box through the latest version of OpenSSH 8.2.
Windows-fido-bridge This repository implements an OpenSSH security key middleware that allows you to use a FIDO/U2F security key (for example, a YubiKey) to SSH into a remote server from a machine running Windows 10 and Windows Subsystem for Linux. The term WebAuthn is sometimes used instead of FIDO2, essentially WebAuthn is the web browser standard and is part of the larger FIDO2 project. OnlyKey works just like any other FIDO2 or FIDO U2F token. The first step to use a security key is to register the key and then once registered you can login to that site with the key. FIDO2 is an extension of FIDO U2F, and offers the same level of high-security based on public key cryptography. FIDO2 offers expanded authentication options including strong single factor (passwordless), strong two factor, and multi-factor authentication.
For users, once keys are in place only a tap of the device is required to log in. For administrators looking to use FIDO or U2F on the server side all that is required is a version of OpenSSH server, 8.2 or newer, that supports the new key types.
Yubikey Ssh Fido2
The new public key types and certificates “ecdsa-sk” and “ed25519-sk” support such authentication devices. General handling of private and public key files is unchanged; users can still add a passphrase to the private key. By using a second factor the private SSH key alone is no longer enough to perform authentication. And as a result a compromised private key does not pose a threat.
The following section demonstrates how users can generate new key types and use them to perform authentication. First, users have to attach a device to the system. Next, they need to generate a new key and specify one of the new types. During this process users will get prompted to tap the token to confirm the operation:
Users can then confirm whether the new private and public keys were created:
To use these keys all a user needs to do is copy the keys as they would do normally, using ssh-copy-id . This is done by ensuring the public key is added to ~/.ssh/authorized_keys file on the system they wish to connect to.
To log in to a device using the keys, a user can execute the following command:
The prompt to confirm a user’s presence will appear and wait until the user touches the second factor device.
Ssh Fido2 Login
At the time of writing this post, there is a problem with displaying the prompt when using GNOME. Please refer to the Launchpad bug for more information about the expected fix date.
Download Ubuntu 20.04 LTS (Focal Fossa).
Ubuntu cloud
Ubuntu offers all the training, software infrastructure, tools, services and support you need for your public and private clouds.