This guide explains how to set up YubiKey SSH Certificate Authentication to enhance server security. A YubiKey stores your SSH keys securely, ensuring private keys never leave the device, and it simplifies authentication. By following this YubiKey SSH Certificate Setup, you’ll learn to generate SSH keys, configure your server, and disable password-based logins for maximum security.
Why Choose YubiKey for SSH Authentication?
A YubiKey provides a hardware-based layer of protection, ensuring secure SSH authentication. With the ability to store SSH certificates directly on the YubiKey, it eliminates the risk of key theft or unauthorized use.
Advantages of YubiKey for SSH:
- Hardware Security: Private keys remain securely stored on the YubiKey.
- Ease of Use: Reduces the need to manage key files manually.
- Enhanced Authentication: SSH certificates allow finer control over access, including expiration dates and permissions.
Protect your accounts with the YubiKey 5 NFC! Featuring USB-A and NFC compatibility, it delivers robust two-factor authentication and FIDO2 security for unmatched peace of mind.
Step-by-Step YubiKey SSH Certificate Setup
Important Note: SSH FIDO2 Support on Debian Bookworm
Currently, Debian Bookworm does not include native support for FIDO2 in its default SSH implementation. To use FIDO2-based SSH authentication on this distribution, you need to manually compile OpenSSH with FIDO2 support enabled.
This guide has been tested and verified on Ubuntu 24.04, which includes native FIDO2 support in its default OpenSSH package. If you’re using Debian Bookworm, consider either compiling OpenSSH from source or using a compatible distribution like Ubuntu 24.04 for seamless FIDO2 functionality.
For Debian users interested in compiling OpenSSH with FIDO2 support, refer to the OpenSSH build documentation.
Step 1: Prerequisites
- YubiKey with firmware version 5.5.1 or higher.
- Install required tools:
sudo apt install fido-tools gnupg2 - Ensure you have SSH access to your server.
Step 2: Generate an SSH Key on Your YubiKey
- Create an SSH Key Pair:
ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk -O resident-t ecdsa-sk: Specifies using the YubiKey’s FIDO2 functionality.-f ~/.ssh/id_ecdsa_sk: Saves the key in the.sshdirectory.-O resident: Ensures the private key is stored securely on the YubiKey.
The public key will be saved as~/.ssh/id_ecdsa_sk.pub.
Step 3: Obtain and Store an SSH Certificate (Optional if Provided by a Certificate Authority)
- Request an SSH Certificate: Send the public key to a Certificate Authority (CA) to sign it:
scp ~/.ssh/id_ecdsa_sk.pub user@ca-server:/path/to/keys/ - Receive the Signed Certificate: After signing, the CA will return a certificate file (e.g.,
id_ecdsa_sk-cert.pub). - Store the Certificate on the YubiKey: Use the
fido2-tokentool to save the certificate as a “largeBlob” on the YubiKey:fido2-token -S -b -n ssh:demo id_ecdsa_sk-cert.pub /dev/hidraw0 - Replace
/dev/hidraw0with the correct device path for your YubiKey.
Step 4: Configure SSH Authentication on the Server
- Copy the Public Key or Certificate: Use the following command:bashCode kopieren
ssh-copy-id -i ~/.ssh/id_ecdsa_sk user@your-server - Edit
sshd_config: Open the SSH server configuration file:sudo nano /etc/ssh/sshd_config - Set the following options:
PubkeyAuthentication yesPasswordAuthentication noChallengeResponseAuthentication no - Save and restart the SSH service:
sudo systemctl restart sshd
Step 5: Verify the YubiKey SSH Login
- Test logging in with your YubiKey:
ssh user@your-server - If successful, you’ll be prompted to touch your YubiKey to complete authentication.
Best Practices for YubiKey SSH Authentication
- Enable FIDO2 Support: Ensure your YubiKey supports “largeBlobs”
fido2-token -I /dev/hidraw0 | grep options - Backup Your Public Key: Store your SSH public key in a secure location for future use.
- Use a Backup YubiKey: Configure a secondary YubiKey to avoid lockout situations.
- Monitor Logs: Regularly check
/var/log/auth.logfor unauthorized access attempts.
Conclusion
By following this YubiKey SSH Certificate Setup, you’ve implemented a secure and efficient authentication method for your server. The YubiKey’s hardware-backed security ensures private keys are protected, and disabling password-based logins enhances overall security. This setup provides peace of mind for administrators managing sensitive systems.
Secure your digital life with the YubiKey 5C NFC! This top-tier security key offers seamless two-factor authentication and FIDO2 support via USB-C and NFC, ensuring ultimate protection for your online accounts and servers.
