OpenSSH with FIDO2 and Trezor


On Valentine’s day, the OpenSSH team prepared a nice present for all of us; the new 8.2 release. This release is important because it brings the first-class support for hardware tokens via the libfido2 library.

We’ve been in touch with OpenSSH developers Damien Miller and Markus Friedl and libfido2 developer Pedro Martelletto and gladly provided them with free Trezor Model T devices to make the development and testing easier.

OpenSSH and Trezor are a perfect match because Trezor Model T is the only FIDO2 hardware token with a display, which allows you to see which identity is being used for authentication. We are really satisfied with the result and appreciate the great job done in this release!

Getting started

First, you need to have libfido2 (version 1.3.0 or above) and OpenSSH (version 8.2 or above) installed on your client. OpenSSH needs to be compiled with the --with-security-key-builtin option enabled. For the server, you just need to have OpenSSH (version 8.2 or above) installed.

It might take some time until these versions are packaged in your Linux distribution, but this will happen eventually. Some distributions such as Fedora, NixOS, and Debian have this functionality already in their pipeline.

Generating keys

Once you have everything set up properly you can issue the following command to generate a key pair backed by your hardware token (“ecdsa” stands for “elliptic curve digital signature algorithm” and “sk” stands for “security key”):

ssh-keygen -t ecdsa-sk

If you are using Trezor Model T, you should see a screen like this:

Trezor Model T creating a key pair for OpenSSH

As you can see from the photo, FIDO2 relying party ID is set to ssh: and FIDO2 user ID is set to openssh.

In case you want to use a different key for every server, you can modify the FIDO2 relying party ID via the -O application flag:

ssh-keygen -t ecdsa-sk -O application=ssh:user@example.com
Trezor Model T creating a key pair for OpenSSH with custom relying party ID

Once you confirm this screen, two files will be created: ~/.ssh/id_ecdsa_sk and ~/.ssh/id_ecdsa_sk.pub. The contents of the .pub file can be added to ~/.ssh/authorized_keys on the server just like you are used to. Once you do this, the OpenSSH will take care of the rest and next time you’ll try to login to that server, you’ll be prompted with the FIDO2 dialog on your device.

While following the instructions above, you might have noticed the ~/.ssh/id_ecdsa_sk file was generated in the process. This file does not contain a private key (like it usually does for other key methods), but it contains a FIDO2 credential required to reconstruct the private key inside of the hardware token. You need to keep this file on your client if you want to be able to log in from this machine.



Source link

Comments (No)

Leave a Reply