OpenSSH with FIDO2 and Trezor

From Linux Delta
Revision as of 23:16, 25 February 2020 by Chris (talk | contribs)
Jump to: navigation, search

OpenSSH with FIDO2 and Trezor


First, you need to have libfido2 (version 1.3.0 or above) and OpenSSH (version 8.2 or above) installed on your client. OpenSSH needs to be compiled with the --with-security-key-builtin option enabled. For the server, you just need to have OpenSSH (version 8.2 or above) installed. It might take some time until these versions are packaged in your Linux distribution, but this will happen eventually. Some distributions such as Fedora, NixOS, and Debian have this functionality already in their pipeline.

First generate your keys

ssh-keygen -t ecdsa-sk

If you want to use a different key for every server, add the -O application flag:

ssh-keygen -t ecdsa-sk -O

Two files will have been created: ~/.ssh/id_ecdsa_sk and ~/.ssh/ The contents of the .pub can be added to your servers under ~/.ssh/authorized_keys