OpenSSH with FIDO2 and Trezor

From Linux Delta
Revision as of 18:24, 2 July 2020 by KernelPanic (talk | contribs)


Requirements

On the client you need libfido2 (version 1.3.0 or above) and OpenSSH (version 8.2 or above), and OpenSSH must have been built with the --with-security-key-builtin configure option so that ssh and ssh-keygen can talk to the token themselves (the alternative is to point them at a separate middleware library with the SecurityKeyProvider option or the SSH_SK_PROVIDER environment variable). The server only needs OpenSSH 8.2 or above: sshd has to recognise the new sk-ecdsa-sha2-nistp256@openssh.com key type, but it never touches the token, so it does not need libfido2. Check both sides with ssh -V (the version is printed on stderr). The token itself, here a Trezor, must support U2F or FIDO2; ecdsa-sk keys work with either. It may take some time until these versions are packaged in your Linux distribution, but distributions such as Fedora, NixOS, and Debian already have them in their pipeline.

First generate your keys

ssh-keygen -t ecdsa-sk

ssh-keygen will ask you to touch (on a Trezor, confirm on) the token while it generates the key. Every run produces a fresh key pair, so a different key per server is just a matter of running ssh-keygen again with -f to pick a distinct file name. The -O application flag sets the FIDO application (relying party) string that is stored alongside the key; it defaults to ssh: and must begin with ssh:. Giving each key its own string, for instance the account and host it is meant for, lets you tell the keys apart later:

ssh-keygen -t ecdsa-sk -O application=ssh:user@example.com

Two files will have been created: ~/.ssh/id_ecdsa_sk and ~/.ssh/id_ecdsa_sk.pub. The private key file does not hold the signing key itself, only a key handle that the token needs to reconstruct it, so a copy of the file is useless without the Trezor and every authentication still requires a touch on the device. The single line in the .pub file, which starts with sk-ecdsa-sha2-nistp256@openssh.com, is what you add to ~/.ssh/authorized_keys on your servers (ssh-copy-id -i ~/.ssh/id_ecdsa_sk.pub user@server does this for you). When you then connect, ssh prints "Confirm user presence for key ECDSA-SK ..." and waits for the touch before the login completes.
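The whole procedure, as an added example that is not part of the original page: a POSIX shell script that checks the OpenSSH version requirement, refuses to install anything but a FIDO (sk-*) public key into authorized_keys, and only when invoked as "script.sh generate HOST" runs the interactive ssh-keygen step with a per-host application string and file name. The sample public key and the authorized_keys path used below are constructed placeholders, not real keys; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Linux Delta page): pre-flight checks for
# FIDO2-backed OpenSSH keys plus the generate/install steps themselves.

# Parse the output of `ssh -V` (e.g. "OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL ...")
# and succeed only for 8.2 or later, the first release that knows the sk-* key
# types on both the client and the server side.
openssh_at_least_8_2() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    if [ -z "$ver" ]; then return 1; fi
    major=${ver%% *}
    minor=${ver##* }
    if [ "$major" -gt 8 ]; then return 0; fi
    if [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; then return 0; fi
    return 1
}

# Succeed only when a .pub / authorized_keys line carries one of the two FIDO
# key types added in OpenSSH 8.2; anything else is not hardware-backed.
is_sk_pubkey() {
    case "$1" in
        sk-ecdsa-sha2-nistp256@openssh.com\ *|sk-ssh-ed25519@openssh.com\ *) return 0 ;;
        *) return 1 ;;
    esac
}

# Append one public key line to an authorized_keys file: reject non-FIDO keys
# (status 2), skip exact duplicates, create the file mode 0600 if it is missing.
add_sk_authorized_key() {
    keyline=$1
    akfile=$2
    if ! is_sk_pubkey "$keyline"; then return 2; fi
    if [ ! -f "$akfile" ]; then ( umask 077; : > "$akfile" ); fi
    if grep -qxF -- "$keyline" "$akfile"; then return 0; fi
    printf '%s\n' "$keyline" >> "$akfile"
}

# Interactive step (needs the token): one key per host, each with its own
# application string (must start with "ssh:") and its own file name so that a
# second run does not clobber ~/.ssh/id_ecdsa_sk.
generate_sk_key() {
    host=$1
    ssh-keygen -t ecdsa-sk -O "application=ssh:$USER@$host" -f "$HOME/.ssh/id_ecdsa_sk_$host"
}

# Constructed sample line in the shape ssh-keygen writes; the base64 blob is a
# placeholder, not a real key.
SAMPLE_SK_KEY='sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTZQTEFDRUhPTERFUg== user@example.com'

if [ "${1-}" = generate ] && [ -n "${2-}" ]; then
    if ! openssh_at_least_8_2 "$(ssh -V 2>&1)"; then
        echo "OpenSSH 8.2 or later with security key support is required" >&2
        exit 1
    fi
    generate_sk_key "$2"
fi
```

Run it without arguments to load the functions for testing, or as "sh fido-ssh.sh generate example.com" to actually create ~/.ssh/id_ecdsa_sk_example.com; the .pub file it writes can then be fed to add_sk_authorized_key on the server side, which keeps a stray ssh-rsa line from slipping into the file by mistake.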