Yubikey devices for SSH

With a growing need for proper two factor authentication methods for web services many turn to applications such as Authy, Google Authenticator or the OTP module of their prefered passwords and secrets managers.

Yet, another solution exist : the use of physical keys such as the ones from Yubikey. Those devices support one-time passwords (OTP), public-key cryptography, and authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols developed by the FIDO Alliance.

Let's see an example of what can be done to use such a key for SSH and also, GPG.

Just the SSH setup

While some of us might want to use GPG (you should, we will come to that) some might just want to use a yubikey to boost security on their SSH setup.

There is a new type of SSH key that allows you to directly use a Yubikey thanks to an improved support of FIDO/U2F in OpenSSH release 8.2.

Digging into GPG & SSH setup with Yubikey products we found a nice, simple and short article describing such a use.

In even shorter :

• plug your yubikey
• run ssh-keygen -t ed25519-sk
• profit

This should work with recent Yubikey products

As you might see in the following, this method is way simpler than the other way and will still add a nice layer of protection. This method will make it required for you to tap on your Yubikey device to use the ssh key.

This also sticks to the standard way to run an ssh-agent and it will work great with most setups.

If you are in a hurry or don't want to mess with your ssh and gpg setup this is definitely a good approach.

The full thing

Now, with the increased support of FIDO/U2F devices in git hosting services you might also want to rely on a Yubikey device to authenticate yourself there and use the same key to store the keys to use to sign your commits and push code through GIT+SSH.

There is a great, long, writeup on this topic on Github. It's probably better to read it once before actually rushing through as a few steps might take you quite a bit of time.

The tutorial covers everything one needs to know about setting up, using, managing yubikeys for different use cases and in different contexts (OS).

To go through it you will need :

• a GNU/Linux, BSD, Mac or Windows machine
• a yubikey device (at least one, possibly 2 so you have a backup)
• a usb stick or something similar you can plug on your machine (if you have any 1, 4 or 8 GB cards and sticks in a drawer now might be a good time to use them, this will serve as storage for an encrypted backup of the master key)

In short the tutorial covers :

1. Setting up a secure, trustable, computer
2. Creating master and sub keys in temporary folders
3. Adding extra identities
4. Generating the revocation certificate
5. Backing up to an encrypted volume
6. Exporting public keys locally and to a server
7. Configuring the smartcard
8. Cleaning up
9. Uses including rotating keys, signing, encrypting, renewing the sub keys, SSH case

Note : I don't link directly to those points as the tutorial is quite dense and it's better not to jump around too much if you don't know exactly what you are doing.

Epilogue

Moving to 2 factor authentication is an important step for users in general, it's not a luxury anymore and it's clearly become a required step for all of us.

The use of physical tokens has now become easier and is cheap enough for most to consider it and for companies to invest in devices such as Yubikey ones.

If you are only interested in adding the physical key requirement to your SSH setup then the first article is probably enough.

Yet, as pointed out, the use of FIDO/U2F devices can improve security for several use cases (service auth, gpg signatures, ssh keys) in one go. In our opinion that should be considered.