checkla.blogg.se

Yubikey neo fido2








About a year ago I found out that the Yubikey Neo can be used as a SmartCard which can keep a secret key on-board. You can also use an actual SmartCard if you have one. But the setup procedure is quite involved and you need gpg.

Yubikey to the rescue! Or maybe OpenSSH in this case: As this explains, most Yubikeys, including the cheap blue ones which can only do U2F or FIDO2, can work with OpenSSH 8.2 to provide the private key without storing the secret key unencrypted on disk. Similar to using a SmartCard, but much easier. More important is that those keys are supported by GitHub since May 2021 and GitLab 14.8+ since March 2022.

```
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
You may need to touch your authenticator (again) to authorize key generation.
Enter file in which to save the key (/home/harald/.ssh/id_ecdsa_sk):
Enter passphrase (empty for no passphrase):
Your identification has been saved in /home/harald/.ssh/id_ecdsa_sk
Your public key has been saved in /home/harald/.ssh/id_ecdsa_sk.pub
SHA256:2xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx8
The key's randomart image is:
```

Once the public key part is added on the target system in its ~/.ssh/authorized_keys file, you can connect to it like this:

```
❯ ssh -i .ssh/id_ecdsa_sk t621.lan
Confirm user presence for key ECDSA-SK SHA256:2xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx8
```

Note that the private key ~/.ssh/id_ecdsa_sk is encrypted by the Yubikey, so this is a complete 2-factor authentication here, plus it checks for the user presence. And maybe the best part: this works on old U2F-only keys as well as new FIDO2 security keys.
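An added example, not part of the original post: a small audit of `authorized_keys` entries on the target system that reports which keys are FIDO-backed (`sk-*` types such as the ecdsa-sk key generated here) and whether the `no-touch-required` or `verify-required` options alter the user-presence check. The function names are illustrative and the sample entry, including its key bytes, is constructed.

```python
import base64
import struct
SK_TYPES = ("sk-ecdsa-sha2-nistp256@openssh.com", "sk-ssh-ed25519@openssh.com")
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def pack(*parts):
    """Encode byte strings as SSH wire strings (4-byte big-endian length + data)."""
    return b"".join(struct.pack(">I", len(p)) + p for p in parts)

def wire_strings(blob):
    """Split an SSH wire blob back into its length-prefixed strings."""
    out, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack_from(">I", blob, off)
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated string")
        out.append(blob[off:off + n])
        off += n
    return out

def audit_line(line):
    """Classify one authorized_keys entry; None for blank lines and comments."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    # Options, if present, come before the key type token.
    idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_PREFIXES)), None)
    if idx is None or idx + 1 >= len(tokens):
        raise ValueError("no key type and blob found")
    ktype, options = tokens[idx], " ".join(tokens[:idx])
    fields = wire_strings(base64.b64decode(tokens[idx + 1], validate=True))
    if not fields or fields[0] != ktype.encode():
        raise ValueError("key type does not match the encoded blob")
    hw = ktype in SK_TYPES
    return {
        "type": ktype,
        "hardware_backed": hw,
        # The last field of an sk-* public key is the FIDO application string.
        "application": fields[-1].decode() if hw else None,
        "touch_required": hw and "no-touch-required" not in options,
        "pin_required": hw and "verify-required" in options,
    }

# Constructed sample entry: the EC point is dummy bytes, not a real key.
BLOB = pack(SK_TYPES[0].encode(), b"nistp256", b"\x04" + bytes(64), b"ssh:")
SAMPLE = f"no-touch-required {SK_TYPES[0]} {base64.b64encode(BLOB).decode()} harald@constructed"
```

Calling `audit_line(SAMPLE)` flags the constructed entry as hardware-backed but with the touch requirement disabled, which is the setting to look for when the presence check matters.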









