Steps To Set Up SSH Keys With YubiKey as two-factor authentication (U2F/FIDO2)
In today’s digital world, security is paramount, and having strong and secure authentication mechanisms is crucial. One way to enhance security when accessing remote servers is by using SSH keys.
However, with the growing threat of cyberattacks, it is no longer sufficient to rely on password-based authentication. This is where the YubiKey comes in. The YubiKey is a hardware authentication device that provides an extra layer of security for online accounts and servers.
In this article, we will show you how to set up SSH keys with YubiKey as two-factor authentication (U2F/FIDO2) to enhance security when accessing remote servers.
Step 1: Generate an SSH Key
The first step in setting up SSH keys with YubiKey is to generate an SSH key. This key will be used to authenticate with remote servers. Here’s how to generate an SSH key:
- Open a terminal window on your local machine.
- Type the following command: ssh-keygen -t rsa
- You will be prompted to enter a file name for the key. Press Enter to accept the default name or type a different one.
- You will then be prompted to enter a passphrase for the key. It is recommended to use a strong passphrase to enhance security.
Once the key is generated, two files will be created in the ~/.ssh directory: the private key file and the public key file (id_rsa and id_rsa.pub if you kept the default name).
Step 2: Set Up YubiKey
The next step is to set up your YubiKey as a second-factor authentication method. Follow these steps to set up YubiKey:
- Plug your YubiKey into the USB port of your local machine.
- Open a terminal window and type the following command: ykman fido list
- This command will display the serial number of your YubiKey.
- Type the following command to enable the FIDO U2F app on your YubiKey: ykman fido u2f enable
Step 3: Add Public Key to Remote Server
The next step is to add the public key to the remote server you wish to access. Here’s how to do it:
- Open a terminal window on your local machine.
- Type the following command to copy the public key to the remote server: ssh-copy-id username@remote-server
- Replace “username” with your username on the remote server and “remote-server” with the hostname or IP address of the remote server.
- You will be prompted to enter your account password on the remote server.
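A check that goes with Step 1 and Step 3, added here as an example and not taken from the original article: a key generated with ssh-keygen -t rsa is an ordinary software key that the YubiKey is not involved in. OpenSSH 8.2 and later can instead generate keys with ssh-keygen -t ed25519-sk or ssh-keygen -t ecdsa-sk, which require the token to be present for every authentication and appear in authorized_keys with an sk- key type. The POSIX shell script below classifies public-key lines by that type and counts how many keys in an authorized_keys file lack the hardware factor, so an administrator can verify what Step 3 actually installed on the server. The function names (key_type_of, is_sk_key, count_software_keys, audit_sample) and the sample authorized_keys content are my own constructions; the key blobs are truncated placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not code from the original article: classify SSH public keys
# by whether they are FIDO/U2F-backed and audit an authorized_keys file for
# keys that are not. OpenSSH 8.2+ produces the "sk-" key types for keys made
# with `ssh-keygen -t ed25519-sk` or `ssh-keygen -t ecdsa-sk`; a key made with
# `ssh-keygen -t rsa` is a plain software key with no hardware binding.

# Print the key type of a public-key line, skipping any authorized_keys option
# prefix such as "verify-required" or "no-port-forwarding".
key_type_of() {
    # $1: one public-key line
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(sk-)?(ssh-|ecdsa-)/) { print $i; exit }
    }'
}

# Return 0 when the key is one of the FIDO security-key types, 1 otherwise.
is_sk_key() {
    case "$(key_type_of "$1")" in
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the number of keys in an authorized_keys file that are NOT
# hardware-backed. Blank lines and comment lines are ignored.
count_software_keys() {
    # $1: path to an authorized_keys file
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        is_sk_key "$line" || n=$((n + 1))
    done < "$1"
    printf '%s\n' "$n"
}

# Constructed sample authorized_keys; the key blobs are truncated placeholders,
# not real keys.
SAMPLE_AUTHORIZED_KEYS='# constructed sample
ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB... laptop-software-key
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29t... yubikey-5
verify-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNh... yubikey-nfc
'

# Write the sample to a temporary file, audit it and print the count (1 here:
# only the RSA key lacks a hardware factor).
audit_sample() {
    tmp=$(mktemp)
    printf '%s' "$SAMPLE_AUTHORIZED_KEYS" > "$tmp"
    count_software_keys "$tmp"
    rm -f "$tmp"
}

audit_sample
```

Run it against a real file with count_software_keys ~/.ssh/authorized_keys; a result above zero means at least one key on that account can be used without the YubiKey, regardless of what the sshd configuration in Step 4 says.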
Step 4: Configure SSH to Use YubiKey for Authentication
The final step is to configure SSH to use YubiKey for authentication. Here’s how to do it:
- Open the sshd_config file on the remote server: sudo nano /etc/ssh/sshd_config
- Add the following line to the file: AuthenticationMethods publickey,keyboard-interactive
- Save and close the file.
- Open the ssh_config file on your local machine: nano ~/.ssh/config
- Add the following lines to the file:
Host remote-server
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes
    PreferredAuthentications publickey,keyboard-interactive
- Replace “remote-server” with the hostname or IP address of the remote server.
- Save and close the file.
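The Step 4 edits as a repeatable script, added here as an example that is not part of the original article. It writes the client Host block only if one for that alias is not already present, and it checks an sshd_config the way sshd reads it: the first AuthenticationMethods directive wins, and a client is accepted as soon as it completes any one of the space-separated alternatives, so every alternative must contain publickey for the key to be mandatory. The functions take file paths as arguments so they can be exercised on temporary files; the function names (ensure_host_block, sshd_auth_methods, sshd_requires_publickey, demo) and the sample configuration contents are my own constructions.

```shell
#!/bin/sh
# Added example, not code from the original article: helpers for the Step 4
# configuration edits. They take file paths as arguments so they can be run
# against temporary copies rather than the live /etc/ssh/sshd_config.

# Append a Host block to an ssh client config unless a block for that alias
# already exists, so re-running the setup never produces duplicate entries.
ensure_host_block() {
    # $1: client config path, $2: Host alias, $3: IdentityFile path
    if [ -f "$1" ] && awk -v h="$2" '
            tolower($1) == "host" { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
            END { exit !found }' "$1"; then
        return 0   # already configured
    fi
    printf '\nHost %s\n    IdentityFile %s\n    IdentitiesOnly yes\n    PreferredAuthentications publickey,keyboard-interactive\n' \
        "$2" "$3" >> "$1"
}

# Print the effective AuthenticationMethods value of an sshd_config. sshd
# honours the first occurrence of a keyword, so only the first match counts.
# Commented-out lines ("#AuthenticationMethods ...") do not match.
sshd_auth_methods() {
    # $1: sshd_config path
    awk 'tolower($1) == "authenticationmethods" {
            $1 = ""; sub(/^ /, ""); print; exit
        }' "$1"
}

# Return 0 only when every space-separated alternative in AuthenticationMethods
# contains publickey. sshd accepts a client that completes ANY one alternative,
# so "publickey,keyboard-interactive password" would still allow a password-only
# login through the second alternative.
sshd_requires_publickey() {
    # $1: sshd_config path
    methods=$(sshd_auth_methods "$1")
    [ -n "$methods" ] || return 1   # directive absent: nothing is enforced
    for alt in $methods; do
        case ",$alt," in
            *,publickey,*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Stand-alone demonstration on constructed temporary files.
demo() {
    dir=$(mktemp -d)
    printf 'AuthenticationMethods publickey,keyboard-interactive\n' > "$dir/sshd_good"
    printf '#AuthenticationMethods publickey,keyboard-interactive\nAuthenticationMethods publickey,keyboard-interactive password\n' > "$dir/sshd_weak"
    for f in sshd_good sshd_weak; do
        if sshd_requires_publickey "$dir/$f"; then
            echo "$f: public key required on every path"
        else
            echo "$f: a path without public key exists: $(sshd_auth_methods "$dir/$f")"
        fi
    done
    ensure_host_block "$dir/config" remote-server "$HOME/.ssh/id_rsa"
    ensure_host_block "$dir/config" remote-server "$HOME/.ssh/id_rsa"   # no-op
    echo "Host blocks written: $(grep -c '^Host ' "$dir/config")"
    rm -r "$dir"
}
demo
```

Two points the script reflects that the steps above leave implicit: the client-side PreferredAuthentications line only orders the methods the client tries, so enforcement lives in the server's AuthenticationMethods directive; and sshd reads its configuration at start-up, so after editing /etc/ssh/sshd_config validate it with sshd -t and then reload or restart the sshd service for the change to take effect.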
Conclusion
Using SSH keys with a YubiKey as two-factor authentication (U2F/FIDO2) is a powerful and secure way to access remote servers. By following the steps outlined in this article, you can enhance the security of your SSH connections and protect your data from unauthorized access. Remember, security is paramount, and it’s always better to be safe than sorry.