U2F SSH key generation and installation guide
September 22, 2022
Install the U2F libraries on the client machine:
sudo apt-get install pamu2fcfg libpam-u2f
Currently, only two ciphers support 'special keys', or (sk);
this is the notation used in the output of the
'ssh-keygen --help' command.
The Flipper only seems to support ecdsa-sk keys.
First, plug in your Flipper, launch the U2F extension,
and verify it's connected:
lsusb | grep U2F
The output should look a little like this:
Bus 00x Device 00x: ID xxxx:xxxx STMicroelectronics U2F Token
To generate the ecdsa-sk U2F key pair (id file):
ssh-keygen -t ecdsa-sk -f
Once the command executes, ssh-keygen will hang until you
touch the center button of the Flipper to register the key.
The command output will look like this:
You may need to touch your authenticator to authorize key generation.
Once you tap the Flipper, ssh-keygen will prompt for an x509 password
for the key; this is optional. After this, the key is written
to the output file specified in the ssh-keygen parameter above.
To enable pubkey authentication, you must first log in to the server via ssh
or log in to it physically:
ssh
Once the key has been generated, enable pubkey authentication on the server.
This is done by uncommenting a line in /etc/ssh/sshd_config on the server:
sudo vi /etc/ssh/sshd_config
or if you like nano ;)
sudo nano /etc/ssh/sshd_config
Uncomment this line in that file:
#PubkeyAuthentication yes
Create ~/.ssh inside the desired user's home directory on the server:
mkdir ~/.ssh; touch ~/.ssh/authorized_keys
Restart the ssh daemon on the server and go back to your host:
service sshd restart; exit
On your local host, register the generated ssh key using this command:
ssh-copy-id -i id_ecdsa_sk.pub
Then sign in with PAM. After this, you are free to
log in to your host with:
ssh -i id_ecdsa_sk
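As an added example (not part of the original guide), this Python check can be run on the server after ssh-copy-id to confirm which entries in ~/.ssh/authorized_keys are hardware-backed -sk keys and whether any has the no-touch-required option set. The function names and the sample entries are constructed for illustration; the blob layout assumed is the length-prefixed string format OpenSSH documents for -sk public keys.

```python
import base64

# Key types OpenSSH assigns to FIDO/U2F-backed ("-sk") keys.
SK_TYPES = {"sk-ecdsa-sha2-nistp256@openssh.com", "sk-ssh-ed25519@openssh.com"}

def read_strings(blob):
    """Split an SSH wire-format blob into its length-prefixed strings."""
    out, pos = [], 0
    while pos < len(blob):
        n = int.from_bytes(blob[pos:pos + 4], "big")
        if pos + 4 + n > len(blob):
            raise ValueError("truncated string")
        out.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return out

def audit_line(line):
    """Describe one authorized_keys entry; None for blank lines and comments."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    for i in range(len(fields) - 1):  # options may precede the key type
        try:
            parts = read_strings(base64.b64decode(fields[i + 1], validate=True))
        except ValueError:
            continue  # not a key blob, so still inside the options
        if parts and parts[0] == fields[i].encode():
            hw = fields[i] in SK_TYPES
            return {"type": fields[i], "hardware_backed": hw,
                    # for -sk keys the last string is the application, e.g. "ssh:"
                    "application": parts[-1].decode() if hw else None,
                    "touch_required": hw and "no-touch-required" not in " ".join(fields[:i])}
    raise ValueError("no parsable public key on line")

def audit(text):
    """Audit every entry in the text of an authorized_keys file."""
    return [r for r in map(audit_line, text.splitlines()) if r]

def make_blob(*parts):  # helper used only to build the constructed sample
    return base64.b64encode(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).decode()

# Constructed entries with dummy key material; these are not real keys.
SK = "sk-ecdsa-sha2-nistp256@openssh.com"
SAMPLE = "\n".join([
    SK + " " + make_blob(SK.encode(), b"nistp256", b"\x04" + bytes(64), b"ssh:") + " user@client",
    "ssh-rsa " + make_blob(b"ssh-rsa", b"\x01\x00\x01", bytes(256)) + " legacy@client",
])

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

To audit a real file, pass its contents to audit(); any entry with hardware_backed set to False is a key that can be used without the token.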