Akamai MFA FIDO2 SSH Agent and CLI

June 19, 2026 · View on GitHub

Akamai MFA FIDO2 SSH Agent and CLI

The akr command line utility is an SSH Agent which works with the Akamai MFA authenticator apps for iOS and Android. Akr enables your mobile device to perform SSH authentication using a FIDO2 key generated by the Akamai MFA app.

akr runs as an SSH agent: when you run ssh [user@server], SSH asks the agent for a FIDO2 private key signature operation. This request is routed to a paired mobile phone (running the Akamai MFA app), where the user decides whether to allow the operation or not. If allowed, the phone simply sends the signature back to the agent. Private keys never leaves the phone.

⚠️ akr is currently in early-preview mode! Please contact us with any issues you find or feature suggestions.

Getting Started

First run

  1. First, run akr setup to create configurations and start the agent
  2. Next, pair your device: run akr pair
  3. Scan the QR code with the Akamai MFA app
  4. Run akr generate --name mykey to generate your first SSH key in Akamai MFA. This will output your SSH public key.
  5. Add your public key to a server or github.com
  6. You're all set!

Overview of Commands

Usage:
akr [options] [command] [arguments]

Options:

SyntaxDescription
-V, --versionDisplay the version number for the akr client.
-h, --helpDisplay usage information for akr client.

Commands:

CommandDescriptionExample
setupSetup the background daemon and updates ssh configurationakr setup --ssh-config-path <ssh_config_file_path>
pairPair with your phone/tabletakr pair
generateGenerate a new SSH credentialakr generate --name <ssh_credential_name>
unpairUnpair from your phone/tabletakr unpair
loadLoad public keys from the Akamai MFA app on your phone/tabletakr load
statusGet pairing info from your phone/tabletakr status
checkHealth check of all the dep systems and system configsakr check

Requirements

  • macOS (Apple Silicon, 11+) or Linux (Ubuntu, RHEL, Rocky Linux, or CentOS Stream) on x86_64/amd64 or arm64/aarch64.
  • OpenSSH Client and Server 8.2+
  • pinentry

Installation instructions

Packages are published from akamai/akr-pkg (deb/rpm) and akamai/homebrew-mfa (brew). Both x86_64/amd64 and aarch64/arm64 are supported; apt and dnf install the package matching your host architecture.

macOS (brew)

brew install akamai/mfa/akr
brew install pinentry-mac

Ubuntu

Supported: 22.04, 24.04, 26.04. Replace <VERSION> with 22, 24, or 26.

sudo install -m 0755 -d /etc/apt/keyrings
curl -SsL https://akamai.github.io/akr-pkg/akr-keyring.gpg \
  | sudo gpg --dearmor -o /etc/apt/keyrings/akr.gpg
echo "deb [signed-by=/etc/apt/keyrings/akr.gpg] https://akamai.github.io/akr-pkg/ubuntu/<VERSION> ./" \
  | sudo tee /etc/apt/sources.list.d/akr.list
sudo apt update
sudo apt install akr
sudo apt install pinentry-tty

RHEL / Rocky Linux

Supported: 8, 9, 10. Replace <VERSION> with 8, 9, or 10.

sudo tee /etc/yum.repos.d/akr.repo <<'EOF'
[akr]
name=akr repository
baseurl=https://akamai.github.io/akr-pkg/rhel/<VERSION>/
gpgcheck=1
gpgkey=https://akamai.github.io/akr-pkg/akr-keyring.gpg
enabled=1
EOF
sudo yum -y install akr
sudo yum -y install pinentry-gtk

CentOS Stream

Supported: 9, 10. Replace <VERSION> with 9 or 10.

sudo tee /etc/yum.repos.d/akr.repo <<'EOF'
[akr]
name=akr repository
baseurl=https://akamai.github.io/akr-pkg/centos/<VERSION>/
gpgcheck=1
gpgkey=https://akamai.github.io/akr-pkg/akr-keyring.gpg
enabled=1
EOF
sudo yum -y install akr
sudo yum -y install pinentry-gtk

Build from source

akr is built entirely with Rust. Ensure you have Rust installed (https://rustup.rs) and run cargo build.

Setup VM for testing

To test akr end-to-end, you can setup a local VM with Orbstack (https://orbstack.dev/download). Once Orbstack is installed, you can follow these steps:

  1. Create a Linux machine with the Latest LTS ubuntu image.
  2. Build akr from source with cargo build.
  3. Run ./target/debug/akr setup on your local machine to start the ssh-agent and update your ssh config.
  4. Run ./target/debug/akr pair to scan the QR code and pair your phone with the Akamai MFA app.
  5. Run ./target/debug/akr generate --name testkey to generate a new SSH key in the Akamai MFA app and get the public key output.
  6. Drop your public key into ~/.orbstack/ssh/authorized_keys on your local home directory (not within the VM).
  7. Stop the machine if running quit and restart Orbstack to be able to use the new public key.
  8. Then you can connect to any of the VMs with ssh user@<machine-name>.orb.local.

For more details on OrbStack SSH configuration, see: https://docs.orbstack.dev/machines/ssh#authentication.

Notes on Configuration

Running akr setup updates your SSH config file and installs the akr ssh-agent as a background service on your system. To see what akr configures, run akr setup --print-only.

The SSH config additions looks as follows:

# Begin Akamai MFA SSH Config
Host *
	IdentityAgent /Users/<username>/.akr/akr-ssh-agent.sock
# End Akamai MFA SSH Config

This enables your native system SSH to communicate to the akr ssh-agent process over a unix socket.

Notes

  1. You can also use your existing local RSA, ECDSA, ED25519 keys with akr as well. When you run akr setup, any existing local keys directly inside ~/.ssh folder gets loaded into the ssh-agent.
  2. If you have an ECDSA key, please make sure the private key is in PEM format.

Security Disclosure

For any security related questions, please contact our security team. Please disclose any issues responsibly using our Akamai Security GPG Public Key and send communications to security@akamai.com.

License

Copyright (c) 2026, Akamai Technologies. All rights reserved.