The Wonderful World of Yubikey: SSH

In previous posts, we've covered the basics of what most people would use their Yubikey for:

But Yubikey can do so much more.

It can also handle your SSH needs as well.

SSH + Yubikey

Explaining what SSH is beyond the scope of this post so we'll assume you already know what it is and are using it for something. Some common SSH use cases:

  • Logging in to a remote machine for some administrative task. This could be a VPS that hosts your website, a headless Pi on your home network or machines you admin for work.
  • Securely interacting with a Git repository. SSH allows you to clone from and push to remote repos where you are authorized to do so.

SSH utilizes a public/private key pair system where you add your public key to the thing you want to access and then use your private key to verify you are someone that is allowed to access that system. Historically, your entire private SSH key existed as a file on your computer (ideally, password protected) probably in the  ~/.ssh directory.

In a perfect world, this is a pretty safe system. In order to even get to your private key someone would need access to the place it is stored. But if they did get access...files can be copied.

Let's explore using Yubikey as an extra layer of protection for your private key:

The Yubikey is a physical thing that only you have. Theoretically, it can't be duplicated. Instead of leaving your entire private SSH key on your computer you can instead create a stub file that effectively says "I don't know, go ask Yubikey!"

I found this blog post very helpful as I was setting this up:

How to use your Yubikey to log in via SSH to your server | rameerez
SSH is a secure way of accessing servers. But if your private key gets compromised, an attacker can gain access to your servers. Adding Second Factor Authentication (2FA) with a Yubikey is a good option to strengthen your SSH setup, because attackers would need to get physical access to your hardwar…

Essentially you'll need:

  • OpenSSH 8.2 or higher
  • run ssh-keygen with the -sk appended to the key type: ssh-keygen -t ed25519-sk -f testkey
  • You'll end up with testkey and testkey.pub. Use this key pair like you normally would.
  • The biggest difference is that now when you need to use testkey to verify, you will be prompted to interact with your Yubikey.
  • WARNING: The remote system you want to connect to must also support this key type!

This is great but like previous examples you'll want some redundancy. If you've followed the instructions above and you lose your yubikey or its corresponding stub file you are now locked out. Like all things Yubikey, you'll want multiple keys for backups. To achieve this, you would just repeate the above process for each Yubikey you own.

So in the end you would have multiple public/private key pairs on your system, each corresponding to your physical keys:

  • yubiSSH1 and yubiSSH1.pub
  • yubiSSH2 and yubiSSH2.pub
  • and so on....

Just another interesting use for Yubikey. In the next installment of this series we'll be exploring Yubikey and GPG!