Securing SSH with the YubiKey (2024)

Secure Shell (SSH) is the usual way to reach remote systems. It provides a cryptographically secure channel over an untrusted network. SSH uses public-key cryptography to authenticate the remote host to the client and, when key-based login is configured, the user to the remote host.

SSH also offers passwordless authentication. In this scenario the user generates a public-private key pair. The public key is placed on every remote system and grants access to whoever holds the matching private key, so the owner is responsible for keeping that private key secret. Owners can protect private keys with the YubiKey by importing them or, better, generating the key pair on the YubiKey itself. A private key on the YubiKey cannot be exported or extracted; the host can only ask the device to sign with it while it is plugged in, which is why the touch and PIN policies described below matter.

The YubiKey supports four methods of hardware-backed SSH authentication, each with different trade-offs.

PIV

The YubiKey stores and manages RSA and Elliptic Curve (EC) asymmetric keys within its PIV module. It works with SSH clients that can talk to smart cards through the PKCS#11 interface; Yubico provides this interface as the libykcs11 module.

Pros:

  • Centralized management of keys

  • Standardized security policies across endpoints

  • Wide Support for PKCS#11

  • Ideal for organizations with an existing PKI deployment

Cons:

  • No chain validation of certificates: OpenSSH does not validate the X.509 certificate held in the PIV slot, which only serves to expose the key through PKCS#11

  • Each key must be revoked individually
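Example enrolment, added here and not part of the original page or Yubico's tooling: the script locates the libykcs11 module (its install path differs by distribution; the candidate paths, the ECCP256 algorithm and the touch policy are assumptions), generates the key on the device in slot 9a, gives the slot a self-signed certificate because libykcs11 only exposes keys from slots that hold one, and tells ssh(1) to load the module. It uses ykman 4+ command syntax.

```shell
#!/bin/sh
# Added example, not from the original page or Yubico's tooling: enrol a PIV
# key for SSH through PKCS#11. Assumes ykman 4+ and libykcs11 are installed;
# the module paths, algorithm and touch policy are choices, not requirements.
set -e

# Return the first readable libykcs11 among the candidates given as arguments,
# or fail. The path differs by distribution, so callers pass candidates.
find_pkcs11_module() {
  local p
  for p in "$@"; do
    if [ -r "$p" ]; then
      printf '%s\n' "$p"
      return 0
    fi
  done
  return 1
}

# ssh_config fragment that loads the module for every host, so ssh(1) offers
# the PIV key (and prompts for the PIN) without a separate ssh-add -s step.
ssh_config_fragment() {
  printf 'Host *\n    PKCS11Provider %s\n' "$1"
}

# Device-touching steps, kept out of the top level so the file can be run
# or tested without hardware.
enrol_piv_key() {
  local module
  module=$(find_pkcs11_module \
      /usr/lib/x86_64-linux-gnu/libykcs11.so \
      /usr/local/lib/libykcs11.so \
      /opt/homebrew/lib/libykcs11.dylib) || {
    echo "libykcs11 not found; install yubico-piv-tool" >&2; return 1; }
  # The key is generated on the YubiKey and never leaves it. ECCP256 gives the
  # SSH key type ecdsa-sha2-nistp256; --touch-policy ALWAYS means malware on
  # the host cannot sign without a physical tap.
  ykman piv keys generate --algorithm ECCP256 --touch-policy ALWAYS 9a piv-pub.pem
  # libykcs11 only presents keys from slots that hold a certificate; OpenSSH
  # ignores the certificate's contents and chain, so self-signed is enough.
  ykman piv certificates generate --subject "CN=ssh-$(whoami)" 9a piv-pub.pem
  # Print the public key(s) the module exposes, in authorized_keys format.
  ssh-keygen -D "$module"
  ssh_config_fragment "$module" >> "$HOME/.ssh/config"
}

if [ "${1:-}" = "--enrol" ]; then
  enrol_piv_key
fi
```

Run it with --enrol on a machine with the YubiKey inserted; ssh then prompts for the PIV PIN when it loads the module, and with the ALWAYS touch policy the device blinks until you tap it for each signature. The printed ssh-keygen -D line is what goes into authorized_keys on each server.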

PGP

The YubiKey stores and manages OpenPGP keys within its OpenPGP module. It will work with SSH clients that have integrated with the OpenPGP standard.

Pros:

  • Simple to manage keys on a single locally controlled machine

  • Easy to export and share the public key

  • Ideal for individual users

Cons:

  • No key recovery in event of lost YubiKeys

  • OpenPGP is not widely supported by credential management services
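Added example, not from the page, GnuPG or Yubico: enabling gpg-agent as the SSH agent for a key that already lives on the card's authentication slot. The GNUPGHOME path and the key ID are the caller's; the configuration helper is idempotent so it can sit in a dotfiles script.

```shell
#!/bin/sh
# Added example, not from the original page, GnuPG or Yubico: let gpg-agent
# serve the YubiKey's OpenPGP authentication key to SSH clients. Assumes
# GnuPG 2.1+ and a card whose authentication slot already holds a key.
set -e

# Enable gpg-agent's built-in SSH agent in the given GNUPGHOME, idempotently:
# running it twice adds the line once, so it is safe in a dotfiles script.
enable_gpg_ssh_support() {
  local home="$1" conf
  conf="$home/gpg-agent.conf"
  mkdir -p "$home" && chmod 700 "$home"   # gpg warns on group/world-readable homes
  touch "$conf"
  if ! grep -qx 'enable-ssh-support' "$conf"; then
    printf 'enable-ssh-support\n' >> "$conf"
  fi
}

# Lines for the login shell: route SSH clients to gpg-agent's socket instead
# of ssh-agent's, and tell gpg-agent which terminal may show the PIN prompt.
shell_rc_fragment() {
  cat <<'EOF'
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
export GPG_TTY="$(tty)"
gpg-connect-agent updatestartuptty /bye >/dev/null
EOF
}

# Device-touching steps: register the card with gpg, then export its
# authentication subkey in authorized_keys format. KEYID is the long key ID
# or fingerprint of the OpenPGP key whose subkeys are on the card.
export_ssh_pubkey() {
  gpg --card-status >/dev/null
  gpg --export-ssh-key "$1"
}

if [ "${1:-}" = "--setup" ]; then
  enable_gpg_ssh_support "${GNUPGHOME:-$HOME/.gnupg}"
  shell_rc_fragment
fi
```

After appending the printed lines to the shell rc file, restart the agent with gpgconf --kill gpg-agent and open a new shell; with the YubiKey inserted, ssh-add -L lists the card's authentication key. The recovery caveat from the Cons list applies: if the key was generated on the card rather than imported from a backup, losing the YubiKey means re-enrolling a new public key everywhere.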

FIDO2

OpenSSH version 8.2p1 added support for FIDO hardware authenticators. FIDO devices are supported by the public key types "ecdsa-sk" and "ed25519-sk" (on the wire, sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com), along with corresponding certificate types.

ssh-keygen may be used (with -t ed25519-sk or -t ecdsa-sk) to generate a FIDO token-backed SSH key, after which such keys may be used much like any other key type supported by OpenSSH, provided that the YubiKey is plugged in when the keys are used. By default OpenSSH asks the authenticator for user presence, so the YubiKey requires the user to explicitly authorize each signature by touching or tapping it; the no-touch-required option relaxes this, and verify-required additionally demands the FIDO2 PIN.

The Security Key by Yubico and the YubiKey Bio Keys support authenticating to SSH with FIDO2 credentials.

Pros:

  • Easy to register and use keys quickly

  • Configurations for both public and secured endpoints

  • Does not require a dedicated YubiKey for just SSH authentication; can use the same device with other FIDO2/WebAuthn services

Cons:

  • Not supported on Windows as of the last update to this page

  • Disabled by Apple on the bundled version of OpenSSH in macOS as of the last update to this page.

  • No credential management support as of the last update to this page
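Added example, not from the page or from OpenSSH's or Yubico's documentation: enrolling an ed25519-sk key and building its authorized_keys entry. The application string "ssh:work", the output file name and the choice of a resident, PIN-protected credential are assumptions; the version check and the entry builder run without hardware.

```shell
#!/bin/sh
# Added example, not from the original page: enrol a FIDO2 (ed25519-sk) SSH
# key on a YubiKey and install it with a per-key policy. Assumes OpenSSH
# 8.2p1 or later on both client and server.
set -e

# -sk key types need OpenSSH >= 8.2. Takes the banner text of `ssh -V`
# (which ssh prints to stderr) so the check can be exercised on any string.
openssh_supports_sk() {
  local ver major minor
  ver=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
  [ -n "$ver" ] || return 1
  major=${ver% *}
  minor=${ver#* }
  [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; }
}

# Build the authorized_keys entry for a FIDO public key. Refuses non-FIDO key
# types, because verify-required / no-touch-required only apply to -sk keys
# and sshd would reject the line. The policy argument is optional.
authorized_keys_line() {
  local key="$1" policy="${2:-}" type
  type=${key%% *}
  case "$type" in
    sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
    *) echo "not a FIDO key type: $type" >&2; return 1 ;;
  esac
  case "$policy" in
    "") printf '%s\n' "$key" ;;
    verify-required|no-touch-required) printf '%s %s\n' "$policy" "$key" ;;
    *) echo "unknown policy: $policy" >&2; return 1 ;;
  esac
}

# Device-touching steps. The private key file written by ssh-keygen is only
# a handle: the actual key never leaves the YubiKey.
enrol_fido2_key() {
  local banner
  banner=$(ssh -V 2>&1)
  openssh_supports_sk "$banner" || { echo "need OpenSSH 8.2p1+: $banner" >&2; return 1; }
  # -O verify-required: the FIDO2 PIN is needed for every signature, so a
  #   stolen, plugged-in key is not enough (possession plus knowledge).
  # -O resident: the credential is also stored on the YubiKey, so a new
  #   workstation can recover the handle with `ssh-keygen -K`.
  # -O application=ssh:...: separates this credential from others on the key.
  ssh-keygen -t ed25519-sk -O resident -O verify-required \
    -O application=ssh:work -C "yubikey-$(whoami)" -f "$HOME/.ssh/id_ed25519_sk"
  authorized_keys_line "$(cat "$HOME/.ssh/id_ed25519_sk.pub")" verify-required
}

if [ "${1:-}" = "--enrol" ]; then
  enrol_fido2_key
fi
```

The policy prefix is per key; to enforce the PIN for every FIDO key regardless of what each authorized_keys line says, set PubkeyAuthOptions verify-required in sshd_config on the server.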

OTP

System administrators can configure two-factor authentication for SSH using the YubiKey's OTP through the Yubico PAM module (pam_yubico).

Pros:

  • Legacy solution with support for older versions of SSH.

Cons:

  • Not as secure as an asymmetric key based solution

  • Supporting frameworks approaching end of life in many cases
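Added example, not from the page or from pam_yubico's documentation: mapping a YubiKey to a user for pam_yubico and wiring it into sshd as a second factor behind public-key authentication. CLIENT_ID and API_KEY are placeholders for YubiCloud credentials issued by Yubico, the authfile path is a choice, and the OTP used in the demo is constructed, not a real token.

```shell
#!/bin/sh
# Added example, not from the original page: YubiKey OTP as a second factor
# for SSH via pam_yubico. Assumes pam_yubico is installed; CLIENT_ID and
# API_KEY are placeholders for YubiCloud credentials issued by Yubico.
set -e

# A YubiKey OTP is 44 modhex characters (alphabet cbdefghijklnrtuv) and the
# first 12 are the public ID of the key; that ID, not the OTP, is what
# pam_yubico's authfile maps to a user. Validate before extracting so a typo
# or a non-YubiKey token is refused rather than silently mapped.
yubikey_public_id() {
  local otp="$1"
  case "$otp" in
    *[!cbdefghijklnrtuv]*) echo "not modhex: $otp" >&2; return 1 ;;
  esac
  [ "${#otp}" -eq 44 ] || { echo "expected 44 chars, got ${#otp}" >&2; return 1; }
  printf '%.12s\n' "$otp"
}

# Add user:public-id to the authfile (format user:id1:id2...), creating it
# owner-readable only, appending to an existing user line, and skipping
# duplicates so re-running an onboarding script is harmless.
add_authfile_mapping() {
  local authfile="$1" user="$2" id tmp
  id=$(yubikey_public_id "$3") || return 1
  [ -e "$authfile" ] || ( umask 077; : > "$authfile" )
  if grep -q "^$user:" "$authfile"; then
    if grep "^$user:" "$authfile" | tr ':' '\n' | grep -qx "$id"; then
      return 0
    fi
    tmp=$(mktemp)
    sed "s/^$user:.*/&:$id/" "$authfile" > "$tmp"
    cat "$tmp" > "$authfile"   # cat, not mv, keeps the file's mode and owner
    rm -f "$tmp"
  else
    printf '%s:%s\n' "$user" "$id" >> "$authfile"
  fi
}

# /etc/pam.d/sshd line: the OTP is verified against YubiCloud and the user is
# looked up in the authfile. Place it before the password modules.
pam_sshd_line() {
  printf 'auth required pam_yubico.so id=CLIENT_ID key=API_KEY authfile=%s\n' "$1"
}

# sshd_config: require a public key AND the PAM (OTP) step. OTP alone is the
# weakest of the four methods, so use it as a second factor, not a first.
sshd_config_fragment() {
  printf '%s\n' 'UsePAM yes' \
                'KbdInteractiveAuthentication yes' \
                'AuthenticationMethods publickey,keyboard-interactive:pam'
}

# Demo on a constructed OTP (made-up key material) in a temporary authfile.
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp)
  add_authfile_mapping "$f" alice ccccccbcgujhhbjdrdkvcutienfuhltvchihgkgrdjkl
  cat "$f"; rm -f "$f"
  pam_sshd_line /etc/yubikey_mappings
  sshd_config_fragment
fi
```

On older OpenSSH releases the KbdInteractiveAuthentication keyword is spelled ChallengeResponseAuthentication; the AuthenticationMethods line is what turns the OTP into a true second factor rather than an alternative to the key.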


Article information

Author: Delena Feil