Categories
Encryption Linux OpenSSH SecureShell SSH Ubuntu

Using a YubiKey with SSH

While playing with passkeys I asked myself whether my YubiKey could also be used for SSH authentication via FIDO2. It can: OpenSSH 8.2 and newer support FIDO/U2F authenticators through the ecdsa-sk and ed25519-sk key types, where the private key never leaves the token and every signature needs a touch. (The -O verify-required option used below additionally needs OpenSSH 8.4 or newer.)

The basic setup is described in detail by Yubico. The two -O options matter: "resident" stores the key handle on the YubiKey itself, so the key can later be loaded on another machine with "ssh-add -K" instead of copying the key file; "verify-required" makes every signature ask for the YubiKey PIN in addition to the touch.

linux # ssh-keygen -t ed25519-sk -O resident -O verify-required -C "marcel@mydomain.de (Yubikey USB-C)" 
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter PIN for authenticator: 
You may need to touch your authenticator again to authorize key generation.
Enter file in which to save the key (/home/marcel/.ssh/id_ed25519_sk): /home/marcel/.ssh/id_ed25519_sk-yubikey-usb-c
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/marcel/.ssh/id_ed25519_sk-yubikey-usb-c
Your public key has been saved in /home/marcel/.ssh/id_ed25519_sk-yubikey-usb-c.pub
The key fingerprint is:
SHA256:9DyKoSEPHwOvz+tIUWN2uD3Yr1paewvOHKCSYt86Eek marcel@mydomain.de (Yubikey USB-C)
The key's randomart image is:
+[ED25519-SK 256]-+
|                 |
|     .           |
|  . B . .        |
|   O B . o       |
|  = X = S +      |
| . E * = . .     |
|+.+ = * o        |
|oo.=.B =.        |
|  .+X+*...       |
+----[SHA256]-----+

However, following that description didn't work for me. I always got a "sign_and_send_pubkey" error:

linux # ssh -l marcel -i ~/.ssh/id_ed25519_sk-yubikey-usb-c srv3.mydomain.de
sign_and_send_pubkey: signing failed for ED25519-SK "/home/marcel/.ssh/id_ed25519_sk-yubikey-usb-c" from agent: agent refused operation
marcel@srv3.mydomain.de's password: 

According to most posts, this is caused by wrong file permissions (but that was not the case for me).

So I did some more research, and I was not the only one with that problem. In a posting a gnome-keyring related bug (and a way to work around it) was mentioned. The error message says the agent behind SSH_AUTH_SOCK refused to sign with the security-key key; with IdentityAgent=None, ssh does not talk to any agent and signs with the key file directly, which is why the passphrase, PIN and touch prompts appear in the next run. So let's try again with the extra ssh option "-o IdentityAgent=None":

linux # ssh -l marcel srv3.mydomain.de -o IdentityAgent=None -i /home/marcel/.ssh/id_ed25519_sk-yubikey-usb-c
Enter passphrase for key '/home/marcel/.ssh/id_ed25519_sk-yubikey-usb-c': 
Confirm user presence for key ED25519-SK SHA256:9DyKoSEPHwOvz+tIUWN2uD3Yr1paewvOHKCSYt86Eek
Enter PIN for ED25519-SK key /home/marcel/.ssh/id_ed25519_sk-yubikey-usb-c: 
Confirm user presence for key ED25519-SK SHA256:9DyKoSEPHwOvz+tIUWN2uD3Yr1paewvOHKCSYt86Eek
User presence confirmed
Welcome to Ubuntu 24.04.3 LTS (GNU/Linux 6.8.0-85-generic x86_64)
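Two things I wanted after this: a quick check of which agent SSH_AUTH_SOCK actually points at (on Ubuntu, gnome-keyring's socket lives under $XDG_RUNTIME_DIR/keyring/, OpenSSH's ssh-agent uses /tmp/ssh-*/agent.*), and a way to make the workaround permanent for one host via ~/.ssh/config instead of retyping -o IdentityAgent=None. The script below is an added example, not part of the original post or of Yubico's documentation; the key path, host and user are the ones from this post, the socket-path heuristic is an assumption about where gnome-keyring puts its socket, and the sample public-key line is constructed (the key blob is shortened and not a real key).

```shell
#!/bin/sh
# Added example (not from the original post): check which SSH agent is in
# use and emit a per-host ssh_config stanza that bypasses it.

# Values taken from the post; adjust for your own setup.
KEY="$HOME/.ssh/id_ed25519_sk-yubikey-usb-c"
HOST="srv3.mydomain.de"
USER_NAME="marcel"

# Returns 0 if a public-key line (e.g. one line of `ssh-add -L` or a .pub
# file) is one of OpenSSH's FIDO security-key types, 1 otherwise.
is_sk_key() {
    case "$1" in
        "sk-ssh-ed25519@openssh.com "*|"sk-ecdsa-sha2-nistp256@openssh.com "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classifies an agent socket path as "gnome-keyring", "openssh" or "none".
# Assumption: gnome-keyring-daemon creates its socket at
# $XDG_RUNTIME_DIR/keyring/ssh, so a "/keyring/" path component means the
# gnome-keyring agent is in front of ssh.
agent_kind() {
    sock="$1"
    if [ -z "$sock" ]; then
        echo none
    elif [ "${sock#*/keyring/}" != "$sock" ]; then
        echo gnome-keyring
    else
        echo openssh
    fi
}

# Prints an ssh_config stanza for one host: no agent, only this key file,
# and IdentitiesOnly so ssh does not offer other keys first. Other hosts
# keep using whatever agent SSH_AUTH_SOCK points at.
config_stanza() {
    printf 'Host %s\n    User %s\n    IdentityAgent none\n    IdentityFile %s\n    IdentitiesOnly yes\n' \
        "$1" "$2" "$3"
}

# Constructed sample of what `ssh-add -L` prints for the key from the post
# (blob shortened; not a real key).
SAMPLE_PUBKEY='sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAI... marcel@mydomain.de (Yubikey USB-C)'

main() {
    echo "agent behind SSH_AUTH_SOCK: $(agent_kind "$SSH_AUTH_SOCK")"
    if is_sk_key "$SAMPLE_PUBKEY"; then
        echo "sample key is a FIDO security-key type"
    fi
    echo "suggested ~/.ssh/config entry:"
    config_stanza "$HOST" "$USER_NAME" "$KEY"
}

main
```

Append the printed stanza to ~/.ssh/config and the plain "ssh srv3.mydomain.de" behaves like the working command above: passphrase, PIN and touch are asked on every connection, because nothing caches the unlocked key. If "agent_kind" reports gnome-keyring, that is the agent that returned "agent refused operation" in my case.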

View from Yubico Authenticator app

The Yubico Authenticator app lists the resident key (under the FIDO2 passkeys section) like this:
