How to Use Yubikey with SSH
March 31, 2023
Using FIDO2 keys like Yubico for protecting SSH access is a significant step to improving the security of your infrastructure. One of the most significant advantages is that those keys are impossible to copy, so stealing them is much more challenging. Many vendors support FIDO2. I’m going to use a Yubikey from Yubico for this blog post.
Termius provides the effortless experience of setting and connecting with a FIDO2 U2F device on Windows, macOS, Linux, and iPhone. Once everything is set, the connection process is quick and smooth.
With Termius, you can integrate a FIDO2 device directly with OpenSSH without PAM involved. In such a setup, Termius converts infromation from a FIDO2 device into the OpenSSH format that could be added to ~/.ssh/authorized_keys.
Step 1. Prepare the environment
Before diving into the installation process, ensure you have completed the following steps.
- set a PIN code on your FIDO2 device.
- make sure that the OpenSSH version is higher than 8.3
- update Termius on Desktop to the latest version
Step 2. Generate a key
Key generation is a simple step that takes only a couple of clicks. The only question one should answer is whether to use either discoverable or non-discoverable keys. The only question one should answer is to use either discoverable and non-discoverable keys. Discoverable keys are entirely stored on a FIDO2 device; if the device is lost, it can be used for authentication. Non-discoverable credentials require a private key for usage. Hence, in the case of a device loss, it is impossible to authenticate with this FIDO2 key because of the missing private key.
It is recommended to use non-discoverable credentials because of the additional layer of security. Termius automatically syncs the private key among devices.
Step 3. Export to ~/.ssh/authorized_keys
Termius makes using FIDO2 keys as easy as a normal OpenSSH key. The public key is available for export in the right format for ~/.ssh/authorized_keys. The easiest way to do this is to double click on the key and select the hosts for export.
Step 4. Easy Connect
Using FIDO2 keys for protecting SSH is one the strongest forms of protecting access to remote infrastructure. FIDO2 keys protect from password theft by moving to password-less authentication. FIDO2 is a standard that is supported by many manufacturers.
As we conclude this tutorial on setting up FIDO2 hardware keys in Termius, it's clear that these keys greatly improve security and convenience for remote access. FIDO2 keys provide strong authentication and are compatible across devices, ensuring secure and seamless access.
By adopting FIDO2 keys, users can enjoy a user-friendly experience, eliminate complex passwords, and stay ahead of emerging security threats. Overall, using FIDO2 hardware keys in Termius is a smart choice for enhancing security and simplifying remote access from desktop and mobile.