Openssh Fido



Get all Latest News about ssh, Breaking headlines and Top stories, photos & video in real time. OpenSSH now supports FIDO (U2F) and FIDO2 for authentication, with FIDO2 with resident keys having a nicer UX. At a high level, the USB device (FIDO2 devices don’t have to be USB, but they usually will be) will generate a secret key. Network security and internet freedom. Everything you need to live in a cyber world.

[ jessie ] [ stretch ] [ buster ] [ buster-backports ] [ bullseye ] [ sid ]

Links for openssh-client

Debian Resources:

Download Source Package openssh:

Maintainers:

  • Debian OpenSSH Maintainers (QA Page, Mail Archive)
  • Colin Watson (QA Page)
  • Matthew Vernon (QA Page)

External Resources:

  • Homepage [www.openssh.com]

Similar packages:

secure shell (SSH) client, for secure access to remote machines

This is the portable version of OpenSSH, a free implementation ofthe Secure Shell protocol as specified by the IETF secsh workinggroup.

Ssh (Secure Shell) is a program for logging into a remote machineand for executing commands on a remote machine.It provides secure encrypted communications between two untrustedhosts over an insecure network. X11 connections and arbitrary TCP/IPports can also be forwarded over the secure channel.It can be used to provide applications with a secure communicationchannel.

This package provides the ssh, scp and sftp clients, the ssh-agentand ssh-add programs to make public key authentication more convenient,and the ssh-keygen, ssh-keyscan, ssh-copy-id and ssh-argv0 utilities.

In some countries it may be illegal to use any encryption at allwithout a special permit.

ssh replaces the insecure rsh, rcp and rlogin programs, which areobsolete for most purposes.

Tags: Implemented in: C, User Interface: Command Line, interface::shell, network::client, Network Protocol: SFTP, SSH, Role: role::program, security::authentication, Security: Cryptography, Interface Toolkit: uitoolkit::ncurses, use::login, Purpose: Transmission, Works with: Files

Other Packages Related to openssh-client

  • depends
  • recommends
  • suggests
  • enhances
  • dep:adduser (>= 3.10)
    add and remove users and groups
  • dep:dpkg (>= 1.7.0)
    Debian package management system
  • dep:libc6 (>= 2.26) [amd64, arm64, mips64el, ppc64, ppc64el, s390x, sparc64, x32]
    GNU C Library: Shared libraries
    also a virtual package provided by libc6-udeb
    dep:libc6 (>= 2.27) [riscv64]
    dep:libc6 (>= 2.28) [armel, armhf, hppa, i386, m68k, mipsel]
    dep:libc6 (>= 2.31) [sh4]
  • dep:libc6.1 (>= 2.27) [alpha]
    GNU C Library: Shared libraries
    also a virtual package provided by libc6.1-udeb
  • dep:libedit2 (>= 2.11-20080614) [alpha]
    BSD editline and history libraries
    dep:libedit2 (>= 2.11-20080614-0) [not alpha]
  • dep:libfido2-1 (>= 1.5.0)
    library for generating and verifying FIDO 2.0 objects
  • dep:libgssapi-krb5-2 (>= 1.17)
    MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
  • dep:libselinux1 (>= 3.1~)
    SELinux runtime shared libraries
  • dep:libssl1.1 (>= 1.1.1)
    Secure Sockets Layer toolkit - shared libraries
  • dep:passwd
    change and administer password and group data
  • dep:zlib1g (>= 1:1.1.4)
    compression library - runtime
  • rec:xauth
    X authentication utility
  • sug:keychain
    key manager for OpenSSH
  • sug:libpam-ssh
    Authenticate using SSH keys
  • sug:monkeysphere
    leverage the OpenPGP web of trust for SSH and TLS authentication
  • sug:ssh-askpass
    under X, asks user for a passphrase for ssh-add
    also a virtual package provided by ksshaskpass, kwalletcli, lxqt-openssh-askpass, ssh-askpass-fullscreen, ssh-askpass-gnome
OpenSSH

Download openssh-client

Download for all available architectures
ArchitecturePackage SizeInstalled SizeFiles
alpha(unofficial port)918.6 kB4,888.0 kB [list of files]
amd64907.6 kB4,298.0 kB [list of files]
arm64871.5 kB4,242.0 kB [list of files]
armel803.0 kB3,856.0 kB [list of files]
armhf822.0 kB3,168.0 kB [list of files]
hppa(unofficial port)844.0 kB4,082.0 kB [list of files]
i386968.0 kB4,780.0 kB [list of files]
m68k(unofficial port)866.3 kB3,928.0 kB [list of files]
mips64el910.7 kB4,864.0 kB [list of files]
mipsel918.3 kB4,715.0 kB [list of files]
ppc64(unofficial port)924.5 kB5,779.0 kB [list of files]
ppc64el942.0 kB5,522.0 kB [list of files]
riscv64(unofficial port)843.1 kB3,391.0 kB [list of files]
s390x853.3 kB4,402.0 kB [list of files]
sh4(unofficial port)903.7 kB3,804.0 kB [list of files]
sparc64(unofficial port)789.8 kB4,062.0 kB [list of files]
x32(unofficial port)905.8 kB4,156.0 kB [list of files]

Introduction

The following article describes how a key deployment setup with Universal 2nd Factor (U2F) OpenSSH keys can look like. U2F is a standard that was invented to simplify an authentication process while maintaining the security level. If not well designed, making an authentication process easier for the end user leads to a decreased security level. The FIDO alliance (members, among others, are Google, PayPal, Yubico and Microsoft) created the U2F standard to exactly overcome this problem. Basically, the end user has a device they own (usually some form of USB device) and another factor they know (usually a password). Most prominent example of the aforementioned USB devices are Yubikeys produced by the company Yubico.

Here is a photo of one of my Yubico Security Keys:

Securing a remote SSH login with a Yubikey is nothing new, there is a varietyofinstructionsoutthere in the Internet. The one thing nearly all instructions have in common is the complexity of the setup and complexity is the adversary of security. If you take some time and scroll through the articles you will recognize what I mean. Since I am doing something with Information Security in my daily job, I jumped the gun and tried a lot of different setups over the last years. I never found a solution that is simple, easy to set up, low on maintenance and still works after some years. Especially solutions where a person has to use a physical device as Java Smartcard and use GnuPG plus SSH to store their private SSH key on the device are very popular among admins. NOT! Believe me, I've been there.

Kalendar 2020 hrvatska. So, why another article now? OpenSSH since Version 8.2 supports FIDO/U2F hardware out-of-the-box. As a smart move, the developers included libfido2 so that USB keys can be used out of the box. libfido2 acts as a middleware here and other tokens attached via NFC or Bluetooth can also be used. However, since I don't own and use Bluetooth nor NFC devices this articles focuses on USB tokens. Further, they didn't reinvent the wheel or introduced additional complexity, they just created two new key types that work like the SSH keys you're already used to.

As of today, OpenSSH Version 8.2 is already available on the following major operating systems and I am sure I've missed a dozen :)

  • OpenBSD 6.7
  • FreeBSD 12.1 with openssh_portable from ports
  • NetBSD 9.0 with openssh from pkgsrc
  • Ubuntu 20.04
  • Fedora 32

Threat Model

Openssh fido2

I was asked for the threat model and the reason why I deploy such a setup. Basically, I am a lazy person so I don't change my personal SSH keys very often. The last big key rollover on my side was when OpenSSH introduced ed25519 keys. So, I rely on the assumption that no one stole my private keys from one of my personal devices. I personally consider the likelihood of an attacker that extracts keys from my physical devices as low (YMMV).

Openssh Fido

However, an attacker could steal my private SSH keys by exploiting a vulnerability in the software I use. If you look up the security vulnerabilities found in Chrome or Firefox this is not an unlikely scenario. To make an attacker's life harder, I rely on patching the software, using additional security mechanisms and running most prominent software under another user.

Openssh Fido

Wi fi usb for mac. Having FIDO SSH keys is another way to prevent that an attacker who stole my keys can access my servers.

Disaster Recovery Plan

I learned over the years and with certain experiments that having a proper disaster recovery plan is key in order not to lose access to my servers. Thus, my current setup looks as follows: Deezer vs spotify 2020.

  1. Two different U2F Security Keys from Yubico. Both ordered some month apart from each other to avoid having two keys from a faulty production charge.
  2. An offline backup SSH key for disaster access.

Both public SSH keys bound to the respective Yubikeys are rolled out to all servers so that I can log in no matter which key I have around. Should I lose/break one Yubikey, I can still use the other one to gain access. The offline key is stored on several, fully encrypted backup disks stored in different physical locations. There is no online or cloud backup. I haven't (yet) tried to work with printed offline keys, however, with short ed25519 keys and a proper QR code this should also work.

Generate a U2F SSH Key Pair

With Version 8.2, the OpenSSH developers created two new public key types “ecdsa-sk” and “ed25519-sk”. Both are backed by a FIDO token and can be used like any other SSH key as long as the token is attached. As before, you can still use ssh-keygen to create a key pair, the only differences is that you need to have a token attached during generation and press the device's button to confirm the generation. I also increased the number of encryption rounds by setting the “-a” flags to 250 rounds (keep in mind that this flags is hardware dependent, so 250 rounds on my system can be different from your system).

In the example, I created a ed22519-sk key since both my Yubico security keys support them. If you have older Yubikeys or an older firmware you might get an error and have to choose ecdsa-sk.

Distributing and using the Public Keys

No changes from the Status Quo, so you can still add your key to your ssh-agent and use it accordingly.

To use the key for login just copy the public key to the authorized_keys file on your remote machine. To actually use the key just use SSH as usual and confirm via pressing the device's button that you indeed want to connect. ssh will ask you either on the console or as depicted in the following picture via gra[hical interface (here ssh-askpass):

If your key is not loaded into the agent and you try to connect to a system where only FIDO keys are deployed, the error message looks like the following:

FIDO2 Resident Keys

U2f Security Key 2020

Disclaimer: In the following, I give a brief introduction about FIDO2 resident keys, however, I don't use them myself. As I said before, I am not a fan of keys stored on devices so I'll stick with keys on disk plus a hardware token. I mention resident keys here to give you an idea what's also possible.

In the setup I described in the last sections, a “key handle” part is stored in the private key file on disk and a per-device private key that is unique to each FIDO/U2F token and that cannot be exported from the device. To facilitate the use of the same key on different systems without the need to copy it around, FIDO2 resident keys can be used. Hereby, the “key handle” part can be retrieved from the device itself.

OpenSSH Website

ssh-keygen can be used with the “-O resident” option to generate such a key. It will then be stored on the device itself and typically requires that you set a PIN before generation. By using the “-K” option you can download the key from the device.

See Full List On Cryptsus.com

$Id: u2fandssh.md,v 1.2 2020/06/09 18:02:24 cvs Exp $