The OnlyKey can be used with OpenSSH to provide multifactor authentication on SSH keys.
OpenSSH v8.2
This document describes how to use the OnlyKey as a second-factor authentication device with traditional SSH keys.
The OnlyKey currently only supports ecdsa keys with OpenSSH.
Quickstart Guide
- You must have OpenSSH v8.2 or higher and the necessary prerequisites installed.
- You may now generate your SSH keys using ssh-keygen. Provide any desired optional arguments and you will be prompted to press your OnlyKey and provide an optional passphrase.
$ ssh-keygen -t ecdsa-sk
You may need to touch your authenticator to authorize key generation.
Enter file in which to save the key (/home/user/.ssh/id_ecdsa_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_ecdsa_sk
Your public key has been saved in /home/user/.ssh/id_ecdsa_sk.pub
The key fingerprint is:
SHA256:ECFmaoLZENpq0rLem8HC1F6vTwH1pjsnR6X8l/r54rQ [email protected]
The key's randomart image is:
+-[ECDSA-SK 256]--+
|o. + oo |
|o= + .... |
|= =. ... o . |
| =. ..+ o |
|+o.. . oS+ |
|=oo . . + . . |
|.o + * o . + |
|. o o o o = +.o |
| . +.... .oEo. |
+----[SHA256]-----+
- Then copy the new public key to your remote hosts.
$ ssh-copy-id -i ~/.ssh/id_ecdsa_sk [email protected]
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_ecdsa_sk.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
- Then log in to your remote host. You will be prompted to enter your passphrase (if one was set during key generation) and asked to press your OnlyKey.
$ ssh -i ~/.ssh/id_ecdsa_sk [email protected]
Enter passphrase for key 'id_ecdsa_sk':
Confirm user presence for key ECDSA-SK SHA256:ECFmaoLZENpq0rLem8HC1F6vTwH1pjsnR6X8l/r54rQ
- Success!
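A preflight for the quickstart above, as an added example that is not part of the OnlyKey documentation: it checks that an `ssh -V` banner reports OpenSSH 8.2 or higher and that a public key file carries the `sk-ecdsa-sha2-nistp256@openssh.com` type that `ssh-keygen -t ecdsa-sk` writes. The function names and the script name `preflight.sh` are hypothetical, and the sample banner and key line are constructed.

```shell
#!/bin/sh
# Added example, not from the OnlyKey docs. Function names are hypothetical.

# Succeeds if an `ssh -V` banner reports OpenSSH 8.2 or newer (2 = unparseable).
openssh_supports_sk() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; }
}

# Prints the key type: the first field of a .pub file written by ssh-keygen.
pubkey_type() {
    awk 'NF && $1 !~ /^#/ { print $1; exit }' "$1"
}

# Succeeds only for the hardware-backed ECDSA key type.
is_ecdsa_sk_pubkey() {
    [ "$(pubkey_type "$1")" = "sk-ecdsa-sha2-nistp256@openssh.com" ]
}

# preflight BANNER PUBKEY_FILE: one line per check, status 0 only if both pass.
preflight() {
    rc=0
    if openssh_supports_sk "$1"; then
        echo "ok: OpenSSH client supports -sk keys"
    else
        echo "FAIL: need OpenSSH 8.2 or higher, got: $1"; rc=1
    fi
    if is_ecdsa_sk_pubkey "$2"; then
        echo "ok: $2 is an ecdsa-sk public key"
    else
        echo "FAIL: $2 has type '$(pubkey_type "$2")', expected ecdsa-sk"; rc=1
    fi
    return "$rc"
}

# Real use: sh preflight.sh "$(ssh -V 2>&1)" ~/.ssh/id_ecdsa_sk.pub
# With no arguments, run on constructed sample input (not a real key).
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
else
    sample=$(mktemp)
    echo 'sk-ecdsa-sha2-nistp256@openssh.com AAAAconstructed user@example' > "$sample"
    preflight "OpenSSH_8.2p1 (constructed banner)" "$sample"
    rm -f "$sample"
fi
```

A key file that reports plain `ecdsa-sha2-nistp256` was generated without the `-sk` suffix and is not bound to the OnlyKey.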
Prerequisites
Void Linux
$ xbps-install -S openssh openssh-sk-helper
Arch Linux
$ pacman -S openssh libfido2
Ubuntu (20.10 Groovy Gorilla) & Debian (bullseye)
$ apt install openssh-client