The #1 security key, offering strong two-factor authentication from industry leader Yubico.
sudo add-apt-repository ppa:yubico/stable && sudo apt-get update
sudo apt-get install libu2f-udev libpam-u2f
mkdir -p ~/.config/yubico
pamu2fcfg > ~/.config/yubico/u2f_keys
pamu2fcfg -n >> ~/.config/yubico/u2f_keys
To prompt the user to touch the key, append the 'cue' option to the end of the 'auth required' line in /etc/pam.d/sudo.
sudo nano /etc/pam.d/sudo
auth required pam_u2f.so authfile=/home/<user>/.config/yubico/u2f_keys
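Before depending on the PAM line above, it helps to confirm that ~/.config/yubico/u2f_keys is well formed: the backup key added with "pamu2fcfg -n >>" only counts if it lands on the same line as the username. The following check is an added example, not part of the original page or of pam-u2f; the function name check_u2f_authfile is hypothetical, the sample entry is constructed, and the line format is assumed to be pam-u2f's user:handle,pubkey[,type,options][:handle,pubkey...].

```shell
#!/bin/sh
# Added example: sanity-check a pam_u2f authfile before relying on it in PAM.
# Assumed line format: user:handle,pubkey[,type,options][:handle,pubkey...]
check_u2f_authfile() {
    file=$1
    rc=0
    if [ ! -f "$file" ]; then
        echo "PROBLEM: $file does not exist"
        return 1
    fi
    # Whoever can write this file can enroll a key of their own for the user.
    if [ -n "$(find "$file" \( -perm -020 -o -perm -002 \))" ]; then
        echo "PROBLEM: $file is group- or world-writable"
        rc=1
    fi
    awk -F: '
        /^[ \t]*$/ { next }                      # ignore blank lines
        $1 == "" {                               # ":handle,pubkey" alone on a line
            printf "PROBLEM: line %d has no username\n", NR
            bad = 1
            next
        }
        {
            keys = 0
            for (i = 2; i <= NF; i++) {
                n = split($i, part, ",")
                if (n >= 2 && part[1] != "" && part[2] != "") keys++
                else { printf "PROBLEM: line %d, entry %d is malformed\n", NR, i - 1; bad = 1 }
            }
            if (keys == 0) { printf "PROBLEM: line %d has no usable key\n", NR; bad = 1 }
            printf "%s keys=%d\n", $1, keys      # one summary line per user
        }
        END { exit bad + 0 }
    ' "$file" || rc=1
    return "$rc"
}

# Constructed sample (not real credentials): primary and backup key on one line.
demo=$(mktemp)
printf 'johndo:aGFuZGxlMQ,a2V5MQ,es256,+presence:aGFuZGxlMg,a2V5Mg,es256,+presence\n' > "$demo"
check_u2f_authfile "$demo"      # prints: johndo keys=2
rm -f "$demo"
```

Run it against the real file with check_u2f_authfile ~/.config/yubico/u2f_keys while a root shell is still open, so a bad authfile can be fixed before the next sudo prompt.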
$ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/johndo/.ssh/id_ecdsa_sk
Your public key has been saved in /home/johndo/.ssh/id_ecdsa_sk.pub
The key fingerprint is:
SHA256:f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2 johndo@example
The key's randomart image is:
+-[ECDSA-SK 256]--+
| |
| o . . |
|oA. + o |
|.. . x O + |
|a . R * . |
|- . . . P o |
|.. o . % + . |
| . .!!! o . |
| .---X#o |
+----[SHA256]-----+
Upload the new public key to the target SSH server.
ssh-copy-id -f -i <filename>.pub <user>@<target>
Test logging in with the key.
$ ssh johndo@example -i id_ecdsa_sk
Enter passphrase for key '/home/johndo/id_ecdsa_sk':
Confirm user presence for key ECDSA-SK SHA256:f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2
Last login: Wed May 12 08:29:50 2021 from 10.10.20.107
johndo@example:~$