FIDO2-Based SSH Keys (ed25519-sk and ecdsa-sk) FIDO2-Based SSH Keys (ed25519-sk and ecdsa-sk)

FIDO2-Based SSH Keys (ed25519-sk and ecdsa-sk)

Eugene Oskin Eugene Oskin

Starting with 7.41.2, the desktop Termius app allows authenticating using ed25519-sk and ecdsa-sk SSH keys, that is using FIDO2 hardware authenticators such as YubiKey, Solo, or OnlyKey.

fido2-discoverable-connections.gif

With this type of authentication, SSH keys are generated by a hardware device. When connecting using such a hardware-generated key, you'll be asked to touch the device and / or provide PIN. Some authenticators allow you to store a copy of the key on the authenticator itself.

Any FIDO2 keys that are stored locally need be imported to Termius for you to be able to use them and then attached to hosts. A key stored on the authenticator can be imported if desired. You may want to import it to avoid selecting the key during a connection or for security reasons.

Starting with 7.44.0, Termius allows generating FIDO2 keys.

Termius supports the FIDO U2F (CTAP 1) and FIDO 2.0 (CTAP 2) protocols.

Support for FIDO2 keys has been tested on a limited number of devices, so, if you're facing connection issues, please, send us an email including the name of your authenticator.

Important: This type of authentication requires OpenSSH 8.2 or higher to be installed on the server.

Note: You can find more info about FIDO2-based authentication here. (See 'FIDO2 resident keys'.)

Note: FIDO2-based authentication is not available in the Hobby (free) plan.

Requirements

Make sure you grant Termius access to USB, when / if the OS asks that you do so.

Linux requires adding a udev rule for you to be able to access FIDO devices, similar to this one:

#udev rule for allowing HID access to Yubico devices for FIDO support.
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", \
  MODE="0664", GROUP="plugdev", ATTRS{idVendor}=="1050"

On Windows, to be able to import a key stored on an authenticator or connect using one you must be running Termius as administrator. It may also be necessary to install authenticator device drivers. Please, search for the drivers on the vendor's website, e.g. Yubikey smart card driver.

Import a FIDO2 key

FIDO2 keys stored locally can be imported in the same way other keys are imported.

To import a FIDO2 key from an authenticator:

  1. Plug in your authenticator device.
  2. In Preferences, choose Keychain.
  3. Click + New hardware key, then Import FIDO2 key.
  4. Select a FIDO2 authenticator from the list.
  5. Enter the PIN code.
  6. (Optionally) in the Set a label... field, provide a name for the key.
  7. Select the key(s) you'd like to import.
  8. Click Continue.

To use an imported FIDO2 key, you'll need to link it with your Termius host in its properties.

Generate a FIDO2 key

When generating a key, you'll be asked if you want to upload the key to the authenticator. If you choose to do so, two copies of the key will be created: one will be stored on the device, and the second will be saved in Termius.

Note: YubiKey with firmware below 5.2.3 are not compatible with ed25519-sk keys.

To generate a FIDO2 key in Termius:

  1. Plug in the authenticator.
  2. In Preferences, choose Keychain, then + New hardware key and Generate FIDO2 key.
  3. (Optionally) in the Set a label... field, provide a name for the key.
  4. Select the type of key you want to generate: ecdsa-sk or ed25519-sk.
  5. To disable presence verification (via touch), uncheck Require user presence. It is possible to disable presence verification only for locally stored keys.
  6. To enable PIN verification, check Require PIN code.
  7. To place the key on your device, check Store on device.

    Note: This option can be unavailable if you haven't set a PIN code on your FIDO2 device. To learn more about pin codes and YubiKey, please, take a look at this article.

  8. If you're using the 'Store on device' option, provide a user id. It will appear next to the key in the list of keys that will be displayed, when you are connecting to a server.

    Important: It is not possible to store two keys with the same user id and of the same key type on one device. Any previously created duplicate will be rewritten.

  9. Specify the other parameters and click Generate.
    fido2-keygen-store-on-device-1.gif

Connect using a FIDO2 key

If you've imported your FIDO2 key, attach the key to the host you want to connect to. During the connection, you may be asked to touch the device and provide PIN, depending on the parameters of the key.

Connecting using a key stored on the authenticator is possible only if no other methods except public key authentication is allowed on the server. If you're going to connect using a key stored on your authenticator, make sure no key is attached to the host (entry) in question and then connect.

fido2-discoverable-connections.gif

Add comment

Please sign in to leave a comment.