FIDO2-based SSH keys (ed25519-sk and ecdsa-sk)

eugene from Termius

Starting with version 7.41.2, the desktop Termius app can authenticate using FIDO2-based SSH keys, i.e. ed25519-sk and ecdsa-sk. Both non-discoverable and discoverable (aka resident) keys are supported.

FIDO2-based authentication is hardware-backed public key authentication: the key pair is generated by a hardware authenticator, such as a YubiKey, Solo, or OnlyKey, and the private key never leaves the device. When connecting with such a key, you'll be asked to touch the device and / or enter its PIN. Discoverable keys, unlike non-discoverable keys, are stored on the authenticator itself, so they can be used from any machine the authenticator is plugged into; you will also have a local copy of the key file on the machine where the key was generated.


It is not yet possible to generate a FIDO2 key in Termius, so if you don't already have one, you will need to generate it with another tool, e.g. ssh-keygen.

If you're going to use a non-discoverable key, you'll need to import it to Termius.

Important: This type of authentication requires OpenSSH 8.2 or higher to be installed on the server.

Note: Currently, FIDO2 authentication is supported only by the desktop Termius app.

Generate a FIDO2 key

This section provides instructions for generating a FIDO2 key with ssh-keygen.

Before generating a FIDO2 key with ssh-keygen, make sure your local system is running OpenSSH 8.2 or higher: 8.2 is required for generating non-discoverable keys, while 8.3 is required for generating discoverable ones.

Note: YubiKeys with firmware below 5.2.3 do not support ed25519-sk keys; use ecdsa-sk on such devices.

Plug the authenticator into a USB port and run the command below, which generates a basic non-discoverable ed25519-sk key (you will be asked to touch the device):

$ ssh-keygen -t ed25519-sk -f ./new-ed25519-sk-key

The command can be adjusted in several ways using the '-O' option:

  • To generate an ecdsa-sk key, replace ed25519-sk with ecdsa-sk.
  • To generate a discoverable key, add -O resident.
  • To skip the user-presence (touch) check, use -O no-touch-required and prefix the line in the public key file that ssh-keygen creates with no-touch-required. The server refuses signatures made without a touch unless the corresponding authorized_keys entry carries that option, so the prefix has to end up there. This setting applies to non-discoverable keys and local copies of discoverable keys.
  • To require PIN verification on every use, add -O verify-required. This option needs OpenSSH 8.4 or higher on both the client and the server.
  • To complement a discoverable key with a username, add -O user=[user-id], e.g. -O user=leah. It will be displayed next to the key in the list of keys that may be shown to you when you are connecting to a server, and may help you choose the right key.
  • To complement a discoverable key with an application name, e.g. Termius, add -O application=ssh:termius. The application string must start with ssh:; the default is simply ssh:.

Important: The authenticator must be plugged in whenever you connect using a FIDO2 key, including when you connect with a local copy of a discoverable key. The key file alone cannot produce a signature.

To learn more about the available options, check the ssh-keygen documentation.

When you execute the command, ssh-keygen creates two files. One is the public key file. The other looks like a private key file, but for FIDO2 keys it only holds a key handle that is useless without the authenticator: for a non-discoverable key it is the only place the handle exists, while for a discoverable key it is a local copy of the handle that is also stored on the authenticator. You may need that copy later, when connecting using your discoverable key.
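To see what the options above actually change in the files ssh-keygen writes, the following added example (not part of Termius or OpenSSH) decodes the public-key line of an -sk key and builds the matching authorized_keys entry for the no-touch-required and verify-required options. It uses OpenSSH's documented blob layout for sk-ssh-ed25519@openssh.com and sk-ecdsa-sha2-nistp256@openssh.com keys (key type, optional curve name, key material, application string). The key material in the samples is constructed placeholder bytes, not real keys, so the script runs offline without an authenticator.

```python
"""Inspect FIDO2 ("-sk") OpenSSH public keys and build authorized_keys lines.

Added example, not Termius or OpenSSH code. Sample key material is constructed.
"""
import base64
import struct

# Key type names OpenSSH uses for FIDO2-backed keys.
SK_ED25519 = "sk-ssh-ed25519@openssh.com"
SK_ECDSA = "sk-ecdsa-sha2-nistp256@openssh.com"


def ssh_string(data):
    """Encode an SSH 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_strings(blob):
    """Split a key blob into its sequence of SSH 'string' fields, checking bounds."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated string field")
        fields.append(blob[off:off + n])
        off += n
    return fields


def build_sk_pubkey_line(key_type, key_material, application, comment=""):
    """Assemble a public-key line in the shape ssh-keygen writes for an -sk key."""
    if key_type == SK_ED25519:
        blob = ssh_string(key_type.encode()) + ssh_string(key_material)
    elif key_type == SK_ECDSA:
        blob = (ssh_string(key_type.encode()) + ssh_string(b"nistp256")
                + ssh_string(key_material))
    else:
        raise ValueError(f"not a FIDO2 key type: {key_type}")
    blob += ssh_string(application.encode())  # application string is the last field
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def parse_sk_pubkey(line):
    """Return (key_type, application, key_material) for a FIDO2 public-key line.

    Rejects non-FIDO2 key types and application strings that do not start with
    'ssh:', which ssh-keygen enforces for -O application=.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type, b64 = parts[0], parts[1]
    fields = read_ssh_strings(base64.b64decode(b64, validate=True))
    if not fields or fields[0] != key_type.encode():
        raise ValueError("blob key type does not match line prefix")
    if key_type == SK_ED25519:
        if len(fields) != 3:
            raise ValueError("unexpected field count for ed25519-sk key")
        material, application = fields[1], fields[2]
    elif key_type == SK_ECDSA:
        if len(fields) != 4 or fields[1] != b"nistp256":
            raise ValueError("unexpected fields for ecdsa-sk key")
        material, application = fields[2], fields[3]
    else:
        raise ValueError(f"not a FIDO2 key type: {key_type}")
    app = application.decode()
    if not app.startswith("ssh:"):
        raise ValueError(f"application {app!r} must start with 'ssh:'")
    return key_type, app, material


def authorized_keys_line(pubkey_line, no_touch_required=False, verify_required=False):
    """Build the server-side authorized_keys entry for an -sk public key.

    A key generated with -O no-touch-required only works if the entry carries the
    no-touch-required option (sshd refuses untouched signatures otherwise);
    verify-required makes sshd insist on a PIN-verified signature.
    """
    parse_sk_pubkey(pubkey_line)  # validate the line before emitting it
    options = []
    if no_touch_required:
        options.append("no-touch-required")
    if verify_required:
        options.append("verify-required")
    return (",".join(options) + " " + pubkey_line) if options else pubkey_line


# Constructed samples: placeholder key material, not real keys.
SAMPLE_ED25519_LINE = build_sk_pubkey_line(
    SK_ED25519, bytes(range(32)), "ssh:termius", "leah@laptop")
SAMPLE_ECDSA_LINE = build_sk_pubkey_line(
    SK_ECDSA, b"\x04" + bytes(64), "ssh:", "leah@laptop")

if __name__ == "__main__":
    for line in (SAMPLE_ED25519_LINE, SAMPLE_ECDSA_LINE):
        key_type, app, material = parse_sk_pubkey(line)
        print(f"{key_type}: application={app} material={len(material)} bytes")
    print(authorized_keys_line(SAMPLE_ED25519_LINE, no_touch_required=True))
```

The application string is visible to anyone who reads the public key, so it is a label for choosing the right credential on the authenticator, not a secret. The options on the authorized_keys line are what the server enforces; the -O flags at generation time only decide what the client asks the authenticator to do.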

Import a FIDO2 key to Termius

A FIDO2 key can be imported in the same way other keys are imported.

See the Import a key how-to article for more info.

Connect using a non-discoverable key

To connect using a non-discoverable key, attach it to the host entry, just as you would with any other type of key.

When you connect, you'll be asked to confirm your presence by touching the device, unless you generated the key with no-touch-required. You may also be asked to enter the PIN, depending on the parameters of the key.

Connect using a discoverable key

If your FIDO2 key is a discoverable key and the server accepts only public key authentication, Termius will ask you to select the key upon connection. You can avoid this prompt by attaching the copy of the key file that ssh-keygen created to the host entry you'd like to connect to.

fido2-discoverable-connections.gif

You'll be asked to touch the device and enter the PIN if you're connecting using a key selected from the device. If you're using a local copy of the key, the PIN or touch verification may not be necessary, depending on the parameters of your key.