Using FIDO2 for SSH authentication

Eugene Oskin

The desktop Termius app (version 7.41.2 and later) and the iOS Termius app (version 4.13.9 and later) allow authenticating with ed25519-sk and ecdsa-sk SSH keys, that is, with FIDO2 hardware authenticators such as YubiKey, Solo, or OnlyKey.

With this type of authentication, SSH keys are generated by a hardware device. When connecting using such a hardware-generated key, you'll be asked to touch the device and/or provide a PIN. Some authenticators allow you to store a copy of the key on the authenticator itself.

Any FIDO2 keys that are stored locally need to be imported into Termius and then attached to hosts before you can use them. A key stored on the authenticator can be imported if desired. You may want to import it to avoid selecting the key during a connection or for security reasons.

Starting with 7.44.0, Desktop Termius allows generating FIDO2 keys.

Termius supports only the FIDO 2.0 (CTAP 2) protocol.

Support for FIDO2 keys has been tested on a limited number of devices, so if you're facing connection issues, please send us an email that includes the name of your authenticator.

Important: This type of authentication requires OpenSSH 8.2 or higher to be installed on the server.

Note: You can find more info about FIDO2-based authentication here. (See 'FIDO2 resident keys'.)

Note: FIDO2-based authentication is not available in the Starter (free) plan.

Requirements

Make sure you grant Termius access to USB when the OS asks you to do so.

Linux requires adding a udev rule for you to be able to access FIDO devices, similar to this one:

#udev rule for allowing HID access to Yubico devices for FIDO support.
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", \
  MODE="0664", GROUP="plugdev", ATTRS{idVendor}=="1050"

On Windows, you must run Termius as administrator to import a key stored on an authenticator or to connect using one. It may also be necessary to install authenticator device drivers. Please search for the drivers on the vendor's website, e.g. the YubiKey smart card driver.

On an iPhone with NFC, you need a FIDO2 device with NFC, or a YubiKey 5Ci to use Lightning.

On an iPad with NFC, you need a FIDO2 device with NFC. USB-C is not supported at the moment.

Import a FIDO2 key

FIDO2 keys stored locally can be imported in the same way other keys are imported.

To import a FIDO2 key from an authenticator:

  1. Plug in your authenticator device.
  2. In Preferences, choose Keychain.
  3. Click + New hardware key, then Import FIDO2 key.
  4. Select a FIDO2 authenticator from the list.
  5. Enter the PIN code.
  6. (Optionally) in the Set a label... field, provide a name for the key.
  7. Select the key(s) you'd like to import.
  8. Click Continue.

To use an imported FIDO2 key, you'll need to link it with your Termius host in its properties.

Generate a FIDO2 key

When generating a key, you'll be asked if you want to upload the key to the authenticator. If you choose to do so, two copies of the key will be created: one will be stored on the device, and the second will be saved in Termius.

Note: YubiKeys with firmware below 5.2.3 are not compatible with ed25519-sk keys.

To generate a FIDO2 key in Termius:

  1. Plug in the authenticator.
  2. In Preferences, choose Keychain, then + New hardware key and Generate FIDO2 key.
  3. (Optionally) in the Set a label... field, provide a name for the key.
  4. Select the type of key you want to generate: ecdsa-sk or ed25519-sk.
  5. To disable presence verification (via touch), uncheck Require user presence. It is possible to disable presence verification only for locally stored keys.
  6. To enable PIN verification, check Require PIN code.
  7. To place the key on your device, check Store on device.

    Note: This option may be unavailable if you haven't set a PIN code on your FIDO2 device. To learn more about PIN codes and YubiKey, please take a look at this article.

  8. If you're using the 'Store on device' option, provide a user id. It will appear next to the key in the list of keys displayed when you connect to a server.

    Important: It is not possible to store two keys with the same user id and of the same key type on one device. Any previously created duplicate will be overwritten.

  9. Specify the other parameters and click Generate.

Connect using a FIDO2 key on Desktop and Mobile

If you've imported your FIDO2 key, attach the key to the host you want to connect to. During the connection, you may be asked to touch the device and provide a PIN, depending on the parameters of the key.

Connecting using a key stored on the authenticator is possible only if no method other than public key authentication is allowed on the server. If you're going to connect using a key stored on your authenticator, make sure no key is attached to the host (entry) in question and then connect.
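The two server-side conditions in this article (OpenSSH 8.2 or higher, and no login method other than public key) can be checked from the server's effective configuration. The script below is an added example, not Termius code: the function names are hypothetical, the sample input is constructed, and the check that an ed25519-sk or ecdsa-sk algorithm is accepted goes beyond what the article states.

```shell
# Added example, not Termius code. Inputs: a version banner as printed by
# `ssh -V`, and the effective server configuration as printed by `sshd -T`.

# Succeeds when the banner reports OpenSSH 8.2 or newer.
version_ok() {
  v=$(printf '%s\n' "$1" |
      sed -n 's/^OpenSSH_[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
  [ -n "$v" ] || return 1
  set -- $v
  [ "$1" -gt 8 ] || { [ "$1" -eq 8 ] && [ "$2" -ge 2 ]; }
}

# Prints the value of one (lowercase) keyword from `sshd -T` text.
cfg_get() {
  printf '%s\n' "$2" | awk -v k="$1" '$1 == k { sub(/^[^ ]+ */, ""); print; exit }'
}

# Prints one FAIL line per unmet condition; returns 0 only if none was printed.
audit_sshd() {
  rc=0
  if ! version_ok "$1"; then echo "FAIL: OpenSSH 8.2 or higher required"; rc=1; fi
  if [ "$(cfg_get pubkeyauthentication "$2")" != yes ]; then
    echo "FAIL: pubkeyauthentication is not enabled"; rc=1
  fi
  # Unless AuthenticationMethods pins logins to publickey, no other method may be on.
  if [ "$(cfg_get authenticationmethods "$2")" != publickey ]; then
    for k in passwordauthentication kbdinteractiveauthentication \
             challengeresponseauthentication gssapiauthentication hostbasedauthentication; do
      if [ "$(cfg_get "$k" "$2")" = yes ]; then echo "FAIL: $k is enabled"; rc=1; fi
    done
  fi
  # Keyword is pubkeyacceptedalgorithms on newer servers, pubkeyacceptedkeytypes on older.
  algs=$(cfg_get pubkeyacceptedalgorithms "$2")
  [ -n "$algs" ] || algs=$(cfg_get pubkeyacceptedkeytypes "$2")
  case ",$algs," in
    *,sk-ssh-ed25519@openssh.com,* | *,sk-ecdsa-sha2-nistp256@openssh.com,*) ;;
    *) echo "FAIL: no ed25519-sk / ecdsa-sk algorithm accepted"; rc=1 ;;
  esac
  return "$rc"
}

# Constructed sample input (not captured from a real server).
SAMPLE_VERSION='OpenSSH_8.9p1 Ubuntu-3ubuntu0.1, OpenSSL 3.0.2 15 Mar 2022'
SAMPLE_CFG='pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
authenticationmethods any
pubkeyacceptedalgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512'
audit_sshd "$SAMPLE_VERSION" "$SAMPLE_CFG" || true
```

On a real server, run it as root with `audit_sshd "$(ssh -V 2>&1)" "$(sshd -T)"`; this assumes the `ssh` client and `sshd` come from the same OpenSSH package, so the client banner reflects the server version.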


To confirm user presence, please bring your NFC key to your iOS device or insert and touch your YubiKey 5Ci.

FIDO2-based keys are not yet supported on Android. Please vote for this feature to subscribe to updates.

Comments

2 comments

  • Jimmy2500

    Is it possible to specify a different FIDO key for a remote host based on the Termius device being used? E.g. Different Yubikey for Termius on Mac, and Termius on Windows?

    Right now the only way to achieve this is to create multiple host entries (for the same remote host) for each Termius device, specifying a different identity for each.

  • Anonymous

    When will it be available to Android users? There's already support for resident keys in Android.
