How to use YubiKeys with SSH keys in 2-step verification?












I can set up an SSH keypair without FIDO U2F as described in the thread "SSH-agent working over many servers without retyping? Some flag?".
Two-step verification would be very good: a password for the private key and FIDO U2F verification too.
I am not sure if we need a FIDO/YubiKey server here too, as instructed in the thread "Yubico Linux Login".
My motivation is that I so often forget my passwords, which are very long if used in 1-step verification.
1-step verification is also weak in itself, however long and difficult the password is.
Therefore, I would like to have 2-step verification on my Debian with keys, because I think keys can improve security a lot.



Ticket sent to YubiKey team 22nd Feb 2017



Dear Sir/Madam, 

We are thinking about how to get 2-step verification with your key and keys in the following thread. Improvements are needed in the FIDO U2F and OpenSSH parts. I am thinking about how we can push the thing forward with you. Please say what we can do, because the feature request is rather blocked at the moment.

Ticket in OpenSSH part: https://bugzilla.mindrot.org/show_bug.cgi?id=2319
Thread about the feature request: http://unix.stackexchange.com/q/346771/16920

Best regards,
Leo


OS: Debian 8.7

Hardware: Asus Zenbook UX303UB

Tickets: #2319 (Jakuje)

Fido U2F key: YubiKey 4










      ssh security yubikey fido-u2f 2-factor-authentication






edited May 23 '17 at 12:40 by Community
asked Feb 22 '17 at 9:53 by Léo Léopold Hertz 준영
          3 Answers
You cannot use U2F with SSH. There was an attempt to implement it two years ago, when U2F was something new and fancy, but since then I have hardly heard about it and there has been no progress on it.

If you really want it, you can patch your OpenSSH with the patch attached to this upstream bug, but note that it might have some problems, even though it was reviewed by various people.

answered Feb 22 '17 at 11:11 by Jakuje








• I would really increase the priority of the enhancement from P5 to P4 or P3, or even higher, because the feature is very essential for security. I am following the ticket. I hope it will be completed soon. - - Do you understand what is limiting its progress? Any technical issues?
  – Léo Léopold Hertz 준영, Feb 22 '17 at 11:24

• There are different ways to increase security which are standard and implemented in OpenSSH. For U2F there is nobody from U2F driving it, nor from the OpenSSH team, therefore it is somehow blocked. What is blocking it is mostly the specification (it is not in the SSH RFCs and there is no reasonable update).
  – Jakuje, Feb 22 '17 at 11:28

• Can you please propose somebody in the U2F team whom I should contact to drive the issue forward? - - So it seems that SSH also has to be updated for the feature. Who can we contact in the OpenSSH team?
  – Léo Léopold Hertz 준영, Feb 22 '17 at 11:29

• I don't know anyone from U2F to drive that. The OpenSSH team stated their concerns in the comments.
  – Jakuje, Feb 22 '17 at 11:31

• I sent a feature request to the YubiKey team. I attached it in the body. - - Please state those comments of the OpenSSH team here explicitly and briefly.
  – Léo Léopold Hertz 준영, Feb 22 '17 at 11:38














A similar development project about this case: supporting YubiKey DB unlock for KeePassX with YubiKeys.
I think that project should be completed first, before thinking about support for SSH, because it should be easier for an independent application and there is a lot of workforce there.

answered Apr 14 '17 at 6:06 by Léo Léopold Hertz 준영 (community wiki)
























Method using pam_ssh + pam_yubico:
http://www.ultrabug.fr/hardening-ssh-authentication-using-yubikey-12/

Alternatively: I am not sure if it is what you need, but Teleport supports U2F. It is open source.

answered 14 mins ago by qewghbjhb, edited 4 mins ago
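An added example, not code from the page, from the linked article or from OpenSSH: once pam_yubico supplies the second step, the setting that actually makes both steps mandatory is AuthenticationMethods in sshd_config, and sshd uses the first value it sees for each keyword, so a stray earlier line silently wins over a later hardening line. The POSIX sh script below audits a config text for that: it looks for an AuthenticationMethods line in which every alternative requires publickey plus a second method and, where that second method is keyboard-interactive, checks that UsePAM and challenge-response authentication are enabled so sshd will actually offer it. Both configs are constructed samples; the PAM stack in /etc/pam.d/sshd that calls pam_yubico is assumed to exist and is not shown. OpenSSH 8.2 and later can also use a FIDO key directly as an ed25519-sk key pair, which did not exist when this question was asked; the PAM route audited here works with older servers such as the Debian 8 sshd in the question.

```shell
#!/bin/sh
# Added example: audit an sshd_config text for two-step login (public key
# AND a second method such as keyboard-interactive via pam_yubico).
# Both configs below are constructed samples, not from a real host.

WEAK_CFG='# key OR password alone is enough to log in
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no'

STRONG_CFG='PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
# every alternative needs publickey plus a PAM challenge (pam_yubico)
AuthenticationMethods publickey,keyboard-interactive:pam'

# sshd_config_get CONFIG_TEXT KEYWORD
# Prints the value sshd would use. Per sshd_config(5) keywords are
# case-insensitive and the FIRST value found wins, so stop at the first hit.
sshd_config_get() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        tolower($1) == key {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")
            sub(/[ \t]+$/, "")
            print
            exit
        }'
}

# enforces_two_steps CONFIG_TEXT
# Returns 0 only when AuthenticationMethods is set and every space-separated
# alternative is a comma list of at least two methods that includes publickey.
# If the second step is keyboard-interactive, sshd only offers it with
# UsePAM yes and challenge-response enabled (default yes when unset).
enforces_two_steps() {
    methods=$(sshd_config_get "$1" AuthenticationMethods)
    [ -n "$methods" ] || return 1
    for alt in $methods; do
        n=$(printf '%s\n' "$alt" | awk -F, '{ print NF }')
        [ "$n" -ge 2 ] || return 1
        case ",$alt," in
            *,publickey,*) ;;
            *) return 1 ;;
        esac
        case ",$alt," in
            *,keyboard-interactive*)
                [ "$(sshd_config_get "$1" UsePAM)" = yes ] || return 1
                kbd=$(sshd_config_get "$1" KbdInteractiveAuthentication)
                [ -n "$kbd" ] || kbd=$(sshd_config_get "$1" ChallengeResponseAuthentication)
                [ "${kbd:-yes}" = yes ] || return 1
                ;;
        esac
    done
    return 0
}

# audit CONFIG_TEXT: human-readable verdict, exit status usable in scripts
audit() {
    if enforces_two_steps "$1"; then
        echo "OK: public key plus a second method is required for every login"
    else
        echo "WEAK: a single method (key or password) is enough to log in"
        return 1
    fi
}

audit "$WEAK_CFG" || true
audit "$STRONG_CFG"
```

Run it with sh; audit returns 1 for the weak sample and 0 for the strong one, so the same function can gate a configuration check before sshd is restarted. The first-value-wins rule is the part people get wrong: an AuthenticationMethods line appended at the end of a file that already has one earlier is ignored by sshd, and this check reports exactly what sshd will enforce.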
