SSH authentication with a FIDO2 card

How to use a FIDO2 card for authentication to an SSH server

Before you start:

  • You have a FIDO2 card connected to your desktop
  • Your SSH client and server are updated to support FIDO2 (OpenSSH 8.2 or later).
  • You have administrative access to your SSH server.

Linux and macOS Setup

1. Generate a FIDO2 SSH key

  • Connect your FIDO2 device.

     

  • Open a terminal and use the following command to generate an SSH key:
    ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
  • Follow the prompts, and when asked, touch your FIDO2 device to confirm the key generation.

2. Copy the public key to your SSH server:

  • Use ssh-copy-id to copy the new public key to your server:
    ssh-copy-id -i ~/.ssh/id_ecdsa_sk.pub your_username@your_server
  • If ssh-copy-id is not available, manually append your public key to ~/.ssh/authorized_keys on the server.

3. Connect using your FIDO2 device:

  • Simply connect to your server using SSH:
    ssh your_username@your_server

  • You might be prompted to touch your FIDO2 device to authenticate.

Windows Setup

Setting up SSH with a FIDO2 device on Windows using Windows Subsystem for Linux (WSL) or native Windows with OpenSSH:

1. Enable OpenSSH Client:

  • Ensure the OpenSSH Client is installed and enabled via the “Apps & features” settings (optional if using WSL).

2. Generate a FIDO2 SSH key (using WSL or PowerShell):

  • Open WSL or PowerShell as administrator.
  • Run the same command as for Linux:
    ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk

  • Touch your FIDO2 device as prompted to generate the key.

3. Copy the public key to the server:

  • If using WSL, you can use ssh-copy-id as in Linux.

  • From PowerShell, manually copy your public key text to ~/.ssh/authorized_keys on the server or use any SCP too

4. Connect using your FIDO2 device:

  • Open your SSH client (WSL, PowerShell, or PuTTY with FIDO2 support):
    ssh your_username@your_server

  • Authenticate by touching your FIDO2 device when prompted.

Tips

  • Ensure your server’s SSH configuration (/etc/ssh/sshd_config) permits public key authentication and is updated to the latest version supporting FIDO2.
  • For servers not supporting FIDO2, consider using third-party tools or updating the SSH server.
  • Test your setup with a fallback authentication method in case the FIDO2 setup encounters issues.

This guide gives you a general approach to using SSH with a FIDO2 device across different operating systems. Depending on specific setups or device brands, additional steps might be needed.