- Author
- Leo Vandewoestijne
- Publication date
- Feb 22, 2024
- Updated
- Feb 22, 2024
Tips to improve SSH authentication
Authentication factors
3 common authentication factor categories
The more factors you use, the harder it becomes to access something, which also holds for yourself.
With security keys, however, this doesn't have to cost user-friendliness; in fact the name passkey
is in some cases very accurate naming.
Sometimes it is even too easy (when the other factors are then suddenly disregarded).
This article will, however, focus on improving SSH security.
Note: biometrics should be regarded as a complex username, not as a password.
Mind: resetting them is impossible, and keeping them from leaking is even less possible.
KNOW
- PIN code
- password
- passphrase
HAVE
- specific IP address
- specific hostname
- token by email or SMS
- certificate file
- chip card
- NFC pass
- security key
BE
- fingerprint
- face recognition
- iris scan
- hand scan (finger lengths)
Common SSH authentication

Server | | Client |
---|---|---|
| ← initiate connection | |
| provide challenge → | |
| ← respond to the challenge, signed with the secret key (optional: may require the key file's passphrase) | |
verify the response using the public key ... | | |
| when it matches, permit access → | |

In OpenSSH the "challenge" is the session identifier that falls out of the key exchange, together with the fields of the authentication request (user, service, key): the client signs that, so a captured signature is useless in any other connection.
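The exchange above carried through in code, as an added example that is not code from the article: a stand-alone Go program using only the standard library, with a freshly generated ed25519 key and a constructed 32-byte session identifier standing in for the real exchange hash. It builds the byte string the client signs in publickey authentication (RFC 4252 section 7), verifies it server-side, and shows that the same signature is rejected for another session identifier or another user name (the user name "leo" and the service name are the example's own choices).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// sshString encodes b as an SSH "string": uint32 big-endian length, then the
// bytes (RFC 4251 section 5), the primitive every SSH message is built from.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// ed25519PubBlob is the wire encoding of an ssh-ed25519 public key: the bytes
// that appear base64-encoded in id_ed25519.pub and in authorized_keys.
func ed25519PubBlob(pub ed25519.PublicKey) []byte {
	return append(sshString([]byte("ssh-ed25519")), sshString(pub)...)
}

// userauthSignedData builds exactly what the client signs in publickey
// authentication (RFC 4252 section 7). The session identifier is the
// "challenge" of the table: it comes out of the key exchange, so a signature
// is only valid for the connection it was produced in and cannot be replayed.
func userauthSignedData(sessionID []byte, user, service string, pubBlob []byte) []byte {
	var buf bytes.Buffer
	buf.Write(sshString(sessionID))
	buf.WriteByte(50) // SSH_MSG_USERAUTH_REQUEST
	buf.Write(sshString([]byte(user)))
	buf.Write(sshString([]byte(service)))
	buf.Write(sshString([]byte("publickey")))
	buf.WriteByte(1) // boolean TRUE: a signature follows
	buf.Write(sshString([]byte("ssh-ed25519")))
	buf.Write(sshString(pubBlob))
	return buf.Bytes()
}

// clientRespond is the client's step: sign the session-bound data with the
// secret key (this is where a passphrase-protected key file would prompt).
func clientRespond(priv ed25519.PrivateKey, sessionID []byte, user string) []byte {
	pubBlob := ed25519PubBlob(priv.Public().(ed25519.PublicKey))
	return ed25519.Sign(priv, userauthSignedData(sessionID, user, "ssh-connection", pubBlob))
}

// serverVerify is sshd's step: rebuild the same data from its own view of the
// session and check the signature with the public key it has on file.
// No secret crosses the wire.
func serverVerify(pub ed25519.PublicKey, sessionID []byte, user string, sig []byte) bool {
	data := userauthSignedData(sessionID, user, "ssh-connection", ed25519PubBlob(pub))
	return ed25519.Verify(pub, data, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	session := make([]byte, 32) // constructed: stands in for the real exchange hash
	rand.Read(session)
	sig := clientRespond(priv, session, "leo")
	fmt.Println("this session:   ", serverVerify(pub, session, "leo", sig))
	fmt.Println("another session:", serverVerify(pub, make([]byte, 32), "leo", sig))
	fmt.Println("another user:   ", serverVerify(pub, session, "root", sig))
}
```

The server never learns anything it could reuse: it only checks that whoever holds the secret key signed this session's identifier for this user, which is why a passphrase on the key file (a second factor for the client) changes nothing on the wire.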
Comparison of keys

(The column headers were product photos and the feature cells were check-mark icons; only the text cells survived.)

Feature | (image) | (image) | (image) | (image) | (image) |
---|---|---|---|---|---|
fingerprint reader | | | | | |
NFC chip | | | | | |
WebAuthn | | | | | |
FIDO CTAP1 (a.k.a. U2F) | | | | | |
FIDO CTAP2 | | | | | |
FIDO2 | | | | | |
ecdsa-sk | | | | | |
ed25519-sk | | | | | |
future algorithms | | | | | |
signed firmware upgrades | | | | | |
ECC P-256 | | | | | |
ECC P-384 | planned | | | | |
ECC P-521 | planned | | | | |
NIST FIPS 140-2 | | | | | |
CC EAL6+ | | | | | |
Made in | TW | SE & US | DE | your place | your place |
Price | $69.99 | € 95,- | € 59,- | € 7,50 | € 56,78 |
Comparison Discoverable vs Non-Discoverable

Discoverable | Non-Discoverable |
---|---|
• a.k.a. resident keys (RKs) | • a.k.a. non-resident keys (NRKs) |
• The credential is stored on the security key | • Only a key handle (the credential id) is stored in a file on the computer (or similar device); the security key derives the key from it |
• Easy to share, for example among a department: the key can be taken to any compatible workstation and used to authenticate by touch and FIDO2 PIN | • Can still be shared, but harder to administrate: the key cannot be used by an unauthorized person without the credential id file, even if the PIN is known |
• Ideal for ease of access where the PIN can be shared | • Ideal when privacy matters if the key is lost or stolen |
But mind:
sshd can be configured, even per user or group, to require more than one public key in a single login (AuthenticationMethods publickey,publickey; the second key must differ from the first).
So you can combine a regular key with a second key that only works in combination with a security key.
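An sshd_config fragment for that combination, added here as an example rather than taken from the article (the group name admins is an assumption; the two keys are whichever two distinct entries the user has in authorized_keys):

```text
# sshd_config (added example): every sk key must prove the PIN was checked,
# and members of the assumed group "admins" must present two different keys
# in one session, e.g. a file-based ed25519 key plus an ed25519-sk key.
PubkeyAuthOptions verify-required
Match Group admins
    AuthenticationMethods publickey,publickey
```

Check the result with `ssh -v`: the client log shows the first key being accepted followed by "Authentications that can continue: publickey" before the second one is tried.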
Create SK key pairs
# Discoverable (resident) keys: the credential lives on the security key, so it can later be
# written to any workstation with `ssh-keygen -K`. Needs a FIDO2 (CTAP2) key with a PIN set.
# -O verify-required: every use asks for the PIN, not only a touch (sshd can also insist on it).
# -O application=ssh:...: must start with "ssh:"; keeps several resident keys on one device apart.
# -f names the output file; without it ssh-keygen prompts for a path.
ssh-keygen -t ecdsa-sk -O resident -O verify-required -O application=ssh:key1 -C key1 -f ~/.ssh/id_key1
# or
ssh-keygen -t ed25519-sk -O resident -O verify-required -O application=ssh:key2 -C key2 -f ~/.ssh/id_key2
# or, non-discoverable: the key handle is written to the file and is needed together with the device
ssh-keygen -t ecdsa-sk -O verify-required -C key3 -f ~/.ssh/id_key3
# or
ssh-keygen -t ed25519-sk -O verify-required -C key4 -f ~/.ssh/id_key4
Links
Use security keys to sign Git commits
https://docs.gitlab.com/ee/user/project/repository/signed_commits/ssh.html
https://developers.yubico.com/SSH/Securing_git_with_SSH_and_FIDO2.html
Check what your OpenSSH build supports (the ssh_config keyword names are accepted as aliases; the raw query names are cipher, mac, kex, key and sig):
ssh -Q Ciphers
ssh -Q PubkeyAcceptedAlgorithms
ssh -Q HostKeyAlgorithms
ssh -Q KexAlgorithms
ssh -Q mac
More links
https://www.kensington.com/solutions/product-category/why-biometrics/
https://store.kensington.com/collections/1-biometric-security/products/verimark%E2%84%A2-guard-usb-c-fingerprint-key-fido2-webauthn-ctap2-fido-u2f-cross-platform
https://www.yubico.com/products/yubikey-bio-series/
https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html
https://swjm.blog/the-complete-guide-to-ssh-with-fido2-security-keys-841063a04252#e66e
https://weisser-zwerg.dev/posts/openssh-fido2-hardwarekey/
https://www.ajfriesen.com/yubikey-ssh-key/
https://cryptsus.com/blog/how-to-configure-openssh-with-yubikey-security-keys-u2f-otp-authentication-ed25519-sk-ecdsa-sk-on-ubuntu-18.04.html
Example (sshd_config)
# PubkeyAcceptedKeyTypes is the pre-8.5 name; newer releases call it PubkeyAcceptedAlgorithms and keep the old name as an alias.
# A list without a leading + or - replaces the default list, so anything not named here (e.g. rsa-sha2-*) is refused.
PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ssh-ed25519,sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519@openssh.com
# every sk key must prove that the security key verified the user (PIN), not merely that it was touched
PubkeyAuthOptions verify-required
Example (~/.ssh/config)
AddKeysToAgent yes
ForwardX11 no
# offer only the IdentityFile(s) configured for the host, not everything the agent holds
IdentitiesOnly yes
ServerAliveInterval 30
TCPKeepalive true
# SSHFP records are trusted only when the resolver validated them with DNSSEC; otherwise ssh still asks
VerifyHostKeyDNS yes
VisualHostKey yes
# a leading - removes entries from the default list instead of replacing it
Ciphers -chacha20-poly1305@openssh.com
#HostKeyAlgorithms -ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com
#KexAlgorithms -ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha256
#MACs -umac-64-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
#Host *
# ControlMaster auto
# ControlPersist 60s
# ControlPath ~/.ssh/master-%l-%r@%h:%p
# the jump host: reachable directly, everything else goes through it
Host mgt
Hostname 192.168.111.111
IdentityFile ~/.ssh/id_ecdsa_sk
IdentityFile ~/.ssh/id_ed25519
# %h expands to the alias typed on the command line
Host ams.* fra.* nyc.* lax.* sfo.* hkg.* sin.*
Hostname %h.domain.tld
ProxyJump mgt
# ForwardAgent hands the agent to root on the destination host (the jump host only sees the tunnel);
# an sk key created with verify-required still needs touch and PIN for every use through the agent
ForwardAgent yes
IdentityFile ~/.ssh/id_ecdsa_sk
IdentityFile ~/.ssh/id_ed25519
Host srv1 srv2 srv3 srv4
CheckHostIP no
ProxyJump mgt
ForwardAgent yes
IdentityFile ~/.ssh/id_ecdsa_sk
IdentityFile ~/.ssh/id_ed25519
# ssh keeps the first value it finds for each option; these blocks only add Hostname, so they do not conflict with the shared block above
Host srv1
Hostname 4.100.1.53
Host srv2
Hostname 4.100.2.53
Host srv3
Hostname 4.100.3.53
Host srv4
Hostname 4.100.4.53
Example (authorized_keys)
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAy...etcETCetcETCetc...Bla= key1
When verify-required is not set globally (PubkeyAuthOptions in sshd_config), it can be set per key. Options go in front of the key type; anything after the key material is only a comment:
verify-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAy...etcETCetcETCetc...Bla= key1
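What `-O verify-required` at key creation and the `verify-required` option on the server actually rest on, as an added example that is not the article's code: a stand-alone Go program (standard library only) that plays both the security key and sshd for an sk-ssh-ed25519@openssh.com key. The public key and signature encodings, the signed data (SHA256 of the application, the flags byte, the counter, SHA256 of the message) and the flag values (user presence 0x01, user verification 0x04) follow OpenSSH's PROTOCOL.u2f; the key pair, the counter values and the message being signed are constructed for the example, and the application string ssh:key1 is the one from the ssh-keygen commands above.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
)

const (
	skAlg            = "sk-ssh-ed25519@openssh.com"
	flagUserPresent  = 0x01 // the key was touched
	flagUserVerified = 0x04 // the key checked its PIN (or on-key biometric)
)

// sshString encodes b as an SSH "string": uint32 big-endian length, then the bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// readString takes one SSH string off the front of b.
func readString(b []byte) (s, rest []byte, ok bool) {
	if len(b) < 4 || uint64(len(b)-4) < uint64(binary.BigEndian.Uint32(b)) {
		return nil, nil, false
	}
	n := binary.BigEndian.Uint32(b)
	return b[4 : 4+n], b[4+n:], true
}

// skPubBlob is the wire form of an sk-ssh-ed25519 public key (what is base64
// encoded in id_ed25519_sk.pub): algorithm, raw Ed25519 key, application string.
func skPubBlob(pub ed25519.PublicKey, application string) []byte {
	var buf bytes.Buffer
	buf.Write(sshString([]byte(skAlg)))
	buf.Write(sshString(pub))
	buf.Write(sshString([]byte(application)))
	return buf.Bytes()
}

// fingerprint matches `ssh-keygen -lf`: SHA256 over the blob, base64 without padding.
func fingerprint(blob []byte) string {
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// skSignedData is what the authenticator really signs: never the SSH message
// itself, only its hash, prefixed by the application hash and the flags and
// counter it reports. The flags are therefore covered by the signature.
func skSignedData(application string, flags byte, counter uint32, message []byte) []byte {
	app, msg := sha256.Sum256([]byte(application)), sha256.Sum256(message)
	var buf bytes.Buffer
	buf.Write(app[:])
	buf.WriteByte(flags)
	binary.Write(&buf, binary.BigEndian, counter)
	buf.Write(msg[:])
	return buf.Bytes()
}

// skSign plays the security key and returns the signature blob the client
// forwards to sshd: algorithm, signature, flags, counter.
func skSign(priv ed25519.PrivateKey, application string, flags byte, counter uint32, message []byte) []byte {
	sig := ed25519.Sign(priv, skSignedData(application, flags, counter, message))
	var buf bytes.Buffer
	buf.Write(sshString([]byte(skAlg)))
	buf.Write(sshString(sig))
	buf.WriteByte(flags)
	binary.Write(&buf, binary.BigEndian, counter)
	return buf.Bytes()
}

// skVerify plays sshd: parse the key on file and the signature blob, rebuild the
// signed data with the application stored in the key (a credential made for another
// application fails), check the signature, then enforce the flags. User presence is
// always required; requireUV is what PubkeyAuthOptions/authorized_keys verify-required turns on.
func skVerify(pubBlob, sigBlob, message []byte, requireUV bool) bool {
	alg, rest, ok := readString(pubBlob)
	if !ok || string(alg) != skAlg {
		return false
	}
	pk, rest, ok := readString(rest)
	if !ok || len(pk) != ed25519.PublicKeySize {
		return false
	}
	app, _, ok := readString(rest)
	if !ok {
		return false
	}
	sigAlg, rest, ok := readString(sigBlob)
	if !ok || string(sigAlg) != skAlg {
		return false
	}
	sig, rest, ok := readString(rest)
	if !ok || len(rest) != 5 { // exactly flags (1 byte) + counter (4 bytes) must remain
		return false
	}
	flags, counter := rest[0], binary.BigEndian.Uint32(rest[1:])
	if !ed25519.Verify(ed25519.PublicKey(pk), skSignedData(string(app), flags, counter, message), sig) {
		return false
	}
	if flags&flagUserPresent == 0 {
		return false
	}
	return !requireUV || flags&flagUserVerified != 0
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pubBlob := skPubBlob(pub, "ssh:key1") // matches -O application=ssh:key1
	fmt.Println(fingerprint(pubBlob))
	msg := []byte("constructed stand-in for the RFC 4252 userauth data")
	touchOnly := skSign(priv, "ssh:key1", flagUserPresent, 1, msg)
	touchAndPIN := skSign(priv, "ssh:key1", flagUserPresent|flagUserVerified, 2, msg)
	fmt.Println("touch only, verify-required off:", skVerify(pubBlob, touchOnly, msg, false))
	fmt.Println("touch only, verify-required on: ", skVerify(pubBlob, touchOnly, msg, true))
	fmt.Println("touch+PIN,  verify-required on: ", skVerify(pubBlob, touchAndPIN, msg, true))
}
```

Because the flags byte is inside the signed data, a client cannot claim user verification it did not get: only the key that checked the PIN can produce a valid signature with 0x04 set, which is what makes the server-side `verify-required` meaningful.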
Sign git commits using SSH keys
Example (allowed_signers file, the one named in git's gpg.ssh.allowedSignersFile): one line per principal, here the committer e-mail, followed by the public key that may sign for it
leo@xs.unicycle.net sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVj...etcETCetcETCetc...Bla= key1