How to use YubiKeys with SSH keys in 2-step verification?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












2















I can setup SSH keypair without Fido U2F as described SSH-agent working over many servers without retyping? Some flag? in the thread.
Two step verification would be very good: password for the private key and Fido U2F verification too.
I am not sure if we need here Fido/YubiKey server too, as instructed in the thread Yubico Linux Login.
My motivation is that I forget so often my passwords which are very long if used in 1-step verifications.
1-step verification is also weak itself although how long and difficult the password is.
Therefore, I would like to have 2-step verification in my Debian with keys, because I think keys can improve much security.



Ticket sent to YubiKey team 22nd Feb 2017



Dear Sir/Madam, 

We are thinking how to get 2-step verification with your key and keys in the following thread. Improvements are needed in FIDO U2F and OpenSSH parts. I am thinking how we can push the thing forward with You. Please, say what we can do because the feature request is rather blocked at the moment.

Ticket in OpenSSH part: https://bugzilla.mindrot.org/show_bug.cgi?id=2319
Thread about the feature request: http://unix.stackexchange.com/q/346771/16920

Best regards,
Leo


OS: Debian 8.7

Hardware: Asus Zenbook UX303UB

Tickets: #2319 (Jakuje)

Fido U2F key: YubiKey 4










share|improve this question




























    2















    I can setup SSH keypair without Fido U2F as described SSH-agent working over many servers without retyping? Some flag? in the thread.
    Two step verification would be very good: password for the private key and Fido U2F verification too.
    I am not sure if we need here Fido/YubiKey server too, as instructed in the thread Yubico Linux Login.
    My motivation is that I forget so often my passwords which are very long if used in 1-step verifications.
    1-step verification is also weak itself although how long and difficult the password is.
    Therefore, I would like to have 2-step verification in my Debian with keys, because I think keys can improve much security.



    Ticket sent to YubiKey team 22nd Feb 2017



    Dear Sir/Madam, 

    We are thinking how to get 2-step verification with your key and keys in the following thread. Improvements are needed in FIDO U2F and OpenSSH parts. I am thinking how we can push the thing forward with You. Please, say what we can do because the feature request is rather blocked at the moment.

    Ticket in OpenSSH part: https://bugzilla.mindrot.org/show_bug.cgi?id=2319
    Thread about the feature request: http://unix.stackexchange.com/q/346771/16920

    Best regards,
    Leo


    OS: Debian 8.7

    Hardware: Asus Zenbook UX303UB

    Tickets: #2319 (Jakuje)

    Fido U2F key: YubiKey 4










    share|improve this question


























      2












      2








      2


      2






      I can setup SSH keypair without Fido U2F as described SSH-agent working over many servers without retyping? Some flag? in the thread.
      Two step verification would be very good: password for the private key and Fido U2F verification too.
      I am not sure if we need here Fido/YubiKey server too, as instructed in the thread Yubico Linux Login.
      My motivation is that I forget so often my passwords which are very long if used in 1-step verifications.
      1-step verification is also weak itself although how long and difficult the password is.
      Therefore, I would like to have 2-step verification in my Debian with keys, because I think keys can improve much security.



      Ticket sent to YubiKey team 22nd Feb 2017



      Dear Sir/Madam, 

      We are thinking how to get 2-step verification with your key and keys in the following thread. Improvements are needed in FIDO U2F and OpenSSH parts. I am thinking how we can push the thing forward with You. Please, say what we can do because the feature request is rather blocked at the moment.

      Ticket in OpenSSH part: https://bugzilla.mindrot.org/show_bug.cgi?id=2319
      Thread about the feature request: http://unix.stackexchange.com/q/346771/16920

      Best regards,
      Leo


      OS: Debian 8.7

      Hardware: Asus Zenbook UX303UB

      Tickets: #2319 (Jakuje)

      Fido U2F key: YubiKey 4










      share|improve this question
















      I can setup SSH keypair without Fido U2F as described SSH-agent working over many servers without retyping? Some flag? in the thread.
      Two step verification would be very good: password for the private key and Fido U2F verification too.
      I am not sure if we need here Fido/YubiKey server too, as instructed in the thread Yubico Linux Login.
      My motivation is that I forget so often my passwords which are very long if used in 1-step verifications.
      1-step verification is also weak itself although how long and difficult the password is.
      Therefore, I would like to have 2-step verification in my Debian with keys, because I think keys can improve much security.



      Ticket sent to YubiKey team 22nd Feb 2017



      Dear Sir/Madam, 

      We are thinking how to get 2-step verification with your key and keys in the following thread. Improvements are needed in FIDO U2F and OpenSSH parts. I am thinking how we can push the thing forward with You. Please, say what we can do because the feature request is rather blocked at the moment.

      Ticket in OpenSSH part: https://bugzilla.mindrot.org/show_bug.cgi?id=2319
      Thread about the feature request: http://unix.stackexchange.com/q/346771/16920

      Best regards,
      Leo


      OS: Debian 8.7

      Hardware: Asus Zenbook UX303UB

      Tickets: #2319 (Jakuje)

      Fido U2F key: YubiKey 4







      ssh security yubikey fido-u2f 2-factor-authentication






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited May 23 '17 at 12:40









      Community

      1




      1










      asked Feb 22 '17 at 9:53









      Léo Léopold Hertz 준영Léo Léopold Hertz 준영

      1,0651144119




      1,0651144119




















          3 Answers
          3






          active

          oldest

          votes


















          4














          You can not use U2F with SSH. There was attempt to implement that two years ago when U2F was something new and fancy, but since that I quite never heard about that and there is no progress in that.



          If you really want it, you can patch your OpenSSH with the patch attached to this upstream bug, but note that it might have some problems, even though it was reviewed by various people.






          share|improve this answer


















          • 1





            I would really increase the priority of the enhancement from P5 to P4 or P3 or even higher because the feature is very essential in security. I am following the ticket. I hope it will be completed soon. - - Do you understand what is limiting its proceeding? Any technical issues?

            – Léo Léopold Hertz 준영
            Feb 22 '17 at 11:24







          • 1





            There are different ways to increase security which are standard and implemented in OpenSSH. For the U2F there is nobody from U2F driving that nor from OpenSSH team, therefore it is somehow blocked. What is blocking that is mostly specification (it is not in SSH RFCs and there is no reasonable update).

            – Jakuje
            Feb 22 '17 at 11:28












          • Can you please propose somebody in U2F team who I should contact for driving the issue forward? - - So it seems that SSH also has to update for the feature. Who can we contact in OpenSSH team?

            – Léo Léopold Hertz 준영
            Feb 22 '17 at 11:29







          • 1





            I don't know anyone from U2F to drive that. OpenSSH team stated their concerns in the comments.

            – Jakuje
            Feb 22 '17 at 11:31












          • I sent a feature request to YubiKey team. I attached it in the body. - - Please, state those comments of OpenSSH team here explicitly shortly.

            – Léo Léopold Hertz 준영
            Feb 22 '17 at 11:38


















          0














          Similar development project about the case supporting YubiKey DB unlock for KeePassX with YubiKeys.
          I think the project should be completed first before thinking to support the support for SSH because it should be easier for an independent application and much workforce there.






          share|improve this answer
































            0














            Method using pam_ssh + pam_yubico:
            http://www.ultrabug.fr/hardening-ssh-authentication-using-yubikey-12/




            Alternatively:
            I am not sure if it is what you need, but Teleport supports U2F



            It is open source






            share|improve this answer

























            • Hi, Welcome, avoid providing external websites, as these links may not valid in future

              – Tejas
              Jan 20 at 6:10










            Your Answer








            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "106"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader:
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            ,
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













            draft saved

            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f346771%2fhow-to-use-yubikeys-with-ssh-keys-in-2-step-verification%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown

























            3 Answers
            3






            active

            oldest

            votes








            3 Answers
            3






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            4














            You can not use U2F with SSH. There was attempt to implement that two years ago when U2F was something new and fancy, but since that I quite never heard about that and there is no progress in that.



            If you really want it, you can patch your OpenSSH with the patch attached to this upstream bug, but note that it might have some problems, even though it was reviewed by various people.






            share|improve this answer


















            • 1





              I would really increase the priority of the enhancement from P5 to P4 or P3 or even higher because the feature is very essential in security. I am following the ticket. I hope it will be completed soon. - - Do you understand what is limiting its proceeding? Any technical issues?

              – Léo Léopold Hertz 준영
              Feb 22 '17 at 11:24







            • 1





              There are different ways to increase security which are standard and implemented in OpenSSH. For the U2F there is nobody from U2F driving that nor from OpenSSH team, therefore it is somehow blocked. What is blocking that is mostly specification (it is not in SSH RFCs and there is no reasonable update).

              – Jakuje
              Feb 22 '17 at 11:28












            • Can you please propose somebody in U2F team who I should contact for driving the issue forward? - - So it seems that SSH also has to update for the feature. Who can we contact in OpenSSH team?

              – Léo Léopold Hertz 준영
              Feb 22 '17 at 11:29







            • 1





              I don't know anyone from U2F to drive that. OpenSSH team stated their concerns in the comments.

              – Jakuje
              Feb 22 '17 at 11:31












            • I sent a feature request to YubiKey team. I attached it in the body. - - Please, state those comments of OpenSSH team here explicitly shortly.

              – Léo Léopold Hertz 준영
              Feb 22 '17 at 11:38















            4














            You can not use U2F with SSH. There was attempt to implement that two years ago when U2F was something new and fancy, but since that I quite never heard about that and there is no progress in that.



            If you really want it, you can patch your OpenSSH with the patch attached to this upstream bug, but note that it might have some problems, even though it was reviewed by various people.






            share|improve this answer


















            • 1





              I would really increase the priority of the enhancement from P5 to P4 or P3 or even higher because the feature is very essential in security. I am following the ticket. I hope it will be completed soon. - - Do you understand what is limiting its proceeding? Any technical issues?

              – Léo Léopold Hertz 준영
              Feb 22 '17 at 11:24







            • 1





              There are different ways to increase security which are standard and implemented in OpenSSH. For the U2F there is nobody from U2F driving that nor from OpenSSH team, therefore it is somehow blocked. What is blocking that is mostly specification (it is not in SSH RFCs and there is no reasonable update).

              – Jakuje
              Feb 22 '17 at 11:28












            • Can you please propose somebody in U2F team who I should contact for driving the issue forward? - - So it seems that SSH also has to update for the feature. Who can we contact in OpenSSH team?

              – Léo Léopold Hertz 준영
              Feb 22 '17 at 11:29







            • 1





              I don't know anyone from U2F to drive that. OpenSSH team stated their concerns in the comments.

              – Jakuje
              Feb 22 '17 at 11:31












            • I sent a feature request to YubiKey team. I attached it in the body. - - Please, state those comments of OpenSSH team here explicitly shortly.

              – Léo Léopold Hertz 준영
              Feb 22 '17 at 11:38













            4












            4








            4







            You can not use U2F with SSH. There was attempt to implement that two years ago when U2F was something new and fancy, but since that I quite never heard about that and there is no progress in that.



            If you really want it, you can patch your OpenSSH with the patch attached to this upstream bug, but note that it might have some problems, even though it was reviewed by various people.






            share|improve this answer













            You can not use U2F with SSH. There was attempt to implement that two years ago when U2F was something new and fancy, but since that I quite never heard about that and there is no progress in that.



            If you really want it, you can patch your OpenSSH with the patch attached to this upstream bug, but note that it might have some problems, even though it was reviewed by various people.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Feb 22 '17 at 11:11









            JakujeJakuje

            16.3k53153




            16.3k53153







            • 1





              I would really increase the priority of the enhancement from P5 to P4 or P3 or even higher because the feature is very essential in security. I am following the ticket. I hope it will be completed soon. - - Do you understand what is limiting its proceeding? Any technical issues?

              – Léo Léopold Hertz 준영
              Feb 22 '17 at 11:24







            • 1





              There are different ways to increase security which are standard and implemented in OpenSSH. For the U2F there is nobody from U2F driving that nor from OpenSSH team, therefore it is somehow blocked. What is blocking that is mostly specification (it is not in SSH RFCs and there is no reasonable update).

              – Jakuje
              Feb 22 '17 at 11:28












            • Can you please propose somebody in U2F team who I should contact for driving the issue forward? - - So it seems that SSH also has to update for the feature. Who can we contact in OpenSSH team?

              – Léo Léopold Hertz 준영
              Feb 22 '17 at 11:29







            • 1





              I don't know anyone from U2F to drive that. OpenSSH team stated their concerns in the comments.

              – Jakuje
              Feb 22 '17 at 11:31












            • I sent a feature request to YubiKey team. I attached it in the body. - - Please, state those comments of OpenSSH team here explicitly shortly.

              – Léo Léopold Hertz 준영
              Feb 22 '17 at 11:38












            • 1





              I would really increase the priority of the enhancement from P5 to P4 or P3 or even higher because the feature is very essential in security. I am following the ticket. I hope it will be completed soon. - - Do you understand what is limiting its proceeding? Any technical issues?

              – Léo Léopold Hertz 준영
              Feb 22 '17 at 11:24







            • 1





              There are different ways to increase security which are standard and implemented in OpenSSH. For the U2F there is nobody from U2F driving that nor from OpenSSH team, therefore it is somehow blocked. What is blocking that is mostly specification (it is not in SSH RFCs and there is no reasonable update).

              – Jakuje
              Feb 22 '17 at 11:28












            • Can you please propose somebody in U2F team who I should contact for driving the issue forward? - - So it seems that SSH also has to update for the feature. Who can we contact in OpenSSH team?

              – Léo Léopold Hertz 준영
              Feb 22 '17 at 11:29







            • 1





              I don't know anyone from U2F to drive that. OpenSSH team stated their concerns in the comments.

              – Jakuje
              Feb 22 '17 at 11:31












            • I sent a feature request to YubiKey team. I attached it in the body. - - Please, state those comments of OpenSSH team here explicitly shortly.

              – Léo Léopold Hertz 준영
              Feb 22 '17 at 11:38







            1




            1





            I would really increase the priority of the enhancement from P5 to P4 or P3 or even higher because the feature is very essential in security. I am following the ticket. I hope it will be completed soon. - - Do you understand what is limiting its proceeding? Any technical issues?

            – Léo Léopold Hertz 준영
            Feb 22 '17 at 11:24






            I would really increase the priority of the enhancement from P5 to P4 or P3 or even higher because the feature is very essential in security. I am following the ticket. I hope it will be completed soon. - - Do you understand what is limiting its proceeding? Any technical issues?

            – Léo Léopold Hertz 준영
            Feb 22 '17 at 11:24





            1




            1





            There are different ways to increase security which are standard and implemented in OpenSSH. For the U2F there is nobody from U2F driving that nor from OpenSSH team, therefore it is somehow blocked. What is blocking that is mostly specification (it is not in SSH RFCs and there is no reasonable update).

            – Jakuje
            Feb 22 '17 at 11:28






            There are different ways to increase security which are standard and implemented in OpenSSH. For the U2F there is nobody from U2F driving that nor from OpenSSH team, therefore it is somehow blocked. What is blocking that is mostly specification (it is not in SSH RFCs and there is no reasonable update).

            – Jakuje
            Feb 22 '17 at 11:28














            Can you please propose somebody in U2F team who I should contact for driving the issue forward? - - So it seems that SSH also has to update for the feature. Who can we contact in OpenSSH team?

            – Léo Léopold Hertz 준영
            Feb 22 '17 at 11:29






            Can you please propose somebody in U2F team who I should contact for driving the issue forward? - - So it seems that SSH also has to update for the feature. Who can we contact in OpenSSH team?

            – Léo Léopold Hertz 준영
            Feb 22 '17 at 11:29





            1




            1





            I don't know anyone from U2F to drive that. OpenSSH team stated their concerns in the comments.

            – Jakuje
            Feb 22 '17 at 11:31






            I don't know anyone from U2F to drive that. OpenSSH team stated their concerns in the comments.

            – Jakuje
            Feb 22 '17 at 11:31














            I sent a feature request to YubiKey team. I attached it in the body. - - Please, state those comments of OpenSSH team here explicitly shortly.

            – Léo Léopold Hertz 준영
            Feb 22 '17 at 11:38





            I sent a feature request to YubiKey team. I attached it in the body. - - Please, state those comments of OpenSSH team here explicitly shortly.

            – Léo Léopold Hertz 준영
            Feb 22 '17 at 11:38













            0














            Similar development project about the case supporting YubiKey DB unlock for KeePassX with YubiKeys.
            I think the project should be completed first before thinking to support the support for SSH because it should be easier for an independent application and much workforce there.






            share|improve this answer





























              0














              Similar development project about the case supporting YubiKey DB unlock for KeePassX with YubiKeys.
              I think the project should be completed first before thinking to support the support for SSH because it should be easier for an independent application and much workforce there.






              share|improve this answer



























                0












                0








                0







                Similar development project about the case supporting YubiKey DB unlock for KeePassX with YubiKeys.
                I think the project should be completed first before thinking to support the support for SSH because it should be easier for an independent application and much workforce there.






                share|improve this answer















                Similar development project about the case supporting YubiKey DB unlock for KeePassX with YubiKeys.
                I think the project should be completed first before thinking to support the support for SSH because it should be easier for an independent application and much workforce there.







                share|improve this answer














                share|improve this answer



                share|improve this answer








                answered Apr 14 '17 at 6:06


























                community wiki





                Léo Léopold Hertz 준영






















                    0














                    Method using pam_ssh + pam_yubico:
                    http://www.ultrabug.fr/hardening-ssh-authentication-using-yubikey-12/




                    Alternatively:
                    I am not sure if it is what you need, but Teleport supports U2F



                    It is open source






                    share|improve this answer

























                    • Hi, Welcome, avoid providing external websites, as these links may not valid in future

                      – Tejas
                      Jan 20 at 6:10















                    0














                    Method using pam_ssh + pam_yubico:
                    http://www.ultrabug.fr/hardening-ssh-authentication-using-yubikey-12/




                    Alternatively:
                    I am not sure if it is what you need, but Teleport supports U2F



                    It is open source






                    share|improve this answer

























                    • Hi, Welcome, avoid providing external websites, as these links may not valid in future

                      – Tejas
                      Jan 20 at 6:10













                    0












                    0








                    0







                    Method using pam_ssh + pam_yubico:
                    http://www.ultrabug.fr/hardening-ssh-authentication-using-yubikey-12/




                    Alternatively:
                    I am not sure if it is what you need, but Teleport supports U2F



                    It is open source






                    share|improve this answer















                    Method using pam_ssh + pam_yubico:
                    http://www.ultrabug.fr/hardening-ssh-authentication-using-yubikey-12/




                    Alternatively:
                    I am not sure if it is what you need, but Teleport supports U2F



                    It is open source







                    share|improve this answer














                    share|improve this answer



                    share|improve this answer








                    edited Jan 20 at 5:09

























                    answered Jan 20 at 5:00









                    qewghbjhbqewghbjhb

                    11




                    11












                    • Hi, Welcome, avoid providing external websites, as these links may not valid in future

                      – Tejas
                      Jan 20 at 6:10

















                    • Hi, Welcome, avoid providing external websites, as these links may not valid in future

                      – Tejas
                      Jan 20 at 6:10
















                    Hi, Welcome, avoid providing external websites, as these links may not valid in future

                    – Tejas
                    Jan 20 at 6:10





                    Hi, Welcome, avoid providing external websites, as these links may not valid in future

                    – Tejas
                    Jan 20 at 6:10

















                    draft saved

                    draft discarded
















































                    Thanks for contributing an answer to Unix & Linux Stack Exchange!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid


                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.

                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f346771%2fhow-to-use-yubikeys-with-ssh-keys-in-2-step-verification%23new-answer', 'question_page');

                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown






                    Popular posts from this blog

                    How to check contact read email or not when send email to Individual?

                    Displaying single band from multi-band raster using QGIS

                    How many registers does an x86_64 CPU actually have?