GPG for SSH is not ideal
Traditionally we had to use something like GPG to use SSH with security keys like Yubikeys. While this worked somewhat, it severely limited the number of keys we could use, forcing us to reuse the same SSH key on multiple systems. GPG also required additional configuration on the client side, making it far from ideal if you wanted ease of use, compatibility, or to keep using the built-in ssh-agent.
Benefits over using GPG
The main benefits of using this method over using GPG are:
- UNLIMITED SSH keys
Since we are using the FIDO2/U2F protocol instead of GPG, we can have essentially UNLIMITED SSH keys tied to our security keys, enabling better SSH key management across our systems.
- No client configuration required
Unlike GPG, where we had to do things like replace the ssh-agent, NO client configuration is needed for these keys apart from recent enough SSH software.
Since OpenSSH 8.2, native support for FIDO/U2F keys has been built in, making this previously cumbersome process very simple and much more secure, with much tighter integration.
- Better security
This method adds an additional factor to your authentication chain.
So an attacker would need access to a file (the SSH private key), a physical key (your security key) and a password (optional to set, but highly recommended) to gain access to any of your systems.
Get Your new keys
SSH keys with the suffix -sk use FIDO/U2F devices like Yubikeys as a second factor, so an attacker would need BOTH your security key and your SSH private key to do anything with them.
We will be generating ed25519-sk keys, which are based on the ed25519 elliptic curve algorithm.
Check the version of SSH installed on your system; it should be 8.2 or newer:
ssh -V
Now insert your security key and run the following command to generate a new pair of SSH keys:
ssh-keygen -t ed25519-sk -f <Keyfile location>
Follow the on-screen instructions and enter your security key PIN and, optionally, a passphrase for the new SSH key for even tighter security.
You may need to touch your key as well after entering the security PIN.
Your new 2FA keys should be ready for use now.
These new keys can be used the same way as any other SSH key, but now every time we try to use one we will be prompted for our security key as the second factor.
Simply add the public part of your key (ending with .pub) to the user's authorized_keys file in $HOME/.ssh/ on the server.
NOTE: The server's sshd binary needs to be at least 8.2 too for these keys to work.
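The steps above, put together as an added example (not code from the original post): a POSIX shell script that checks the local OpenSSH version against 8.2, wraps the ed25519-sk key generation, and appends the public key to an authorized_keys file without duplicating it. The function names and the sample public key line are assumptions; generate_sk_key needs a plugged-in FIDO2 key and is only run when you call it yourself.

```shell
#!/bin/sh
# Added example: helpers for the ed25519-sk workflow described above.
# Assumes ssh/ssh-keygen on PATH; a FIDO2 key must be inserted for generate_sk_key.

# Parse the "OpenSSH_X.Y..." banner that `ssh -V` prints (on stderr) and
# return 0 only if the version is 8.2 or newer, which is when -sk keys arrived.
ssh_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1            # banner did not match, be conservative
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; }
}

# Generate an ed25519-sk key pair at $1 after confirming the client is new enough.
# ssh-keygen will ask for the FIDO2 PIN, a touch, and an optional passphrase.
generate_sk_key() {
    keyfile=$1
    ssh_version_ok "$(ssh -V 2>&1)" || { echo "OpenSSH 8.2 or newer required" >&2; return 1; }
    ssh-keygen -t ed25519-sk -f "$keyfile" -C "$(id -un)@$(uname -n)-fido"
}

# Append the .pub file $1 to the authorized_keys file $2 (default: ~/.ssh/authorized_keys),
# fixing directory/file permissions and skipping the key if it is already present.
install_pubkey() {
    pub=$1
    auth=${2:-$HOME/.ssh/authorized_keys}
    mkdir -p "$(dirname "$auth")" && chmod 700 "$(dirname "$auth")"
    touch "$auth" && chmod 600 "$auth"
    key=$(cut -d' ' -f1,2 "$pub")        # compare type+blob only, ignore the comment
    grep -qF -- "$key" "$auth" || cat "$pub" >> "$auth"
}

# Count how many FIDO-backed ed25519 keys an authorized_keys file $1 contains.
sk_key_count() {
    grep -c 'sk-ssh-ed25519@openssh.com' "$1"
}

# Example usage (uncomment with a security key inserted):
# generate_sk_key "$HOME/.ssh/id_ed25519_sk"
# install_pubkey "$HOME/.ssh/id_ed25519_sk.pub"
```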