Wednesday, October 23, 2024

How to Use YubiKey and 2FA on Fedora Linux 40/Ubuntu 24.10


SSH, the Secure Shell protocol, is a cornerstone of remote access and administration. While strong passwords are a good start, vulnerabilities can arise. Enter the YubiKey, a hardware security key that adds a crucial layer of two-factor authentication (2FA) to your SSH workflow, significantly enhancing the robustness of your setup.

This guide will walk you through the process of integrating a YubiKey into your SSH infrastructure, empowering you with a highly secure and user-friendly authentication experience.

Before embarking on this journey, let's ensure we have a clear understanding of your current environment. Start by gathering essential information about your Linux desktop (client) and server using the SSH command.

On your desktop, execute the following commands to retrieve system details:

ssh -V
lsb_release -a
    

Next, connect to your server using SSH and run these commands to gather server-specific information:

      ssh linode-emka-01 -- lsb_release -a
ssh linode-emka-01 -- dpkg --list | grep openssh-server
    

These commands provide a snapshot of your system configurations, ensuring you have the necessary prerequisites for integrating the YubiKey.

The YubiKey is a small, portable device that acts as a physical security token. It provides a robust layer of security by adding an extra step to the authentication process. To begin, let's verify the YubiKey's presence and functionality on your system. Connect your YubiKey to a USB port and run the following command:

      lsusb | grep Yubico
    

This command will list the connected USB devices, identifying your YubiKey with its unique vendor and product ID. For example, you might see an output like this:

      Bus 001 Device 022: ID 1050:0407 Yubico.com Yubikey 4 OTP+U2F+CCID
    

To further verify the YubiKey's firmware version, use the lsusb command with the -d and -v options:

      lsusb -d 1050:0407 -v 2>/dev/null | grep -i bcddevice
    

This command will display the YubiKey's firmware version, which is crucial for compatibility with certain SSH key generation methods.

Now, let's create a new SSH key pair that leverages the security features of your YubiKey. Open a terminal on your desktop and navigate to your SSH directory, typically located at ~/.ssh.

The key generation process involves the ssh-keygen command, and it's important to use the correct key type based on your YubiKey firmware version. For older YubiKeys, use ecdsa-sk. However, newer YubiKeys (firmware version 5.2.3 or later) support the more secure ed25519-sk key type.

For instance, to generate an ecdsa-sk key pair:

      ssh-keygen -t ecdsa-sk -f ~/.ssh/linode_bastion_host_id_ecdsa_sk -C "${USER}@${HOSTNAME}_$(date +'%Y-%d-%m')_YubiKey"
    

For an ed25519-sk key pair:

      ssh-keygen -t ed25519-sk -f ~/.ssh/AWS_bastion_host_id_ed25519-sk -C "${USER}@${HOSTNAME}_$(date +'%Y-%d-%m')_YubiKey"
    

These commands generate a key pair, prompting you to provide a passphrase for added security. Remember to choose a strong and memorable passphrase.

It's important to note that older YubiKeys may not support the ed25519-sk key type. If you encounter an error message like "Key enrollment failed: requested feature not supported," it indicates your YubiKey firmware needs an update.

Now, let's install the public key on your server to enable secure access. This process ensures that your server recognizes and trusts your YubiKey for authentication.

Use the ssh-copy-id command to securely transfer your public key file to the server:

      ssh-copy-id -i ~/.ssh/linode_bastion_host_id_ecdsa_sk.pub vivek@linode-emka-01
    

For AWS instances, you can replace the server address and user accordingly:

      ssh-copy-id -i ~/.ssh/AWS_bastion_host_id_ed25519-sk.pub vivek@aws-emka-bastion-elb-001
    

You may be prompted for your server's password during this process.

To complete the integration, adjust your SSH configuration file (~/.ssh/config) to point to your newly generated YubiKey-protected private key:

      Host linode-emka-01
	Hostname 1.2.3.4
	User vivek
	IdentityFile ~/.ssh/linode_bastion_host_id_ecdsa_sk
    

This configuration ensures that SSH automatically utilizes your YubiKey-protected key when connecting to the specified server.

Now, it's time to put your setup to the test. Plug in your YubiKey and attempt to connect to your server using SSH:

      ssh -i ~/.ssh/linode_bastion_host_id_ecdsa_sk vivek@linode-emka-01
    

You'll be prompted to touch your YubiKey to authorize the connection. Once approved, you'll be successfully logged in!

While the YubiKey provides a significant security boost, adding a passphrase to your SSH key enhances your protection further. This creates a two-step verification process: YubiKey authentication followed by passphrase input, making it exceptionally difficult for unauthorized individuals to access your systems.

Even with advanced security measures, accidents happen. To mitigate the risk of a lost or damaged YubiKey, consider purchasing two Yubikeys. Generate SSH key pairs using both keys and install both public keys on your server. This creates a backup key that can be used in an emergency.

No matter how robust your security measures are, having verified backups of your critical data, including your SSH keys, is essential. This ensures that even in the worst-case scenario, you can restore your systems and access your data.

By embracing YubiKey-based SSH authentication, you elevate your system security to a new level. This approach:

  • Adds an extra layer of protection: YubiKey-based 2FA significantly reduces the risk of unauthorized access.

  • Simplifies authentication: With a simple touch, you can quickly and securely authenticate to your server.

  • Offers peace of mind: Knowing your systems are protected by a robust, multi-layered security framework provides peace of mind.

Integrating a YubiKey into your SSH infrastructure is a wise investment in digital security. By combining hardware security with a passphrase-protected SSH key, you create a fortress against potential threats. Remember to maintain backups, regularly update your system, and stay vigilant in the ever-evolving digital landscape. By taking these proactive steps, you can ensure that your valuable data and systems remain secure and accessible only to authorized users.

0 comments:

Post a Comment