Secure SSH with Yubikey

https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html
  • Install OpenSSH
  • ssh-keygen -t ed25519-sk -O resident -O verify-required -C "Your Comment"

– t : Specifies the type of key to create. We are using ed25519-sk

– 0 : Specify a key/value option.

resident : Indicate that the key handle should be stored on the FIDO authenticator itself.

verify-required : Indicate that this private key should require user verification for each signature.

  • Copy public key ssh-copy-id -i ~/.ssh/id_ed25519_sk.pub user@host
  • And finally update SSH server
# Support public key cryptography (includes FIDO2)
PubkeyAuthentication yes
# Enforce User Verification
PubkeyAuthOptions verify-required
# Public keys location
AuthorizedKeysFile .ssh/authorized_keys
# Allow root only with MFA
PermitRootLogin prohibit-password
# Disable password authentication
PasswordAuthentication no
PermitEmptyPasswords no