SSH with FIDO/U2F

Since OpenSSH Version 8.2 FIDO/U2F is supported.
Type this into your terminal

1

ssh -V

to find out the version of the SSH installation.
To enhance SSH with FIDO/U2F, in this example with a Yubikey #Ad or with the cheaper Yubikey FIDO #Ad, the following steps are required:

Create new private and public keys with the option -t ed25519-sk and with the option -f id_ed25519_sk write it into a file in the local SSH directory.
During this process the Yubikey #Ad gets “married” with the private key.

1

ssh-keygen -t ed25519-sk -f ~/.ssh/id_ed25519_sk

If multiple Yubikeys #Ad are used, which is recommended, this procedure needs to be repeated with every Yubikey #Ad.
To differentiate the identical looking Yubikeys #Ad I use colored key fobs #Ad for example black and white.
The files of the private and public key get named to match the color of the key fob.
In this example id_ed25519_sk_black and id_ed25519_sk_black.pub.

1
2

ssh-keygen -t ed25519-sk -f ~/.ssh/id_ed25519_sk_black
ssh-keygen -t ed25519-sk -f ~/.ssh/id_ed25519_sk_white

You need to add the public keys into the file authorized_keys in the SSH directory of the used user e.g. /root/.ssh/authorized_keys at the target system.

To make your life easier with multiple Yubikeys #Ad you can configure SSH connections like so:

In the home directory create a file with the following content:

~/.ssh/config

1
2
3
4
5
6
7
8
9

Host host1.example.local
    IdentitiesOnly Yes
    IdentityFile ~/.ssh/id_ed25519_sk_black
    IdentityFile ~/.ssh/id_ed25519_sk_white

Host host2.example.local
    IdentitiesOnly Yes
    IdentityFile ~/.ssh/id_ed25519_sk_black
    IdentityFile ~/.ssh/id_ed25519_sk_white

If this article was helpful I would be happy to receive a coffee. Thank you very much!
This article contains affiliate links to monetize my work.
As an Amazon partner I earn from qualified sales.