Typing your password every time you connect to other computers via ssh is annoying; public/private key authentication is much more convenient. Unfortunately, your private key is usually stored in your home directory and can be stolen by somebody who gains access to your data, e.g. by reading some old backup files.

Storing your private key on a dedicated hardware device like a YubiKey is both very secure and convenient: While the YubiKey is connected to your computer, this works just like a locally stored secret key. If your YubiKey is not connected, you have to type your password when connecting to other hosts via ssh.

The following is a step-by-step tutorial on how to use a YubiKey for SSH public key authentication on the theory group cluster. If you do use public/private key authentication in our cluster, please get a YubiKey, connect it to your computer and follow these instructions. Hardware tokens are mandatory for password-less SSH login to our hosts.

First, generate a public/private key pair (the "-sk" suffix in the key type indicates that this key is backed by a hardware security key):

gi32rog@hirado:~$ ssh-keygen -t ed25519-sk -C "SR-yubikey-14Sep23"
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter file in which to save the key (/home/t30/all/gi32rog/.ssh/id_ed25519_sk):
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/t30/all/gi32rog/.ssh/id_ed25519_sk
Your public key has been saved in /home/t30/all/gi32rog/.ssh/id_ed25519_sk.pub
The key fingerprint is:
SHA256:jSjK0pD...

At the point where the computer says "You may need to touch your authenticator..." you need to do just that. (If you have set a PIN for FIDO2, you also have to enter it.) Leave the pass phrase empty. Unlike RSA keys, the file id_ed25519_sk does not contain your (complete) private key; the secret remains in your YubiKey, so the file alone is useless to anyone who copies it. (We have been told that on Macs, ssh-keygen needs to be used with sudo for hardware authenticators.)

Then, make the newly generated public key an authorised key for password-less SSH login (the old authorized_keys file is kept as a backup, so that any previously authorised software keys no longer grant login):

gi32rog@hirado:~$ mv .ssh/authorized_keys .ssh/authorized_keys_backup
gi32rog@hirado:~$ cp .ssh/id_ed25519_sk.pub .ssh/authorized_keys

This is all that you need to do!
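As an added example (not part of the CIP admins' instructions), a POSIX shell helper for the authorized_keys step above: it appends the sk key only once, keeps a backup, refuses keys that are not hardware-backed, and counts any remaining non-sk entries so you can check that password-less login really goes only through the YubiKey. The .pub file format and key types are OpenSSH's; the function names and the sample keys in the comments are my own.

```shell
#!/bin/sh
# Added example, not the tutorial's own code: install an sk public key into
# authorized_keys (appending and backing up instead of overwriting) and
# audit a file for entries that are not hardware-backed.
# Assumes .pub files in the format ssh-keygen -t ed25519-sk writes.

is_sk_type() {   # key types OpenSSH uses for FIDO security-key keys
    case "$1" in
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) return 0 ;;
        *) return 1 ;;
    esac
}

# install_sk_key PUBKEY_FILE AUTHORIZED_KEYS
# Exit status: 0 installed or already present, 2 key is not hardware-backed.
install_sk_key() {
    pubfile=$1; authfile=$2
    key=$(head -n 1 "$pubfile") || return 1
    keytype=${key%% *}
    # Type and base64 blob identify the key; the comment may differ.
    keyid=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if ! is_sk_type "$keytype"; then
        echo "refusing $pubfile: $keytype is not a security-key type" >&2
        return 2
    fi
    if [ -f "$authfile" ] && grep -qF -- "$keyid" "$authfile"; then
        return 0            # idempotent: already authorised
    fi
    # Keep one backup of the existing file, as the tutorial does by hand.
    if [ -f "$authfile" ] && [ ! -f "$authfile.backup" ]; then
        cp "$authfile" "$authfile.backup"
    fi
    printf '%s\n' "$key" >> "$authfile"
    chmod 600 "$authfile"   # sshd (StrictModes) rejects group/world-writable files
}

# count_non_sk_keys AUTHORIZED_KEYS
# Prints how many active entries are NOT hardware-backed (0 if file is missing).
count_non_sk_keys() {
    [ -f "$1" ] || { echo 0; return 0; }
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        { sk = 0
          for (i = 1; i <= NF; i++)             # options may precede the type
              if ($i == "sk-ssh-ed25519@openssh.com" ||
                  $i == "sk-ecdsa-sha2-nistp256@openssh.com") sk = 1
          if (!sk) n++ }
        END { print n + 0 }' "$1"
}
```

Run `count_non_sk_keys ~/.ssh/authorized_keys` after installing; anything other than 0 means a software key still grants password-less login.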

Now, if I type ssh mintaka with my YubiKey connected, a message "Confirm user presence..." pops up and the YubiKey blinks. After touching the key the login is performed immediately. (Depending on the machine that you connect from, the "Confirm user presence" message might not be displayed, but when the YubiKey blinks, you have to touch it.)

With no YubiKey connected, a message is displayed and the login proceeds in fallback mode by asking for the password:

gi32rog@hirado:~$ ssh mintaka
sign_and_send_pubkey: signing failed for ED25519-SK "/home/t30/all/gi32rog/.ssh/id_ed25519_sk" from agent: agent refused operation
gi32rog@mintaka's password:
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-83-generic x86_64)
...

Some more information can be found at https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html

Please report success / failure / suggestions for improvement!

CIP admins
