How to use YubiKeys with SSH keys in 2-step verification?












2















I can setup SSH keypair without Fido U2F as described SSH-agent working over many servers without retyping? Some flag? in the thread.
Two step verification would be very good: password for the private key and Fido U2F verification too.
I am not sure if we need here Fido/YubiKey server too, as instructed in the thread Yubico Linux Login.
My motivation is that I forget so often my passwords which are very long if used in 1-step verifications.
1-step verification is also weak itself although how long and difficult the password is.
Therefore, I would like to have 2-step verification in my Debian with keys, because I think keys can improve much security.



Ticket sent to YubiKey team 22nd Feb 2017



Dear Sir/Madam, 

We are thinking how to get 2-step verification with your key and keys in the following thread. Improvements are needed in FIDO U2F and OpenSSH parts. I am thinking how we can push the thing forward with You. Please, say what we can do because the feature request is rather blocked at the moment.

Ticket in OpenSSH part: https://bugzilla.mindrot.org/show_bug.cgi?id=2319
Thread about the feature request: http://unix.stackexchange.com/q/346771/16920

Best regards,
Leo


OS: Debian 8.7

Hardware: Asus Zenbook UX303UB

Tickets: #2319 (Jakuje)

Fido U2F key: YubiKey 4










share|improve this question





























    2















    I can setup SSH keypair without Fido U2F as described SSH-agent working over many servers without retyping? Some flag? in the thread.
    Two step verification would be very good: password for the private key and Fido U2F verification too.
    I am not sure if we need here Fido/YubiKey server too, as instructed in the thread Yubico Linux Login.
    My motivation is that I forget so often my passwords which are very long if used in 1-step verifications.
    1-step verification is also weak itself although how long and difficult the password is.
    Therefore, I would like to have 2-step verification in my Debian with keys, because I think keys can improve much security.



    Ticket sent to YubiKey team 22nd Feb 2017



    Dear Sir/Madam, 

    We are thinking how to get 2-step verification with your key and keys in the following thread. Improvements are needed in FIDO U2F and OpenSSH parts. I am thinking how we can push the thing forward with You. Please, say what we can do because the feature request is rather blocked at the moment.

    Ticket in OpenSSH part: https://bugzilla.mindrot.org/show_bug.cgi?id=2319
    Thread about the feature request: http://unix.stackexchange.com/q/346771/16920

    Best regards,
    Leo


    OS: Debian 8.7

    Hardware: Asus Zenbook UX303UB

    Tickets: #2319 (Jakuje)

    Fido U2F key: YubiKey 4










    share|improve this question



























      2












      2








      2


      2






      I can setup SSH keypair without Fido U2F as described SSH-agent working over many servers without retyping? Some flag? in the thread.
      Two step verification would be very good: password for the private key and Fido U2F verification too.
      I am not sure if we need here Fido/YubiKey server too, as instructed in the thread Yubico Linux Login.
      My motivation is that I forget so often my passwords which are very long if used in 1-step verifications.
      1-step verification is also weak itself although how long and difficult the password is.
      Therefore, I would like to have 2-step verification in my Debian with keys, because I think keys can improve much security.



      Ticket sent to YubiKey team 22nd Feb 2017



      Dear Sir/Madam, 

      We are thinking how to get 2-step verification with your key and keys in the following thread. Improvements are needed in FIDO U2F and OpenSSH parts. I am thinking how we can push the thing forward with You. Please, say what we can do because the feature request is rather blocked at the moment.

      Ticket in OpenSSH part: https://bugzilla.mindrot.org/show_bug.cgi?id=2319
      Thread about the feature request: http://unix.stackexchange.com/q/346771/16920

      Best regards,
      Leo


      OS: Debian 8.7

      Hardware: Asus Zenbook UX303UB

      Tickets: #2319 (Jakuje)

      Fido U2F key: YubiKey 4










      share|improve this question
















      I can setup SSH keypair without Fido U2F as described SSH-agent working over many servers without retyping? Some flag? in the thread.
      Two step verification would be very good: password for the private key and Fido U2F verification too.
      I am not sure if we need here Fido/YubiKey server too, as instructed in the thread Yubico Linux Login.
      My motivation is that I forget so often my passwords which are very long if used in 1-step verifications.
      1-step verification is also weak itself although how long and difficult the password is.
      Therefore, I would like to have 2-step verification in my Debian with keys, because I think keys can improve much security.



      Ticket sent to YubiKey team 22nd Feb 2017



      Dear Sir/Madam, 

      We are thinking how to get 2-step verification with your key and keys in the following thread. Improvements are needed in FIDO U2F and OpenSSH parts. I am thinking how we can push the thing forward with You. Please, say what we can do because the feature request is rather blocked at the moment.

      Ticket in OpenSSH part: https://bugzilla.mindrot.org/show_bug.cgi?id=2319
      Thread about the feature request: http://unix.stackexchange.com/q/346771/16920

      Best regards,
      Leo


      OS: Debian 8.7

      Hardware: Asus Zenbook UX303UB

      Tickets: #2319 (Jakuje)

      Fido U2F key: YubiKey 4







      ssh security yubikey fido-u2f 2-factor-authentication






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited May 23 '17 at 12:40









      Community

      1




      1










      asked Feb 22 '17 at 9:53









      Léo Léopold Hertz 준영Léo Léopold Hertz 준영

      1,0481144116




      1,0481144116






















          3 Answers
          3






          active

          oldest

          votes


















          4














          You can not use U2F with SSH. There was attempt to implement that two years ago when U2F was something new and fancy, but since that I quite never heard about that and there is no progress in that.



          If you really want it, you can patch your OpenSSH with the patch attached to this upstream bug, but note that it might have some problems, even though it was reviewed by various people.






          share|improve this answer



















          • 1





            I would really increase the priority of the enhancement from P5 to P4 or P3 or even higher because the feature is very essential in security. I am following the ticket. I hope it will be completed soon. - - Do you understand what is limiting its proceeding? Any technical issues?

            – Léo Léopold Hertz 준영
            Feb 22 '17 at 11:24








          • 1





            There are different ways to increase security which are standard and implemented in OpenSSH. For the U2F there is nobody from U2F driving that nor from OpenSSH team, therefore it is somehow blocked. What is blocking that is mostly specification (it is not in SSH RFCs and there is no reasonable update).

            – Jakuje
            Feb 22 '17 at 11:28













          • Can you please propose somebody in U2F team who I should contact for driving the issue forward? - - So it seems that SSH also has to update for the feature. Who can we contact in OpenSSH team?

            – Léo Léopold Hertz 준영
            Feb 22 '17 at 11:29








          • 1





            I don't know anyone from U2F to drive that. OpenSSH team stated their concerns in the comments.

            – Jakuje
            Feb 22 '17 at 11:31













          • I sent a feature request to YubiKey team. I attached it in the body. - - Please, state those comments of OpenSSH team here explicitly shortly.

            – Léo Léopold Hertz 준영
            Feb 22 '17 at 11:38



















          0














          Similar development project about the case supporting YubiKey DB unlock for KeePassX with YubiKeys.
          I think the project should be completed first before thinking to support the support for SSH because it should be easier for an independent application and much workforce there.






          share|improve this answer

































            0














            I am not sure if it is what you need, but Teleport supports U2F



            It is open source





            share








            New contributor




            qewghbjhb is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.




















              Your Answer








              StackExchange.ready(function() {
              var channelOptions = {
              tags: "".split(" "),
              id: "106"
              };
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function() {
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled) {
              StackExchange.using("snippets", function() {
              createEditor();
              });
              }
              else {
              createEditor();
              }
              });

              function createEditor() {
              StackExchange.prepareEditor({
              heartbeatType: 'answer',
              autoActivateHeartbeat: false,
              convertImagesToLinks: false,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: null,
              bindNavPrevention: true,
              postfix: "",
              imageUploader: {
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              },
              onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              });


              }
              });














              draft saved

              draft discarded


















              StackExchange.ready(
              function () {
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f346771%2fhow-to-use-yubikeys-with-ssh-keys-in-2-step-verification%23new-answer', 'question_page');
              }
              );

              Post as a guest















              Required, but never shown

























              3 Answers
              3






              active

              oldest

              votes








              3 Answers
              3






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes









              4














              You can not use U2F with SSH. There was attempt to implement that two years ago when U2F was something new and fancy, but since that I quite never heard about that and there is no progress in that.



              If you really want it, you can patch your OpenSSH with the patch attached to this upstream bug, but note that it might have some problems, even though it was reviewed by various people.






              share|improve this answer



















              • 1





                I would really increase the priority of the enhancement from P5 to P4 or P3 or even higher because the feature is very essential in security. I am following the ticket. I hope it will be completed soon. - - Do you understand what is limiting its proceeding? Any technical issues?

                – Léo Léopold Hertz 준영
                Feb 22 '17 at 11:24








              • 1





                There are different ways to increase security which are standard and implemented in OpenSSH. For the U2F there is nobody from U2F driving that nor from OpenSSH team, therefore it is somehow blocked. What is blocking that is mostly specification (it is not in SSH RFCs and there is no reasonable update).

                – Jakuje
                Feb 22 '17 at 11:28













              • Can you please propose somebody in U2F team who I should contact for driving the issue forward? - - So it seems that SSH also has to update for the feature. Who can we contact in OpenSSH team?

                – Léo Léopold Hertz 준영
                Feb 22 '17 at 11:29








              • 1





                I don't know anyone from U2F to drive that. OpenSSH team stated their concerns in the comments.

                – Jakuje
                Feb 22 '17 at 11:31













              • I sent a feature request to YubiKey team. I attached it in the body. - - Please, state those comments of OpenSSH team here explicitly shortly.

                – Léo Léopold Hertz 준영
                Feb 22 '17 at 11:38
















              4














              You can not use U2F with SSH. There was attempt to implement that two years ago when U2F was something new and fancy, but since that I quite never heard about that and there is no progress in that.



              If you really want it, you can patch your OpenSSH with the patch attached to this upstream bug, but note that it might have some problems, even though it was reviewed by various people.






              share|improve this answer



















              • 1





                I would really increase the priority of the enhancement from P5 to P4 or P3 or even higher because the feature is very essential in security. I am following the ticket. I hope it will be completed soon. - - Do you understand what is limiting its proceeding? Any technical issues?

                – Léo Léopold Hertz 준영
                Feb 22 '17 at 11:24








              • 1





                There are different ways to increase security which are standard and implemented in OpenSSH. For the U2F there is nobody from U2F driving that nor from OpenSSH team, therefore it is somehow blocked. What is blocking that is mostly specification (it is not in SSH RFCs and there is no reasonable update).

                – Jakuje
                Feb 22 '17 at 11:28













              • Can you please propose somebody in U2F team who I should contact for driving the issue forward? - - So it seems that SSH also has to update for the feature. Who can we contact in OpenSSH team?

                – Léo Léopold Hertz 준영
                Feb 22 '17 at 11:29








              • 1





                I don't know anyone from U2F to drive that. OpenSSH team stated their concerns in the comments.

                – Jakuje
                Feb 22 '17 at 11:31













              • I sent a feature request to YubiKey team. I attached it in the body. - - Please, state those comments of OpenSSH team here explicitly shortly.

                – Léo Léopold Hertz 준영
                Feb 22 '17 at 11:38














              4












              4








              4







              You can not use U2F with SSH. There was attempt to implement that two years ago when U2F was something new and fancy, but since that I quite never heard about that and there is no progress in that.



              If you really want it, you can patch your OpenSSH with the patch attached to this upstream bug, but note that it might have some problems, even though it was reviewed by various people.






              share|improve this answer













              You can not use U2F with SSH. There was attempt to implement that two years ago when U2F was something new and fancy, but since that I quite never heard about that and there is no progress in that.



              If you really want it, you can patch your OpenSSH with the patch attached to this upstream bug, but note that it might have some problems, even though it was reviewed by various people.







              share|improve this answer












              share|improve this answer



              share|improve this answer










              answered Feb 22 '17 at 11:11









              JakujeJakuje

              16.3k52953




              16.3k52953








              • 1





                I would really increase the priority of the enhancement from P5 to P4 or P3 or even higher because the feature is very essential in security. I am following the ticket. I hope it will be completed soon. - - Do you understand what is limiting its proceeding? Any technical issues?

                – Léo Léopold Hertz 준영
                Feb 22 '17 at 11:24








              • 1





                There are different ways to increase security which are standard and implemented in OpenSSH. For the U2F there is nobody from U2F driving that nor from OpenSSH team, therefore it is somehow blocked. What is blocking that is mostly specification (it is not in SSH RFCs and there is no reasonable update).

                – Jakuje
                Feb 22 '17 at 11:28













              • Can you please propose somebody in U2F team who I should contact for driving the issue forward? - - So it seems that SSH also has to update for the feature. Who can we contact in OpenSSH team?

                – Léo Léopold Hertz 준영
                Feb 22 '17 at 11:29








              • 1





                I don't know anyone from U2F to drive that. OpenSSH team stated their concerns in the comments.

                – Jakuje
                Feb 22 '17 at 11:31













              • I sent a feature request to YubiKey team. I attached it in the body. - - Please, state those comments of OpenSSH team here explicitly shortly.

                – Léo Léopold Hertz 준영
                Feb 22 '17 at 11:38














              • 1





                I would really increase the priority of the enhancement from P5 to P4 or P3 or even higher because the feature is very essential in security. I am following the ticket. I hope it will be completed soon. - - Do you understand what is limiting its proceeding? Any technical issues?

                – Léo Léopold Hertz 준영
                Feb 22 '17 at 11:24








              • 1





                There are different ways to increase security which are standard and implemented in OpenSSH. For the U2F there is nobody from U2F driving that nor from OpenSSH team, therefore it is somehow blocked. What is blocking that is mostly specification (it is not in SSH RFCs and there is no reasonable update).

                – Jakuje
                Feb 22 '17 at 11:28













              • Can you please propose somebody in U2F team who I should contact for driving the issue forward? - - So it seems that SSH also has to update for the feature. Who can we contact in OpenSSH team?

                – Léo Léopold Hertz 준영
                Feb 22 '17 at 11:29








              • 1





                I don't know anyone from U2F to drive that. OpenSSH team stated their concerns in the comments.

                – Jakuje
                Feb 22 '17 at 11:31













              • I sent a feature request to YubiKey team. I attached it in the body. - - Please, state those comments of OpenSSH team here explicitly shortly.

                – Léo Léopold Hertz 준영
                Feb 22 '17 at 11:38








              1




              1





              I would really increase the priority of the enhancement from P5 to P4 or P3 or even higher because the feature is very essential in security. I am following the ticket. I hope it will be completed soon. - - Do you understand what is limiting its proceeding? Any technical issues?

              – Léo Léopold Hertz 준영
              Feb 22 '17 at 11:24







              I would really increase the priority of the enhancement from P5 to P4 or P3 or even higher because the feature is very essential in security. I am following the ticket. I hope it will be completed soon. - - Do you understand what is limiting its proceeding? Any technical issues?

              – Léo Léopold Hertz 준영
              Feb 22 '17 at 11:24






              1




              1





              There are different ways to increase security which are standard and implemented in OpenSSH. For the U2F there is nobody from U2F driving that nor from OpenSSH team, therefore it is somehow blocked. What is blocking that is mostly specification (it is not in SSH RFCs and there is no reasonable update).

              – Jakuje
              Feb 22 '17 at 11:28







              There are different ways to increase security which are standard and implemented in OpenSSH. For the U2F there is nobody from U2F driving that nor from OpenSSH team, therefore it is somehow blocked. What is blocking that is mostly specification (it is not in SSH RFCs and there is no reasonable update).

              – Jakuje
              Feb 22 '17 at 11:28















              Can you please propose somebody in U2F team who I should contact for driving the issue forward? - - So it seems that SSH also has to update for the feature. Who can we contact in OpenSSH team?

              – Léo Léopold Hertz 준영
              Feb 22 '17 at 11:29







              Can you please propose somebody in U2F team who I should contact for driving the issue forward? - - So it seems that SSH also has to update for the feature. Who can we contact in OpenSSH team?

              – Léo Léopold Hertz 준영
              Feb 22 '17 at 11:29






              1




              1





              I don't know anyone from U2F to drive that. OpenSSH team stated their concerns in the comments.

              – Jakuje
              Feb 22 '17 at 11:31







              I don't know anyone from U2F to drive that. OpenSSH team stated their concerns in the comments.

              – Jakuje
              Feb 22 '17 at 11:31















              I sent a feature request to YubiKey team. I attached it in the body. - - Please, state those comments of OpenSSH team here explicitly shortly.

              – Léo Léopold Hertz 준영
              Feb 22 '17 at 11:38





              I sent a feature request to YubiKey team. I attached it in the body. - - Please, state those comments of OpenSSH team here explicitly shortly.

              – Léo Léopold Hertz 준영
              Feb 22 '17 at 11:38













              0














              Similar development project about the case supporting YubiKey DB unlock for KeePassX with YubiKeys.
              I think the project should be completed first before thinking to support the support for SSH because it should be easier for an independent application and much workforce there.






              share|improve this answer






























                0














                Similar development project about the case supporting YubiKey DB unlock for KeePassX with YubiKeys.
                I think the project should be completed first before thinking to support the support for SSH because it should be easier for an independent application and much workforce there.






                share|improve this answer




























                  0












                  0








                  0







                  Similar development project about the case supporting YubiKey DB unlock for KeePassX with YubiKeys.
                  I think the project should be completed first before thinking to support the support for SSH because it should be easier for an independent application and much workforce there.






                  share|improve this answer















                  Similar development project about the case supporting YubiKey DB unlock for KeePassX with YubiKeys.
                  I think the project should be completed first before thinking to support the support for SSH because it should be easier for an independent application and much workforce there.







                  share|improve this answer














                  share|improve this answer



                  share|improve this answer








                  answered Apr 14 '17 at 6:06


























                  community wiki





                  Léo Léopold Hertz 준영
























                      0














                      I am not sure if it is what you need, but Teleport supports U2F



                      It is open source





                      share








                      New contributor




                      qewghbjhb is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.

























                        0














                        I am not sure if it is what you need, but Teleport supports U2F



                        It is open source





                        share








                        New contributor




                        qewghbjhb is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                        Check out our Code of Conduct.























                          0












                          0








                          0







                          I am not sure if it is what you need, but Teleport supports U2F



                          It is open source





                          share








                          New contributor




                          qewghbjhb is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.










                          I am not sure if it is what you need, but Teleport supports U2F



                          It is open source






                          share








                          New contributor




                          qewghbjhb is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.








                          share


                          share






                          New contributor




                          qewghbjhb is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.









                          answered 9 mins ago









                          qewghbjhbqewghbjhb

                          1




                          1




                          New contributor




                          qewghbjhb is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.





                          New contributor





                          qewghbjhb is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.






                          qewghbjhb is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                          Check out our Code of Conduct.






























                              draft saved

                              draft discarded




















































                              Thanks for contributing an answer to Unix & Linux Stack Exchange!


                              • Please be sure to answer the question. Provide details and share your research!

                              But avoid



                              • Asking for help, clarification, or responding to other answers.

                              • Making statements based on opinion; back them up with references or personal experience.


                              To learn more, see our tips on writing great answers.




                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function () {
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f346771%2fhow-to-use-yubikeys-with-ssh-keys-in-2-step-verification%23new-answer', 'question_page');
                              }
                              );

                              Post as a guest















                              Required, but never shown





















































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown

































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown







                              Popular posts from this blog

                              CARDNET

                              Boot-repair Failure: Unable to locate package grub-common:i386

                              濃尾地震