As the title says.
We use ssh to connect to many sites and would like to move to use FIDO2/webauthn for authentication.
Is this possible? What tools do we need?
We are using ubuntu as the client and server.
You can achieve FIDO2-like multi-factor authentication when ssh'ing into a server if you combine a FIDO2-compatible security key with ecdsa-sk keys. The trick is to generate a new keypair with the ecdsa-sk (the "sk" is for "security key") and the flag that requires you to enter the security key's PIN as well:
$> ssh-keygen -t ecdsa-sk -C <email address> -O verify-required
Enter your security key's PIN when prompted, then skip the prompt to password-protect the keypair (the security key and its PIN will protect its use instead). Finally, specify the absolute file path to save the keypair to.
You'll end up with a private key and public key as you'd expect. Add the .pub file to https://github.com/settings/keys as an authentication key, then update ~/.ssh/config to tell it to use the corresponding private key:
Host github.com
IgnoreUnknown UseKeychain
AddKeysToAgent yes
UseKeychain yes
IdentityFile ~/.ssh/name-you-gave-keypair-here
To test that everything is working fine, you can attempt to ssh into GitHub:
$> ssh -T git@github.com
You should see something like this:
Hi UsernameHere! You've successfully authenticated, but GitHub does not provide shell access.
And there you have it - security key-backed multi-factor authentication for your SSH connections.
One last thing, you'll need to be using at least OpenSSH 8.2 on both server and client side as it's the earliest version that support ecdsa-sk keypairs.