YubiKey protected SSH Keys

This is something I've been meaning to try out for a while now but never found the right moment in time to just do it. Just because you have access to an SSH key on a file system, why should that mean you have the right to use it?

Firstly, if you don't know what a YubiKey is then let's catch you up. It's a small device that communicates with your computer or phone via USB/Bluetooth/NFC and enables you to handle Multi-Factor Authentication (MFA). Best described as:

Authentication using two or more different factors to achieve authentication. Factors include something you know (e.g., PIN, password), something you have (e.g., cryptographic identification device, token), or something you are (e.g., biometric). See authenticator.

In typical MFA use, it's something you know and something you have - your password to a website and a physical device OR a software-generated PIN. If you haven't already started using MFA via an app that gives you codes (which is called TOTP auth) or via a physical device like a YubiKey then you should get started today. If your password to your favourite online bookshop got leaked through a data breach for example, that password would remain useless to an attacker because they don't have your second part of MFA - something you have - a YubiKey or a code from an app. YubiKey is just a manufacturer of such devices and FIDO/U2F is an open standard which means there are other providers out there - https://solokeys.com/ for example.


My YubiKey is a 5 series and so supports U2F/FIDO2 which means I can use it to protect an SSH key generated with OpenSSH. Keys which would give me access to a client's infrastructure for example, or the key that allows me to pull and push code to GitHub - these keys are extremely powerful in what they give access to but most of us just let them reside on our machines completely open to the possibility of being copied and used maliciously. So I thought it was high time I practiced what I preached and moved my SSH key over to being protected via my YubiKey.

GitHub started supporting this back in May 2021 and honestly it couldn't be easier to start using it - just follow the instructions at https://github.blog/2021-05-10-security-keys-supported-ssh-git-operations/ - you may need to update OpenSSH on your system before being able to do this.

The "ed25519-sk" is the special bit - specifically the "-sk" part.

Press the button on your YubiKey device and you'll get asked where you want to save the private/public keys. I already had a key at /Users/danjenkins/.ssh/id_ed25519_sk so I changed the location for this new key - and you can see a private and public key got generated.

The resulting public key is now available to upload to an SSH server, Git server or whatever knows how to accept one of these "new" keys.

Upload that public SSH key to your GitHub account and now, whenever you do a remote operation in Git, like fetching a remote, pulling or pushing, you'll be asked for a physical interaction with your YubiKey - much more secure than it ever was before!

It's more annoying than before - there have been a few times where I've done a "git push origin <branchname>" and wondered why a build hadn't started minutes later, only to realise that I hadn't complied with the new requirement of interacting with my 2FA device. But I know this is just a habit that I'll replace soon enough, and I know that both my business' security and the security of my clients are much better than before.


PS - Did you know you can get all the public keys GitHub knows about for you by using the URL https://github.com/<username>.keys ? Next time someone asks for your SSH key just point them at your GitHub .keys URL :) Mine can be found at https://github.com/danjenkins.keys

PPS - You can limit what kind of key is accepted by OpenSSH Server - you can read more about that at https://cryptsus.com/blog/how-to-configure-openssh-with-yubikey-security-keys-u2f-otp-authentication-ed25519-sk-ecdsa-sk-on-ubuntu-18.04.html

PPPS - Just as I was about to publish this post, Tom Lawrence from Lawrence Systems published a video talking about exactly this so go and watch his video where I'm sure he explains things much better - https://www.youtube.com/watch?v=PjDFk8xdtGw
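
An added example, not part of the original post: a small Python audit that takes public key lines in the "type base64" form served by the github.com/<username>.keys URL from the PS and reports which ones are "-sk" keys, checking the type recorded inside the key blob rather than trusting the label on the line. The sample keys are constructed with zero-filled dummy bytes, and the function names are assumptions made for this example.

```python
import base64
import struct

# Public key types OpenSSH uses for FIDO/U2F-backed ("-sk") keys.
SK_TYPES = {"sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}


def _fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    out, pos = [], 0
    while pos < len(blob):
        (n,) = struct.unpack_from(">I", blob, pos)  # struct.error if truncated
        field = blob[pos + 4:pos + 4 + n]
        if len(field) != n:
            raise ValueError("field runs past end of blob")
        out.append(field)
        pos += 4 + n
    return out


def audit_keys(text):
    """Return (declared_type, is_sk_key, detail) for each 'type base64' line."""
    results = []
    for parts in map(str.split, text.splitlines()):
        if len(parts) < 2:
            continue
        declared, is_sk, detail = parts[0], False, "not an -sk key type"
        try:
            fields = _fields(base64.b64decode(parts[1], validate=True))
            if fields[0].decode("ascii") != declared:  # label must match the blob
                detail = "label does not match blob"
            elif declared in SK_TYPES:  # last field of an -sk key is the application
                is_sk, detail = True, "application=" + fields[-1].decode("ascii", "replace")
        except (ValueError, IndexError, struct.error):
            detail = "unparseable blob"
        results.append((declared, is_sk, detail))
    return results


def _line(label, *fields):  # builds one constructed "type base64" line
    raw = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return label + " " + base64.b64encode(raw).decode()


# Constructed sample shaped like a .keys response; key bytes are zero-filled dummies.
SK = "sk-ssh-ed25519@openssh.com"
SAMPLE = "\n".join([_line(SK, SK.encode(), bytes(32), b"ssh:"),
                    _line("ssh-ed25519", b"ssh-ed25519", bytes(32)),
                    _line(SK, b"ssh-ed25519", bytes(32))])  # last one is mislabelled
```

To audit a real account, pass the text fetched from the .keys URL to audit_keys in place of SAMPLE.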