[Solved] Yubikey setup: SSH FIDO2 on 2 VMs - Password is still prompted

Hi all,

This is my current setup: my host is a Windows machine with 2 VMs installed. VM2 (192.168.56.103) will have SSH installed with FIDO2 using a Yubikey, and VM1 (192.168.56.102) will need to connect to VM2 via SSH. Both VMs have FreeBSD installed.

Preparation of VM2:
- Update the OS to latest version so the latest version of SSH is present.
- Install libfido2 shared library, u2f-dev rules, and askpass utility (OpenSSH FIDO runtime dependencies):
- pkg install u2f-devd
- pkg install libfido2
- pkg install py39-fido2
I am not 100% sure anymore these were the ones that are needed, as I also installed: pkg install yubikey-manager-qt, and this includes a whole bunch of things.
- Add to group:
pw group mod u2f -m user1
- Reboot
- Connect to VM2 and check: fido2-token -L
- Next create the private and public key: ssh-keygen -t ed25519-sk
- Copy public key to vm1:
- ssh-copy-id -i ~/.ssh/id_ed25519_sk.pub user1@192.168.56.102

Conclusion:
Everything seems to work fine but:
- Ssh prompts me still for a password
- Yubikey is not checked, I don't need to push the key to get access; after the password is provided I am connected.

Thanks in advance for your advice.
 
- Next create the private and public key: ssh-keygen -t ed25519-sk
- Copy public key to vm1:
- ssh-copy-id -i ~/.ssh/id_ed25519_sk.pub user1@192.168.56.102
So you are creating an ssh keypair and copying its public fingerprint to the other host.

Then what should the yubikey have to do with ssh logins?


I suspect you want to use the GPG AUTH key on the yubikey for ssh login? In this case you have to use gpg-agent with --enable-ssh-support and import the keys from your yubikey to the local keyring.

FIDO2 is only used for web-based logins AFAIK, so this has nothing to do with SSH logins. There may be a PAM module for that, but I'd just go for the standard 'gpg-agent --enable-ssh-support' as it requires no extra configuration on the server side.
 
Oh, I see. The way I understood it, and maybe I understood wrongly, is that the key will have to be tapped to enter the ssh session via the private certificate that is also on the key. And I thought FIDO2 is a good way to authenticate.

I intentionally avoided GPG, which I know as well, as I needed an extra gpg-agent etc.

But you mean that the way I use FIDO2 is not really how it should be.

I started reading this: https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html , seems it's possible no? (I am just beginning with this FIDO2 setup)

Reading the link again I notice they say this (at the very bottom):
2. Copy the id_ecdsa_sk file and id_ecdsa_sk.pub from step 4 in the previous instructions to the ~/.ssh folder on the new local system.

I did not copy the ecdsa_sk file, only the pub.

Thanks for your quick reply by the way.
 
I started reading this: https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html , seems it's possible no? (I am just beginning with this FIDO2 setup)

I wasn't aware that this is a thing now...

TBH I stopped fiddling around with the yubikey-specific functions/services several years ago as they had quirks everywhere, weren't really useful on many ends and constantly broke - I just use my yubikey as a simple smartcard with GPG keys and use them for encryption, signing and authentication where possible (e.g. password-store, ssh, mail...).
For SSH nowadays it's as simple as importing the keys from your yubikey to the local keyring and running gpg-agent with the '--enable-ssh-support' option. Now ssh will try to connect using the auth key on the smartcard and (if set) ask for the key's password once for the configured cache-ttl. Have been using my yubikey NEO since 2018 like that and the only problems are the occasional regressions in gnupg, like recently with version 2.3.8 where the gpg-agent breaks with ssh [1]


[1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267858
 
Aha, I see. Instead of asking a question, I taught somebody something as well :).

Quite recently I found that Yubikey went from open source to closed source. I found that disappointing, I thought this key, this company and everything behind it was open.

Gosh, I think I found the problem, will post the summary in a minute.
 
This is my current setup: my host is a Windows machine with 2 VMs installed. VM2 (192.168.56.103) will have SSH installed with FIDO2 using a Yubikey. VM1 (192.168.56.102) is another empty VM with FreeBSD installed; VM2 also has FreeBSD installed.

Preparation of VM2:
- Update the OS to latest version so the latest version of SSH is present.
- Install libfido2 shared library, u2f-dev rules, and askpass utility (OpenSSH FIDO runtime dependencies):
- pkg install u2f-devd
- pkg install libfido2
- pkg install py39-fido2
I am not 100% sure anymore these were the ones that are needed, as I also installed: pkg install yubikey-manager-qt, and this includes a whole bunch of things.
- Add to group:
pw group mod u2f -m user1
- Reboot
- Connect to VM2 and check: fido2-token -L
- Next create the private and public key: ssh-keygen -t ed25519-sk
- Copy public key to vm1:
- Make sure the yubikey is inserted!
- ssh-copy-id -i ~/.ssh/id_ed25519_sk.pub user1@192.168.56.102
- Connect to vm1:
- vim ~/.ssh/authorized_keys
- Change DNS name user1@vm2 at the very end to user1@192.168.56.103

Behavior:
Everything seems to work fine:
- Ssh prompts me still for a password
- Yubikey is not checked, I don't need to push the key to get access; after the password is provided I am connected.

What was wrong?
Nothing was really wrong. I thought that I was about to connect from VM1 to VM2 tapping the Yubikey, but it is the opposite way: I did not realize I was setting up an SSH connection to VM1 from VM2. I thought I was setting up a connection from VM1 to VM2.

So when going to VM2:
ssh user1@192.168.56.102 (=VM1)

Then it asks to confirm user presence, i.e. it asks to tap the key. And when tapping it I am in VM1 without a password.
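The summary above turns on which side holds which file: ssh-keygen -t ed25519-sk produces a private key handle (id_ed25519_sk) that is only usable together with the Yubikey on the host where ssh is run, and the .pub line goes into authorized_keys on the host being logged into. Two practitioner checks follow from that. First, the comment at the end of an authorized_keys line (user1@vm2 vs. user1@192.168.56.103) is ignored by sshd, so editing it changes nothing. Second, an sk- entry in authorized_keys demands a touch by default; only the no-touch-required option turns that off, so an audit of that file shows at a glance whether the Yubikey really gates the login. The script below is an added example, not code from the thread or from Yubico; it audits a constructed sample authorized_keys (the key blobs are placeholders, not real keys) in POSIX sh and assumes the options field of an entry contains no whitespace.

```shell
#!/bin/sh
# Added example (not from the original thread): audit the *server-side*
# authorized_keys file (VM1 in the thread) for FIDO2 "sk-" keys and report
# whether sshd will demand a Yubikey touch for each entry.
# Assumptions: POSIX sh; the options field of an entry contains no whitespace.
set -f   # entries are split with `set --`; disable globbing so key blobs stay intact

# is_key_type WORD: succeed if WORD is an OpenSSH key type (plain or FIDO sk-).
is_key_type() {
    case "$1" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) return 0 ;;
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) return 0 ;;
        *) return 1 ;;
    esac
}

# classify_line LINE: print one of comment | sk-touch | sk-notouch | plain | unknown.
# sk-* keys require a touch unless the entry carries the no-touch-required option.
classify_line() {
    set -- $1
    [ $# -eq 0 ] && { echo comment; return 0; }
    case "$1" in '#'*) echo comment; return 0 ;; esac
    opts=""
    if ! is_key_type "$1"; then
        opts="$1"    # leading options field, e.g. no-touch-required,from="..."
        shift
    fi
    case "$1" in
        sk-*)
            case ",$opts," in
                *,no-touch-required,*) echo sk-notouch ;;
                *) echo sk-touch ;;
            esac ;;
        *)
            if is_key_type "$1"; then echo plain; else echo unknown; fi ;;
    esac
}

# count_kind FILE KIND: print how many entries in FILE classify as KIND.
count_kind() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ "$(classify_line "$line")" = "$2" ] && n=$((n+1))
    done < "$1"
    echo "$n"
}

# audit_authorized_keys FILE: one report line per key entry.
audit_authorized_keys() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$(classify_line "$line")" in
            sk-touch)   printf 'OK       touch required    : %s\n' "$line" ;;
            sk-notouch) printf 'WARNING  no-touch-required : %s\n' "$line" ;;
            plain)      printf 'INFO     not a FIDO key    : %s\n' "$line" ;;
            unknown)    printf 'UNKNOWN  unparsed entry    : %s\n' "$line" ;;
        esac
    done < "$1"
}

# write_sample_authorized_keys FILE: constructed sample; blobs are placeholders.
write_sample_authorized_keys() {
    cat > "$1" <<'EOF'
# constructed sample authorized_keys (server side); key blobs are placeholders, not real keys
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tPLACEHOLDER user1@192.168.56.103
no-touch-required,from="192.168.56.0/24" sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb21PLACEHOLDER backup-laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER legacy-key
EOF
}

demo=$(mktemp)
write_sample_authorized_keys "$demo"
audit_authorized_keys "$demo"
echo "FIDO keys that will ask for a touch: $(count_kind "$demo" sk-touch)"
echo "FIDO keys that will NOT ask for a touch: $(count_kind "$demo" sk-notouch)"
rm -f "$demo"
```

Run it on the real file with audit_authorized_keys ~/.ssh/authorized_keys on the host you log into. A WARNING line means the entry was added with no-touch-required and the login will succeed with the Yubikey merely plugged in; an INFO line is an ordinary key that never involves the token at all. If the login still asks for a password even though the sk- entry is present, the private key handle is on the wrong host, which is exactly what the thread found.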
 
Seems like you got things sorted, but I can also mention that there is a GIST here for FreeBSD, Yubikey, FIDO2 and PKCS11. I've used it with success as well.
 