SSH and U2F

22 January 2021 security, u2f, ssh

This week: software that unfortunately does not work 😢. When U2F keys were new, Github and Yubi sold them for little to promote this browser supported kind of smartcard security. Plugin the fob, press the button, and a website or program can verify it’s you!

Unfortunately, this didn’t really take off. The primary reason I thought this would be useful is bank logins, but I’ve not encountered one supporting U2F to this date. Github, Google support it as a two-factor option, but require you to first setup a phone two-factor, which I’m not interested in. So, it’s 2021 and I’ve not used my two U2F fobs (one for backup, in case the first breaks!) once…

U2F support in OpenSSH was in the working for a while though, and is now available in most recent-ish distros, like Ubuntu 20.04. See this guide by Stavros. The nice thing is that you can replace your very long and secure passphrase with a tap on the fob. So, let’s see!

$ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/brent/.ssh/id_ecdsa_sk
Your public key has been saved in /home/brent/.ssh/id_ecdsa_sk.pub
The key fingerprint is:
SHA256:MNT80Nh1uhwiB53tPfewLkOX9n1J9pHipUABUpdq2q0 brent@dell7400
The key's randomart image is:
+-[ECDSA-SK 256]--+
|      .+oB.=o .  |
|     .  *.*o.o   |
|      o .o+.+.   |
|       o =.+.o+ .|
|        S o o  *o|
|       . . o..=*.|
|          ..o+*.=|
|         E  oo..=|
|             o  .|
+----[SHA256]-----+

Hurray! But what about those ed25519 keys?

$ ssh-keygen -t ed25519-sk -f ~/.ssh/id_ed25519_sk
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Key enrollment failed: invalid format

Merde. What’s going on? This Gitlab Issue confirms that some fobs support both, others just the former. Guess I bought mine too soon. A report here confirms: pre yubikey 5 don’t support ed25519. The key I have isn’t a ‘full’ jubikey, it only does U2F, but if memory serves it came out alongside yubikey 4, so that matches the timeline.

Yeah, that Gitlab Issue… Gitlab as of today does not support adding these public keys, so can’t use ’em. Well, what about Github? Nope, “Key is invalid. You must supply a key in OpenSSH public key format”. Yeah, I did that, dipshit. Couldn’t find an Issue (Github isn’t on Github!) to pile on to, but there is a thread on their Community. At least Gitea seems to support them now, but I don’t use Gitea anywhere (would like to, really like the interface!).