# OpenSSH login with your FIDO2 usb security key!

## Voltago

Hi all,

I'd like to signal-boost the fact that openssh-8.2 is now in portage with FIDO2 usb security key support (release notes): You can create a public/private key pair that you can use to login remotely only if you have your security token handy. 

[EDIT] Incorporated NeddySeagoon's suggestions, also differentiate between local and remote prerequisites.

[EDIT2] All that udev stuff that was here previously is taken care of now by libfido2-1.3.0-r1. Yay!

Local prerequisites:

Make sure your kernel supports

```
CONFIG_USB_HID=y
CONFIG_HIDRAW=y
```

Local *and* remote prerequisites:

In /etc/portage/package.accept_keywords/

```
dev-libs/libcbor
dev-libs/libfido2
net-misc/openssh
```

or, if you're like me a bit more conservative about ~arch usage:

```
=dev-libs/libcbor-0.5*
=dev-libs/libfido2-1.3*
=net-misc/openssh-8.2*
```

Then install with

```
USE="-X509 security-key" emerge =openssh-8.2_p1-r1
```

Key generation:

Plug in your security key, execute

```
ssh-keygen -t ed25519-sk -a 100 -C <your email> -f <output file>
```

and follow the instructions. Install the resulting key pair like any other, and don't lose that security token.

Caveats:

- As of now, the security-key feature is incompatible with the X509.v3 patch (hence USE=-X509).

- According to the openssh-8.2p1 release notes, there's a no-touch-required option to make it so you don't have to boop your key every time you want to log in. However, I haven't been able to set it up, or even find it properly described in the according man pages, so I'm not sure if it's all there at this point, or perhaps has been stripped out by some patch or other.

- Apparently not all security keys support the ed25519-sk algorithm, however ecdsa-sk should always work for FIDO2 compliant devices.

Last edited by Voltago on Wed Feb 19, 2020 12:42 am; edited 10 times in total

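The steps above (kernel check, keyword file, key generation, installing the public key on the remote side) as one POSIX sh helper. This is an added example, not code from Voltago's post or from the OpenSSH or Gentoo projects; the keywords file name `fido2-ssh`, the `generate` sub-command, the output path `~/.ssh/id_sk` and the sample kernel config are this example's own choices. The no-touch-required option mentioned in the caveats lives in two places in 8.2: `ssh-keygen -O no-touch-required` when generating the key (ssh-keygen(1), `-O` option), and the `no-touch-required` option in the remote `authorized_keys` line (sshd_config(5), AUTHORIZED_KEYS FILE FORMAT); sshd refuses a no-touch key unless the authorized_keys side also opts in, so both halves are shown. Without arguments the script only runs the offline checks against a constructed config; `generate` is the part that needs the token plugged in.

```shell
#!/bin/sh
# Added example (not from the original post). File names, the keywords
# file name and the "generate" sub-command are assumptions of this script.
set -u

# Constructed sample kernel config for the offline run; on a real box use
# zcat /proc/config.gz or /usr/src/linux/.config instead.
SAMPLE_CONFIG='CONFIG_USB=y
CONFIG_USB_HID=y
# CONFIG_HIDRAW is not set
CONFIG_INPUT=y'

# check_kernel_config FILE: succeed only if both options libfido2's USB HID
# transport needs are built in (=y) or modular (=m); otherwise print the
# missing ones and fail.
check_kernel_config() {
    missing=""
    for opt in CONFIG_USB_HID CONFIG_HIDRAW; do
        grep -Eq "^${opt}=[ym]$" "$1" || missing="${missing} ${opt}"
    done
    [ -z "$missing" ] && return 0
    echo "missing:${missing}"
    return 1
}

# write_keywords ROOT MODE: write the package.accept_keywords entries under
# ROOT (normally /). MODE "pinned" keywords only the version ranges from the
# post; any other MODE keywords the packages outright (~arch forever).
write_keywords() {
    dir="$1/etc/portage/package.accept_keywords"
    mkdir -p "$dir"
    if [ "$2" = pinned ]; then
        printf '%s\n' '=dev-libs/libcbor-0.5*' '=dev-libs/libfido2-1.3*' \
            '=net-misc/openssh-8.2*' > "$dir/fido2-ssh"
    else
        printf '%s\n' dev-libs/libcbor dev-libs/libfido2 net-misc/openssh \
            > "$dir/fido2-ssh"
    fi
    echo "$dir/fido2-ssh"
}

# generate_sk_key OUT COMMENT [no-touch]: the ssh-keygen call from the post,
# trying ed25519-sk first and falling back to ecdsa-sk for tokens that only
# do P-256. Prints the key type that worked. Needs the token plugged in.
generate_sk_key() {
    extra=""
    [ "${3:-}" = no-touch ] && extra="-O no-touch-required"
    for t in ed25519-sk ecdsa-sk; do
        # $extra is intentionally unquoted so an empty value adds no argument
        if ssh-keygen -t "$t" -a 100 $extra -C "$2" -f "$1"; then
            echo "$t"
            return 0
        fi
        rm -f "$1" "$1.pub"
    done
    return 1
}

# authorized_keys_line PUBKEY_FILE [no-touch]: the line to append to the
# remote ~/.ssh/authorized_keys. Only FIDO2-backed key types are accepted;
# "no-touch" prepends the option sshd requires for no-touch keys.
authorized_keys_line() {
    line=$(head -n 1 "$1")
    case "$line" in
        "sk-ssh-ed25519@openssh.com "*|"sk-ecdsa-sha2-nistp256@openssh.com "*) ;;
        *) echo "not a FIDO2-backed key: $line" >&2; return 1 ;;
    esac
    if [ "${2:-}" = no-touch ]; then
        echo "no-touch-required $line"
    else
        echo "$line"
    fi
}

if [ "${1:-}" = generate ]; then
    out="${HOME}/.ssh/id_sk"
    generate_sk_key "$out" "${2:-$(id -un)@$(uname -n)}" "${3:-}" \
        && authorized_keys_line "$out.pub" "${3:-}"
else
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_CONFIG" > "$tmp/config"
    check_kernel_config "$tmp/config" \
        || echo "enable the options above before plugging in the token"
    echo "would write keywords to: $(write_keywords "$tmp" pinned)"
    rm -rf "$tmp"
fi
```

Run it without arguments to see the checks on the constructed config (it reports CONFIG_HIDRAW missing); run `sh script.sh generate you@example.org no-touch` with the token inserted to create the key and print the authorized_keys line, then paste that line on the remote host. Remember that the remote host needs the same openssh-8.2 with USE=security-key, or it will not recognise the sk- key types at all.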
----------

## NeddySeagoon

Voltago,

Just a nit or two.

```
/etc/portage/package.keywords/
```

is deprecated. It still works but portage will shout at you.

Use

```
/etc/portage/package.accept_keywords/
```

and migrate the old file/directory, if you have it.

Do you really want to keyword versions?

= mostly means you won't get updates. Then portage will shout at you if your versions are removed from the repo.

It's not wrong. Maybe that's what you had in mind so you can drop back to stable when stable comes along.

```
dev-libs/libcbor
dev-libs/libfido2
net-misc/openssh
```

gets you ~ARCH versions for whatever your ARCH is.

----------

## Voltago

Neddy,

thanks for the heads-up, wasn't aware of the deprecation (portage isn't shouting at me yet over this, or perhaps isn't shouting loud enough). As for keywording versions, that's what I usually do, as you've pointed out with the expectation that at some point those packages get stabilized and I'll just delete the keywords file. I prefer the occasional portage-shouting-at-me when a version jump comes before stabilization to using ~arch versions indefinitely.

----------

## NeddySeagoon

Voltago,

I'm all testing here, I get to see what's coming.

```
$ emerge -p @system
/usr/lib64/python3.6/site-packages/portage/package/ebuild/_config/KeywordsManager.py:70: UserWarning: /etc/portage/package.keywords is deprecated, use /etc/portage/package.accept_keywords instead
  UserWarning)
```

That's from sys-apps/portage-2.3.89.

I haven't fixed my systems yet :)

----------

## mike155

You may want to read the comments after the LWN article: https://lwn.net/Articles/812537/.

----------

## Voltago

*mike155 wrote:*

> You may want to read the comments after the LWN article: https://lwn.net/Articles/812537/.

Any particular comment you'd like to draw attention to?

----------

## mike155

*Quote:*

> Any particular comment you'd like to draw attention to?

The fourth group of comments (started by 'luto') talks about 2FA with U2F/FIDO2 keys. One of the OpenSSL developers (djm) participates. He promises to add support for PIN-protected U2F keys for openssh-8.3, which would be nice.

----------

## Voltago

*mike155 wrote:*

> *Quote:* Any particular comment you'd like to draw attention to?
>
> The fourth group of comments (started by 'luto') talks about 2FA with U2F/FIDO2 keys. One of the OpenSSL developers (djm) participates. He promises to add support for PIN-protected U2F keys for openssh-8.3, which would be nice.

Does that refer to PIN entry on a pin-pad USB token, or to the PIN you can assign to your key? In the latter case, I'm not sure what the advantage over using a passphrase for your public/private key pair would be.

----------

