Product Documentation

Linux OpenSSH

The following section describes how to configure OpenSSH on Rocky 9.1 Linux with an Idem Key Plus, TrustKey G310, or Yubikey 5 NFC FIPS.


  1. The Linux machine will need libfido2 and openssh installed. This document will be using a RHEL 9 machine, which already has libfido2 and openssh installed. With the Security Key inserted, run this command in the terminal:
    shell> ssh-keygen -t ecdsa-sk

    It will ask you to touch the Security Key.
  2. After touching the Security Key, it may ask you to input its User PIN.

  3. Input the User PIN and press enter on the keyboard. The program will then prompt you to touch the Security Key again.

  4. After touching the Security Key for the second time, you will be asked where to save the key. By default, it will be in the .ssh/ folder located in the current user’s home directory. This document will be using the default setting for this step.

  5. The program will then ask the user to input a password for the key that is about to be generated.

  6. After inputting an appropriate password, the terminal should look like this.

  7. After generating the key pair, the server must be configured to accept the public key from clients attempting to connect via ssh. Go to the .ssh directory and use this command:
    shell> cat id_ecdsa_sk.pub >> authorized_keys
  8. This document is using the default name and location of the public key that was generated, so replace “id_ecdsa_sk.pub” with the location and name of the public key if anything was done differently. Now restart sshd with this command:
    shell> sudo service sshd restart
  9. Copy “id_ecdsa_sk” and “id_ecdsa_sk.pub” to the .ssh/ folder of another machine running RHEL 9 or Rocky 9. Run this command in the terminal:
    shell> chmod 600 id_ecdsa_sk
  10. Then put the Security Key into that machine and run this command in the terminal:
    shell> ssh-add
    This may require you to touch the Security Key.

    If your key pair is named differently, use this command to add it instead:
    shell> ssh-add privateKey
    Differently named key pairs can be used to manage multiple Security Keys. You will also have to specify the private key when using ssh if it is named differently:
    shell> ssh -i privateKey username@ip
  11. Now when you attempt to ssh into the remote server, it should prompt you to use the Security Key to log in.
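The following is an added example, not part of the original document: a POSIX shell function that performs step 7 in a way that can be re-run safely. It accepts only security-key (sk) public keys such as the one produced by `ssh-keygen -t ecdsa-sk`, creates `.ssh/` and `authorized_keys` with the permissions sshd requires (700 and 600; with the default StrictModes, sshd ignores keys in a group- or world-writable file), and skips a key that is already present instead of appending a duplicate. The file paths are arguments, and the key used in the usage line is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the original document): install a security-key
# (sk) public key into authorized_keys idempotently and fix permissions.
# Unlike a plain "cat id_ecdsa_sk.pub >> authorized_keys", re-running this
# does not add duplicate lines, and it refuses non-sk key types.
# Usage: install_sk_pubkey <pubkey-file> <authorized_keys-file>
install_sk_pubkey() {
    pub="$1"
    auth="$2"
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
    # The first field of an OpenSSH public key line is the key type.
    keytype=$(awk 'NR==1 {print $1}' "$pub")
    case "$keytype" in
        sk-ecdsa-sha2-nistp256@openssh.com|sk-ssh-ed25519@openssh.com) ;;
        *) echo "not a security-key (sk) key type: $keytype" >&2; return 2 ;;
    esac
    # Compare type and base64 blob only, so a changed trailing comment
    # does not cause the same key to be added twice.
    keyblob=$(awk 'NR==1 {print $1 " " $2}' "$pub")
    authdir=$(dirname "$auth")
    mkdir -p "$authdir"
    chmod 700 "$authdir"
    touch "$auth"
    chmod 600 "$auth"
    if grep -qF -- "$keyblob" "$auth"; then
        echo "key already present in $auth"
        return 0
    fi
    cat "$pub" >> "$auth"
    echo "installed $keytype key into $auth"
}

# Constructed sample usage (placeholder key material, not a real key):
# printf '%s\n' 'sk-ecdsa-sha2-nistp256@openssh.com AAAAplaceholder== user@host' > /tmp/id_ecdsa_sk.pub
# install_sk_pubkey /tmp/id_ecdsa_sk.pub "$HOME/.ssh/authorized_keys"
```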