The OnlyKey can be used with OpenSSH to provide multifactor authentication for SSH keys
OpenSSH use with OnlyKey
This document describes how to use the OnlyKey as a second factor authentication device with traditional SSH Keys.
The OnlyKey currently only supports
ed25519 keys with OpenSSH.
You must have OpenSSH v8.2 or higher and the necessary prerequisites installed.
You may now generate your SSH keys using
ssh-keygen. Provide any desired optional arguments and you will be prompted to press your OnlyKey and provide an optional passphrase.
$ ssh-keygen -t ecdsa-sk You may need to touch your authenticator to authorize key generation. Enter file in which to save the key (/home/user/.ssh/id_ecdsa_sk): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/user/.ssh/id_ecdsa_sk Your public key has been saved in /home/user/.ssh/id_ecdsa_sk.pub The key fingerprint is: SHA256:ECFmaoLZENpq0rLem8HC1F6vTwH1pjsnR6X8l/r54rQ [email protected] The key's randomart image is: +-[ECDSA-SK 256]--+ |o. + oo | |o= + .... | |= =. ... o . | | =. ..+ o | |+o.. . oS+ | |=oo . . + . . | |.o + * o . + | |. o o o o = +.o | | . +.... .oEo. | +----[SHA256]-----+
- Then copy the new public key to your remote hosts.
$ ssh-copy-id -i ~/.ssh/id_ecdsa_sk [email protected] /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "id_ecdsa_sk.pub" /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys Number of key(s) added: 1 Now try logging into the machine, with: "ssh '[email protected]'" and check to make sure that only the key(s) you wanted were added.
- And then log in your remote host. You will be prompted to enter your passphrase (if entered during key generation) and asked to press your OnlyKey.
$ ssh -i ~/.ssh/id_ecdsa_sk [email protected] Enter passphrase for key 'id_ecdsa_sk': Confirm user presence for key ECDSA-SK SHA256:ECFmaoLZENpq0rLem8HC1F6vTwH1pjsnR6X8l/r54rQ
FIDO2 Resident Keys
- OnlyKey firmware v2.1.1 or higher is required to use this feature.
Use the following command to generate a key and store it on the device:
$ ssh-keygen -t ed25519-sk -O resident -f ~/.ssh/id_mykey_sk
Then copy the new public key to your remote hosts.
To view resident keys stored on device use onlykey-cli
$ onlykey-cli credential ls PIN: Relying Party Username Credential ID ----------------------------------------------------- ssh: openssh F6pS8iFTMI9ezUZRMD39pMgC3CMpEwVCq9Y6O8YEc3lNGuMGEOihYhFZYP4ewiPmUpyfS26AIA3LXlwyHIrx4rG/fR67AA==
Follow the install guide here and install “OpenSSH Client”
$ brew install openssh
Ubuntu (20.10 Groovy Gorilla) & Debian (bullseye)
$ apt install openssh-client
$ pacman -S openssh libfido2
$ xbps-install -S openssh openssh-sk-helper