Open JGoutin opened 5 months ago
Local authentication

```sh
sudo dnf install -y pamu2fcfg pam-u2f
mkdir -p ~/.config/Yubico
pamu2fcfg > ~/.config/Yubico/u2f_keys
sudo authselect enable-feature with-pam-u2f
```

`pamu2fcfg` package is required only for configuration.

To use the YubiKey as MFA instead of passwordless auth: use `with-pam-u2f-2fa` instead of `with-pam-u2f` with authselect.

SSH authentication

Client side

Generate and enroll key in Yubikey:

```sh
ssh-keygen -t ed25519-sk
```

Server side:

Edit `/etc/ssh/sshd_config` and restart sshd service:

```
PubkeyAcceptedKeyTypes sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com
```

(Check if `sk-ecdsa-sha2-nistp256@openssh.com` required with ed25519-sk key ?)

Add the public key generated by ssh-keygen to SSH authorized_key as normal.

Login

Load the key in the SSH agent before login (Will ask to tap the Yubikey):

```sh
ssh-add id_ed25519_sk
ssh user@ip
```

Role changes

Local authentication:
SSH authentication:
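
The open question in the server-side step can be checked offline. The script below is an added example, not part of the issue: it tests whether the type field of a public key line is matched by a `PubkeyAcceptedKeyTypes` value. The function names and the sample key lines are constructed for illustration; `sk-ssh-ed25519@openssh.com` is the type name that `ssh-keygen -t ed25519-sk` writes into the `.pub` file.

```shell
#!/bin/sh
# Added example (not from the issue). Sample keys below are constructed.
# Limitation: handles plain comma-separated pattern lists with * and ?
# wildcards only; '!' negation and the +, -, ^ list prefixes are not handled.

# key_type_of LINE: print the key-type field of a public key or
# authorized_keys line, skipping a leading options field if present.
key_type_of() {
    set -f                                  # no filename globbing while splitting
    for _f in $1; do
        case "$_f" in
            ssh-*|sk-*|ecdsa-*) set +f; printf '%s\n' "$_f"; return 0 ;;
        esac
    done
    set +f
    return 1
}

# type_allowed TYPE LIST: succeed if TYPE matches any pattern in LIST.
type_allowed() {
    _rest=$2
    while [ -n "$_rest" ]; do
        _pat=${_rest%%,*}
        case "$_rest" in
            *,*) _rest=${_rest#*,} ;;
            *)   _rest= ;;
        esac
        case "$1" in
            $_pat) return 0 ;;              # unquoted: * and ? act as wildcards
        esac
    done
    return 1
}

# check_key LIST LINE: print "accepted TYPE" or "rejected TYPE".
check_key() {
    _t=$(key_type_of "$2") || { echo "unparsed"; return 2; }
    if type_allowed "$_t" "$1"; then echo "accepted $_t"; return 0; fi
    echo "rejected $_t"; return 1
}

# Value taken from the sshd_config line in the issue.
PAGE_LIST='sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com'
# Constructed lines: real type names, placeholder key material.
KEY_ED25519_SK='sk-ssh-ed25519@openssh.com AAAAexamplekeyblob user@client'
KEY_OPTS='no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAexamplekeyblob user@client'

check_key "$PAGE_LIST" "$KEY_ED25519_SK" || true
check_key "$PAGE_LIST" "$KEY_OPTS" || true
```

Run against the list from the issue, the plain `ed25519-sk` key type is reported as rejected, because the list names only the ECDSA security-key type and the Ed25519 security-key certificate type.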