Using Your YubiKey With SSH and Achieving Multifactor Authentication

In my introductory article, I teased about using SSH with a YubiKey. Here's the post that expands on the idea.

YubiKeys As you can see, I like YubiKeys.

This is part of my #100DaysToOffload series, issue No. 6.

I won't go into much detail as to how to set them up, other people did. Here's the guide I followed. Instead, I just wanted to talk about how cool it is!

First, even if you need to access your server from multiple machines, you only have one public key to authorize. No more "oh no I didn't allow this key, I have to log in with the password instead" (you should have disabled it so it's more "oh no I have to get my other computer to allow this one"). Saving time already ๐Ÿ˜Š

Second, it's portable. More than a laptop. You can even plug it in on a colleague's computer and use it from there without having to compromise your private key or create another pair.

You can also generate/store your private encryption and signature keys for PGP on a YubiKey (Why have separate encryption subkey?, Improve the Security of Your OpenPGP Key by Using Subkeys). That also requires you to plug in the key to decrypt/sign messages hence increasing the security of your setup.

These are features I use every day: my key is plugged pretty much all day on my computer at work since I'm using PGP to sign my commits and SSH to push them on our shared git repo. That's also what I use to log into my Raspberry Pi or this blog's host.

One thing to keep in mind though is that if you lose your key and it's your only access to a remote machine, you may be screwed. Remember to always keep a backup access with an offline key1 or a good old keyboard & screen if you have physical access to your server!

I hope this post helps you see the coolness of these little keys! You can of course use them for 2FA on websites but hey, why not also have 2FA for SSH ๐Ÿ˜‰


  1. "offline key" here means a key pair stored on a device disconnected from internet and that you rarely use if ever. Maybe it's a USB drive in a Swiss safe, maybe it's in your nightstand, whatever. Just keep it offline as much as possible to not defeat the purpose of additional security brought by the YubiKey. For PGP, the certification key should be kept offline as it holds the power to certify other keys to allow them to sign/decrypt. 

Comments

No reaction yet, write your own!


Will be displayed with your comment.

Not mandatory, fill only if you want me to be able to contact you. It will never be displayed here nor shared with any third party.

Your comment, limited to 500 characters. No formatting.

Your comment may not be approved if it's not respectful, on topic or spammy. If you feel I've made a mistake with your comment, please send me a message!