simple steps to get an extra layer of security on your ssh connection with a yubiKey and the challenge response and no server side tweaking
This sounds easy but 2 things are needed.
STEP1 check your needs to get this working
need 1 ssh version 8.2 or higher
need 2 firmware on yubikey 5.2.3 or higher
check for need-1 (ssh version / both sides host and target)
ssh -Vcheck for need-2 (firmware yubikey)
lsusb -v 2>/dev/null | grep -A2 Yubico | grep "bcdDevice" | awk '{print $2}'STEP-2 install libfido2-dev
apt install libfido2-devSTEP-3 generate key (part of the new key, derived from a challenge response with the fidou2f will be on the hardware yubikey, so therefore you need to touch the key during this operation as asked)
ssh-keygen -t ed25519-sk -C "yubikey007"STEP-4 copy the generated public key to the remote host
ssh-copy-id remote_username@remote_server_ip_addressStep-5 ssh in the remote server using the ssh key (and you will get prompted for the challenge response) that means you have to plug in the yubikey and touch it. The magic happens. Have fun!
Be aware ( if you dont’t have the (yubi)key your are not able to log in, also a backup of your SSH key is not working, because of the challenge response its just 1/2 of the ssh-key) If you want to have multi factor auth (not 2FA) on your ssh connection set a password when you generate the ssh-key. Remember if you destroy the hardware key, ore loose it the login is not possible, so be prepared for that scenario. Its a hostile world be prepared to fight.
Maybe these Links will cover some more information:
https://islba.co.at/easier-life-with-custom-ssh-config-file/
https://islba.co.at/disabling-ssh-password-authentication/
https://islba.co.at/4-step-setup-ssh-login-without-password/