SSH authentication with smartcard and Yubikey
New awesomeness of native Security Key support
Around 2019/2020, OpenSSH added support for a new key type, using the familiar pubkey pattern but backed by a FIDO/U2F security key.
A decent excerpt is mentioned here: https://superuser.com/questions/1420840/ssh-authentication-with-fido2-yubico-security-key
The gist of it is that it's new in version 8.2, and I'm sure that'll trickle down into mainstream distros soon enough, though server-side support could be a while coming to something nice like Centos.
A quick rundown of SSH authentication
The short version is that SSH supports multiple auth mechanisms, and I still don't know how they overlap. Enabling UsePAM will pass PasswordAuth and ChallengeResponseAuthentication through the PAM stack.
This isn't even all of the auth mechanisms...
Password: sshd receives the cleartext password from the client to check it, and may or may not talk back to PAM for the auth sequence. Enabled in config with PasswordAuthentication, and in-band it's referred to as password
Challenge-Response: opens a session to the backend auth mechanism, specifically it's an interactive dialogue. Typically it's just asking for a password but the mechanism allows for arbitrarily complex human protocols, eg. requesting an OTP password. Enabled in config with ChallengeResponseAuthentication, in-band referred to as keyboard-interactive
SSH key: verify your identity with a known public key in ~/.ssh/authorized_keys. Enabled in config with PubkeyAuthentication, in-band referred to as publickey
Smartcards and Yubikeys
A Yubikey can act as a smartcard, or as a special yubikey device. That "special" bit suggests that it's best suited to use as a challenge-response auth token, if you don't use it as a smartcard.
Using a smartcard is technically quite boring, though it can be quite fiddly because there's multiple ways to do it. It always hosts a secure private key, and the pubkey component is either a plain pubkey (regular SSH style), or a signed certificate that endorses your identity (SSL client cert style).
The simplest method is probably to use it as a regular SSH key.
I haven't tried using it as a yubikey C-R device, but it'd probably be less fiddly than getting a smartcard to work. It would need a PAM module though.
Using a smartcard
- SSH client will use a key agent to authenticate with the publickey mechanism
- The server will send a nonce to the client, the client needs to sign it with its private key to prove its identity
- The agent normally keeps the private key in memory, backed by the on-disk copy (which may be crypted with a symmetric cipher)
- Instead, the agent will figure out that the private key is on a smartcard, then talks to the smartcard to negotiate the auth-signing action
- This obviously needs a driver, but thankfully we have standards for this sort of thing, which the OS can provide
- The smartcard may demand a PIN to unlock access to the private key, this is handled by the driver, which can prompt the user to enter the PIN
- The agent of course needs smartcard support. Pageant currently does not support this, but there is a third-party version of it that does
Various smartcard links
http://smartcard-auth.de/ssh-en.html (pageant-replacement that Just Works, but isn't quite Free)
https://ilianaw.net/blog/2016/01/ssh-smart-card/ (this one is not bad)
https://en.wikipedia.org/wiki/OpenPGP_card (and now we're getting into applets, another topic for learning...)
https://lwn.net/Articles/618888/ (playing with the Yubikey NEO, which introduced the smartcard functionality)
I think that technically, smartcard function isn't the same as openpgp function. They're two different ways of talking to the card and getting stuff done, and both can do roughly the same set of realworld stuff. Smartcard is older and well established, but also more complex and enterprise-y. Openpgpcard is probably simpler and nicer.