FIDO SSH






These are my notes (mostly for myself!) on getting SSH authentication through GPG under a variety of Windows 10 environments: native OpenSSH (see C:\Windows\System32\OpenSSH\*), Windows Subsystem for Linux (WSL) and MinGW / Git Bash. Why? So you have a single, GPG-based identity on a secure, removable hardware key store such as an OpenPGP card (e.g. YubiKey 5), and your SSH key is derived from that GPG identity (the authentication subkey). No naked RSA SSH private keys floating around on disk.

This document does NOT cover generating the GPG keys or moving the GPG profile and keys to the Yubikey. If you want that, see this.

NOTE: Everywhere here, replace sid with your username as appropriate, e.g. C:\Users\sid becomes C:\Users\<yourusername>.


Overall idea

The core idea is to install and set up gpg natively on Windows 10 and let its gpg-agent perform SSH authentication via the Pageant protocol (enable-putty-support). Everything else is bridging: sockets and named pipes that carry that Pageant connection into each environment. The complexity comes from the fact that the ends of those bridges (Unix-domain sockets on the WSL and MinGW side, named pipes and Pageant's window-message interface on the Windows side) are incompatible, gpg-agent's OpenSSH-style (non-Pageant) agent socket on Windows proved unreliable in my testing, and there are usually several SSH installations on one machine.

Alternatively, if you are on OpenSSH 8.2 or newer, there is built-in support for FIDO security keys (ssh-keygen -t ecdsa-sk or ed25519-sk) and ssh-agent handles them natively, without GPG in the loop; with Debian's libpam-ssh-agent-auth on the server you can even authenticate with such a FIDO2-backed key over a forwarded agent.

Windows 10 setup

I actually already had gpg4win installed, but it simply wouldn't prompt me for the GPG PIN, i.e. authentication failed no matter what I tried. After struggling with this for a day, I uninstalled it completely and started fresh. In addition to having your private key on the YubiKey, it is highly recommended that you keep an air-gapped or offline backup of your public and private keys: key material moved onto the card cannot be exported from it again.

  1. [Optional] Uninstall gpg4win and then delete the C:\Users\sid\.gnupg and C:\Users\sid\AppData\Roaming\gnupg folders.
  2. Install gpg4win (download)
  3. Re-import your GPG public key and private key into GPG per this guide. The actual private key stays on the OpenPGP card; only a stub pointing at the card is imported into GPG (gpg --card-status creates the stubs).
  4. Edit %APPDATA%\gnupg\gpg-agent.conf to have
    enable-putty-support
  5. Download WSL-SSH-Pageant and install it somewhere e.g. C:\tools\wsl-ssh-pageant
  6. Start the bridge on the Windows side by
    C:\tools\wsl-ssh-pageant\wsl-ssh-pageant-amd64-gui.exe -systray -verbose -wsl C:\tools\wsl-ssh-pageant\wsl-ssh-agent.sock
    The -wsl option creates the socket file that WSL connects to. The named pipe used by native Windows OpenSSH in the later steps (\\.\pipe\winssh-pageant) is only created when the bridge is also started with its -winssh <pipename> option, so the pipe name given there must match the one you later put in SSH_AUTH_SOCK.
  7. Start Windows' GPG agent by the following PowerShell command
    & 'C:\Program Files (x86)\GnuPG\bin\gpg-connect-agent.exe' /bye
    If the agent was already running when you edited gpg-agent.conf, make it re-read the file with gpg-connect-agent reloadagent /bye; without enable-putty-support active, the bridge has nothing to talk to.

Automating it


To start the above bridge automatically at startup, do this:

  1. Open C:\Users\sid\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  2. Put one shortcut that runs 'C:\Program Files (x86)\GnuPG\bin\gpg-connect-agent.exe' /bye
  3. Put another shortcut that runs 'C:\tools\wsl-ssh-pageant\start wsl-ssh-pageant.bat'
  4. Create a file C:\tools\wsl-ssh-pageant\start wsl-ssh-pageant.bat which has the following. This ensures that a permanent terminal window isn't left dangling

If you don’t have the newer cross platform PowerShell (pwsh) used in the above command, install it from here (preferred) or use the older powershell.exe.

SSH auth in WSL

This routes WSL’s SSH authentication across to GPG’s SSH agent using the bridge we setup earlier

  1. Issue this command in a WSL terminal
    export SSH_AUTH_SOCK=/mnt/c/tools/wsl-ssh-pageant/wsl-ssh-agent.sock
  2. test with something like ssh sid@lab-linux13-ubuntu18. You should see a GUI PIN prompt on the Windows 10 side

Automating it

Open a WSL terminal, edit ~/.profile file to add

SSH auth in Windows 10

Windows 10 now ships with a native OpenSSH client that lives in C:\Windows\System32\OpenSSH. If you just want to open a command prompt or PowerShell window and ssh away, this is for you.

  1. Run $env:SSH_AUTH_SOCK='\\.\pipe\winssh-pageant' in PowerShell
  2. test with something like ssh sid@lab-linux13-ubuntu18. You should see a GUI PIN prompt on the Windows 10 side

Make GIT use SSH + GPG

Chances are you also want to be able to issue a git command in a regular Windows terminal for your work, e.g. git fetch. The issue is that there are two SSH clients even on the pure native Windows 10 side: one in C:\Windows\System32\OpenSSH and the other installed by Git at C:\Program Files\Git\usr\bin, and Git will use its own version, not the one we just set up above.


To fix that, open a Windows PowerShell terminal and type $env:GIT_SSH='C:\Windows\System32\OpenSSH\ssh.exe', then test that it works by issuing git fetch from a suitable git repository (make sure the remote has your corresponding SSH public key registered). If all works, you should see the PIN prompt.

Automating it

  1. Windows 10 Start Button -> type environment variables -> Edit environment variables for your account -> User variables for sid -> New
  2. Name = SSH_AUTH_SOCK and value = \\.\pipe\winssh-pageant -> Ok
  3. Repeat with Name = GIT_SSH and value = C:\Windows\System32\OpenSSH\ssh.exe -> Ok

SSH auth in Git-Bash (mingw)

When you install git for windows, you get a bash shell that’s based off “Minimalist GNU for Windows” – a minimalist development environment for Windows. GIT runs within that.

  1. Run eval $(/usr/bin/ssh-pageant -r -a "/tmp/.ssh-pageant-$USERNAME") (double quotes, so that $USERNAME is expanded; -r reuses an existing socket and -a pins its path so every shell shares it)
  2. test with something like ssh sid@lab-linux13-ubuntu18. You should see a GUI PIN prompt on the Windows 10 side

If you’re using SourceTree, switch to putty SSH authentication and

Automating it

Just add the following to your git-bash’s ~/.bashrc or .profile file
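As an added example (my own, not the author's profile snippet), here is one shell-profile block that covers both the WSL case above (pointing SSH_AUTH_SOCK at the wsl-ssh-pageant socket) and this Git-Bash case (ssh-pageant), detecting which environment it is sourced from. It assumes the socket path used in this write-up and that ssh-pageant is on PATH in Git-Bash; the WSL_SSH_PAGEANT_SOCK override variable is a hypothetical convenience, not something either tool defines.

```shell
#!/bin/sh
# Added example, not the author's ~/.profile or ~/.bashrc: one snippet that
# hands SSH to the Windows gpg-agent from either WSL or Git-Bash.
# Assumptions: the wsl-ssh-pageant socket lives at the path used in the
# write-up, and ssh-pageant is on PATH inside Git-Bash.

WSL_BRIDGE_SOCK='/mnt/c/tools/wsl-ssh-pageant/wsl-ssh-agent.sock'

# Print the first argument that exists on disk (socket file, pipe or regular
# file); return 1 if none does.  Empty arguments are skipped.
first_existing() {
    for p in "$@"; do
        if [ -n "$p" ] && [ -e "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# `ssh-add -l` exits 0 (keys listed), 1 (agent reachable, no keys) or
# 2 (could not contact the agent).  Only 2 means the bridge is broken.
agent_reachable() {
    ssh-add -l >/dev/null 2>&1 || [ $? -ne 2 ]
}

setup_ssh_agent() {
    if [ -n "$MSYSTEM" ] && command -v ssh-pageant >/dev/null 2>&1; then
        # Git-Bash (MSYS/MinGW): ssh-pageant speaks Pageant to gpg-agent.
        # -r reuses an existing socket, -a pins its path so all shells share it.
        eval "$(ssh-pageant -r -a "/tmp/.ssh-pageant-$USERNAME")"
    elif grep -qi microsoft /proc/version 2>/dev/null; then
        # WSL: connect to the socket file wsl-ssh-pageant created on the
        # Windows side.  WSL_SSH_PAGEANT_SOCK (hypothetical override) wins.
        sock=$(first_existing "${WSL_SSH_PAGEANT_SOCK:-}" "$WSL_BRIDGE_SOCK") || {
            echo "wsl-ssh-pageant socket not found; start the bridge on Windows first" >&2
            return 1
        }
        export SSH_AUTH_SOCK="$sock"
    fi
    if ! agent_reachable; then
        echo "warning: no SSH agent answering on ${SSH_AUTH_SOCK:-<unset>}" >&2
        return 1
    fi
}

# In ~/.profile (WSL) or ~/.bashrc (Git-Bash) just call:  setup_ssh_agent
```

The agent_reachable check is what you want in a profile: a missing bridge should shout once at login rather than surface later as a baffling "Permission denied (publickey)" with no PIN prompt.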

WSL setup for running GPG

If all you care is SSH on WSL using gpg-agent on Windows, then the SSH auth bridge setup above is all you need. You do not need this additional bridge. But if you want to use the gpg binary within WSL (e.g. encrypting files), then you need another bridge to handle the gpg communications into the Windows world.

  1. Download npiperelay (link) with GPG support and unzip it to something like C:\tools\npiperelay\npiperelay.exe
  2. Install socat with sudo apt install socat
  3. In WSL run (it's all one line; double quotes so that $HOME expands, and the trailing & keeps the listener running in the background). If a gpg-agent is already running inside WSL it will own that socket path, so stop it first with gpgconf --kill gpg-agent.
    socat UNIX-LISTEN:"$HOME/.gnupg/S.gpg-agent,fork" EXEC:"/mnt/c/tools/npiperelay/npiperelay.exe -ei -ep -s -a 'C:/Users/sid/AppData/Roaming/gnupg/S.gpg-agent'",nofork &
  4. Test by running gpg --card-status in WSL, it should work

Automating it

Add the following to the end of your WSL’s ~/.profile file
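The following is an added example of what such a ~/.profile addition can look like (mine, not the author's file): it starts the relay only when nothing is already listening on the WSL gpg-agent socket, so re-sourcing the profile does not spawn a second socat. It assumes the npiperelay location and Windows socket path used above and the placeholder username sid.

```shell
#!/bin/sh
# Added example, not the author's ~/.profile: start the socat <-> npiperelay
# relay for gpg-agent only when nothing is already serving the WSL socket.
# Assumptions: npiperelay.exe sits in C:\tools\npiperelay, the Windows user
# is "sid" (placeholder) and the Windows gpg-agent socket is the default one.

NPIPERELAY='/mnt/c/tools/npiperelay/npiperelay.exe'
WIN_GPG_SOCK='C:/Users/sid/AppData/Roaming/gnupg/S.gpg-agent'

# Socket that gpg inside WSL connects to.  gpgconf knows the real path when
# GNUPGHOME or a non-default layout is in use; fall back to the default.
wsl_gpg_sock() {
    gpgconf --list-dirs agent-socket 2>/dev/null || printf '%s\n' "$HOME/.gnupg/S.gpg-agent"
}

# The two socat addresses.  fork: one npiperelay per client; nofork: socat
# hands the connection to npiperelay directly.  npiperelay's -ei/-ep/-s/-a
# flags are the GPG-fork options the write-up already uses.  Each address
# must reach socat as a single argument, hence the functions and the quoting.
socat_listen_addr() { printf 'UNIX-LISTEN:%s,fork\n' "$1"; }
socat_exec_addr()   { printf "EXEC:%s -ei -ep -s -a '%s',nofork\n" "$NPIPERELAY" "$WIN_GPG_SOCK"; }

# True when a listener already owns the socket path (ss(8) from iproute2).
relay_running() {
    ss -xl 2>/dev/null | grep -qF "$1"
}

start_gpg_relay() {
    sock=$(wsl_gpg_sock)
    if relay_running "$sock"; then
        return 0
    fi
    # A local gpg-agent would otherwise grab the path; then clear any stale file.
    gpgconf --kill gpg-agent >/dev/null 2>&1
    rm -f "$sock"
    # setsid + subshell: the relay outlives the login shell that started it.
    (setsid socat "$(socat_listen_addr "$sock")" "$(socat_exec_addr)" >/dev/null 2>&1 &)
}

# In ~/.profile:  start_gpg_relay
```

The order matters: the relay must own the socket before the first gpg invocation in WSL, otherwise gpg auto-starts a local agent that knows nothing about the card and the later gpg --card-status test fails.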

Ending comments – Yubico and the state of the ecosystem

Overall, I'm rather disappointed with the quality of the software and how poorly the pieces interoperate. I also contacted Yubico to see if they had any internal documentation, since external documentation on this was sparse. Astonishingly, they just sent back unrelated links to third-party blog posts. If Git for Windows, OpenSSH and GPG don't work well together out of the box, Yubico should be stepping up and providing guidance to smooth that journey, since they're selling security devices that are heavily dependent on that ecosystem.

Troubleshooting

Windows 10's default OpenSSH Authentication Agent service was disabled, but it is unclear whether this is a necessary requirement. That service listens on its own pipe (\\.\pipe\openssh-ssh-agent), and with SSH_AUTH_SOCK pointing at the bridge pipe, ssh.exe does not consult it; stopping it mainly removes one more place where a key could end up loaded by mistake.

Start button -> Services -> OpenSSH Authentication Agent -> Stop

OpenSSH is, by far, the most popular tool for logging into remote servers and desktops. Password logins are generally considered fairly safe, but not 100%. If you're not satisfied with the out-of-the-box security offered by OpenSSH, you can opt for SSH key authentication instead. If that's not enough, there's always two-factor authentication, which additionally requires a one-time code generated by an application such as OTPClient or Authy.

As of OpenSSH 8.2, there's a newly supported option: FIDO/U2F security keys. What this means is that you can now use a 2FA hardware key (such as a YubiKey) as the SSH key itself: the private key material lives on the token and every signature requires a touch on the device.

2FA is often considered the easiest method of adding an additional layer of security to SSH logins. Hardware keys go further: because the private key never leaves the token and each use needs physical presence, a stolen key file is useless on its own, and with password authentication disabled there is nothing left to brute-force. To make things easy, the OpenSSH developers have made it possible to generate a FIDO token-backed key with the familiar ssh-keygen command (new key types ecdsa-sk and ed25519-sk), so anyone used to creating SSH keys shouldn't have any problem getting up to speed with integrating hardware keys into SSH.


To use this feature, both ends need OpenSSH 8.2 or newer: the client (ssh and ssh-keygen must be built with libfido2 support) and the server (sshd has to recognise the sk-* key types in authorized_keys).
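As an added example (mine, not from the page or from the OpenSSH project), the enrolment command for such a key, followed by a small audit of an authorized_keys file that tells hardware-backed (sk-*) entries apart from plain software keys. The authorized_keys sample is constructed with placeholder key blobs; the key type names and options are OpenSSH's own.

```shell
#!/bin/sh
# Added example (not from the page or from OpenSSH): enrol a FIDO-backed key
# and audit an authorized_keys file for which entries are hardware-backed.
# Needs OpenSSH 8.2+ with libfido2 on the client and sshd 8.2+ on the server;
# -O verify-required additionally needs 8.4+.  Key type names are OpenSSH's.

# Enrolment.  The resulting "private key" file is only a handle: the secret
# stays on the token, every signature needs a touch, and with verify-required
# also the token's PIN.  -O resident stores the credential on the token so it
# can be re-downloaded elsewhere with `ssh-keygen -K`.  Not run here: needs a
# physical token.
gen_sk_key() {
    ssh-keygen -t ed25519-sk -O resident -O verify-required \
        -C "fido-$(hostname)" -f "$HOME/.ssh/id_ed25519_sk"
}

# Constructed sample authorized_keys (the key blobs are placeholders, not real
# keys).  A leading options field is optional; "verify-required" makes sshd
# insist on PIN/biometric user verification for that key.
SAMPLE_AUTH_KEYS='# plain software key: nothing physical protects it
ssh-ed25519 AAAAC3PLACEHOLDER0001 laptop
verify-required sk-ssh-ed25519@openssh.com AAAAGnPLACEHOLDER0002 yubikey-5
sk-ecdsa-sha2-nistp256@openssh.com AAAAInPLACEHOLDER0003 yubikey-nfc
from="10.0.0.0/8" ssh-rsa AAAAB3PLACEHOLDER0004 old-server'

# stdin: authorized_keys.  stdout, one line per key:
#   <hw|sw> <keytype> <options or -> <comment or ->
# hw = sk-* (FIDO) key type.  Options containing quoted spaces
# (e.g. command="a b") would need a real tokenizer; awk's field split is
# enough for the usual from=/verify-required/no-touch-required cases.
list_keys() {
    awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    {
        i = 1; opts = "-"
        if ($1 !~ /^(sk-)?(ssh-|ecdsa-)/) { opts = $1; i = 2 }
        type = $i
        comment = ($(i+2) != "") ? $(i+2) : "-"
        cls = (type ~ /^sk-/) ? "hw" : "sw"
        print cls, type, opts, comment
    }'
}

# Keys for which a copied file is enough to impersonate the user.
software_keys() { list_keys | awk '$1 == "sw"'; }

# Usage:  printf "%s\n" "$SAMPLE_AUTH_KEYS" | software_keys
```

Running the audit over a real ~/.ssh/authorized_keys is a quick way to see how far a host is from "hardware keys only"; once every remaining sw entry is gone, PubkeyAuthOptions verify-required in sshd_config (OpenSSH 8.4+) enforces PIN verification for all FIDO keys server-side rather than relying on per-key options.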


Original news release: http://www.openssh.com/txt/release-8.2




