Skip to main content

Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting our team. We will be in touch shortly.Close

  1. Blog
  2. Article

Joshua Powers
on 4 May 2020

Enhanced SSH and FIDO authentication in Ubuntu 20.04 LTS

20.04 LTS Identity Management Security Server

This article originally appeared on Joshua Powers’ blog

One of the most exciting security enhancements in Ubuntu 20.04 LTS (Focal Fossa) is the ability to use the Fast Identity Online (FIDO) or Universal 2nd Factor (U2F) devices with SSH. By using a second authentication factor via a device, users can add another layer of security to their infrastructure through a stronger and yet still easy to use mechanism for authentication. Ubuntu 20.04 LTS includes this feature out of the box through the latest version of OpenSSH 8.2

For users, once keys are in place only a tap of the device is required to log in. For administrators looking to use FIDO or U2F on the server side all that is required is a version of OpenSSH server, 8.2 or newer, that supports the new key types. 

The new public key types and certificates “ecdsa-sk” and “ed25519-sk” support such authentication devices. General handling of private and public key files is unchanged; users can still add a passphrase to the private key. By using a second factor the private SSH key alone is no longer enough to perform authentication. And as a result a compromised private key does not pose a threat.

The following section demonstrates how users can generate new key types and use them to perform authentication. First, users have to attach a device to the system. Next, they need to generate a new key and specify one of the new types. During this process users will get prompted to tap the token to confirm the operation:

ubuntu@focal-openssh-client:~$ ssh-keygen -t ecdsa-sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator 
to authorize key generation.

Enter file in which to save the key 
(/home/ubuntu/.ssh/id_ecdsa_sk):

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in 
/home/ubuntu/.ssh/id_ecdsa_sk

Your public key has been saved in 
/home/ubuntu/.ssh/id_ecdsa_sk.pub

Users can then confirm whether the new private and public keys were created:

ubuntu@focal-openssh-client:~$ l .ssh/id_ecdsa_sk*
-rw------- 1 ubuntu ubuntu 610 mar 30 17:58 .ssh/id_ecdsa_sk
-rw-r--r-- 1 ubuntu ubuntu 221 mar 30 17:58 .ssh/id_ecdsa_sk.pub

To use these keys all a user needs to do is copy the keys as they would do normally, using ssh-copy-id . This is done by ensuring the public key is added to ~/.ssh/authorized_keys file on the system they wish to connect to.

To log in to a device using the keys, a user can execute the following command:

ubuntu@focal-openssh-client:
~$ ssh -i .ssh/id_ecdsa_sk 10.0.100.75

Confirm user presence for key ECDSA-SK 
(...)
Welcome to Ubuntu Focal Fossa (development branch) 
(GNU/Linux 5.4.0-18-generic x86_64)
(...)
Last login: Mon Mar 30 20:29:05 2020 from 10.0.100.1
ubuntu@focal-openssh-server:~$

The prompt to confirm a user’s presence will appear and wait until the user touches the second factor device.

At the time of writing this post, there is a problem with displaying the prompt when using GNOME. Please refer to the Launchpad bug for more information about the expected fix date.

Download Ubuntu 20.04 LTS (Focal Fossa).

Related posts

Lech Sandecki
26 October 2023

Running OpenSSL 1.1.1 after EOL? Stay secure with Ubuntu Pro.

Ubuntu Article

A few months ago, the OpenSSL Project announced the end of life of OpenSSL 1.1.1. It is used by thousands of software components included in Ubuntu 18.04 LTS and Ubuntu 20.04 LTS, with many organisations relying on version 1.1.1. Rest assured that the Ubuntu security team will continue to maintain important security fixes in OpenSSL ...

Massimiliano Gori
16 September 2024

Announcing Authd: OIDC authentication for Ubuntu Desktop and Server

Ubuntu Article

Today we are announcing the general availability of Authd, a new authentication daemon for Ubuntu that allows direct integration with cloud-based identity providers for both Ubuntu Desktop and Server. Authd is available free of charge on Ubuntu 24.04 LTS. At launch, Authd supports Microsoft Entra ID (formerly Azure Active Directory) ident ...

Aaron Whitehouse
30 August 2024

Integrating the Ubuntu Snapshot Service into systems management and update tools

Cloud and server Article

Ubuntu recently released a snapshot service to use the archive as it was at a point in history. This article explains how to integrate this into systems management or update tools. ...