SSH access is the primary gateway for managing Linux servers. Although SSH keys are already secure, the risk of private key leakage still exists. To strengthen protection, we can use FIDO2/U2F hardware tokens such as YubiKey. With FIDO2, SSH authentication requires physical interaction with the security device, making remote attacks significantly more difficult. This article discusses SSH authentication methods, the concept of 2FA, YubiKey, and how to configure YubiKey as a FIDO2/U2F-based 2FA on Ubuntu.
SSH Authentication Methods
SSH supports several authentication methods:
- Password Authentication: The simplest method, but also the most vulnerable to brute-force attacks or password theft.
- Public Key Authentication: Uses a pair of public and private keys. More secure than passwords, but if the private key is compromised, server access can still be breached.
- Host-based Authentication: Relies on trust between hosts. Rarely used on public servers.
- Keyboard-Interactive / Challenge-Response: Allows additional methods such as OTP (One-Time Password), enabling integration with 2FA.
As a best practice, sysadmins typically disable password authentication and rely solely on SSH keys. However, adding hardware token-based 2FA such as YubiKey significantly enhances the security layer.
What is Two-Factor Authentication (2FA)?
2FA is an authentication method that uses two different verification factors. Typically, it consists of:
- Something you know → password or passphrase.
- Something you have → a physical device such as a token or smartphone.
- Something you are → biometrics, such as a fingerprint.
With 2FA, even if a private key or password is stolen, an attacker still cannot gain access without the physical device (in this case, the YubiKey).
Understanding YubiKey
YubiKey is a hardware device developed by Yubico that functions as a security key for multi-factor authentication. YubiKey supports various security protocols, including:
- OTP (One-Time Password)
- FIDO2 / U2F
- PIV (Personal Identity Verification)
- OpenPGP
- Challenge-Response
In the context of SSH, YubiKey can be used as a second factor. This means every SSH login requires a physical touch on the YubiKey device.
Installing YubiKey Support on Ubuntu
Ensure your OpenSSH version supports FIDO2 (OpenSSH 8.2 or newer). Then install the required packages:
sudo apt update
sudo apt install libfido2-1 libfido2-dev libu2f-udev -yCheck your OpenSSH version:
ssh -VIf the version is ≥ 8.2, FIDO2 support is available.
Configuring YubiKey FIDO2 for SSH
Insert your YubiKey, then generate a new SSH key:
ssh-keygen -t ed25519-sk -C "user@server"-sk→ indicates the use of a security key (FIDO2/U2F).- You will be prompted to touch the YubiKey to complete the key generation.
- Output: private key (
id_ed25519_sk) and public key (id_ed25519_sk.pub).
Copy the public key to the server:
ssh-copy-id -i ~/.ssh/id_ed25519_sk.pub user@IP-ServerTesting SSH Login
Try logging in:
ssh -i ~/.ssh/id_ed25519_sk user@IP-serverYou will be required to touch the YubiKey before the connection is established.
With FIDO2/U2F, YubiKey adds a physical security layer to SSH authentication. The private key cannot be used without the YubiKey, so even if the key file is stolen, it cannot be used to log in. This method is simpler than PAM-based OTP solutions and more robust because it integrates directly with modern OpenSSH. For sysadmins and security engineers, combining FIDO2-based SSH with disciplined key management is one of the best approaches to protect Ubuntu servers from unauthorized access.
