
Ability to support 2FA with FIDO2 (e.g. yubikeys)

Open abysso2 opened this issue 2 years ago • 5 comments

I am securing my ssh access to my bastion host via yubikeys:

  1. ssh-keygen -t ed25519-sk -O resident -f ~/.ssh/id_mykey_sk
  2. add id_mykey_sk.pub to the .ssh/authorized_keys at myaccount@bastionhost
  3. import id_mykey_sk to the keyfiles of webssh
  4. configure a ssh session with id_mykey_sk
  5. connect to bastion host: webssh asks for the password, but after entering the pw webssh complains that it cannot interpret the key

Is there any support planned?

Regards, A.

abysso2 avatar Jul 29 '22 12:07 abysso2
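As an added, offline check (not WebSSH's code and not part of this thread), the following parses an OpenSSH public-key or authorized_keys line, confirms the key type inside the base64 blob matches the declared type, and reports whether the key is a FIDO2-backed sk key (the `sk-ssh-ed25519@openssh.com` / `sk-ecdsa-sha2-nistp256@openssh.com` types that a client or sshd without sk support cannot interpret) plus its application string. It goes slightly beyond the issue by handling both sk types and an authorized_keys options prefix; the sample lines are constructed with all-zero key material.

```python
import base64
import struct

# Key types defined in OpenSSH's PROTOCOL.u2f for FIDO2/U2F-backed keys.
SK_TYPES = {"sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}

def _read_string(blob, off):
    """Read one SSH wire string (uint32 big-endian length + bytes) at off."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def inspect_pubkey(line):
    """Parse a public-key / authorized_keys line into type, FIDO2 flag, application."""
    fields = line.split()
    # Skip any authorized_keys options prefix and locate the key-type field.
    idx = next((i for i, f in enumerate(fields)
                if f.startswith(("ssh-", "sk-", "ecdsa-"))), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = fields[idx], base64.b64decode(fields[idx + 1])
    inner, off = _read_string(blob, 0)
    if inner.decode() != key_type:
        raise ValueError("key type inside blob does not match declared type")
    info = {"type": key_type, "fido2": key_type in SK_TYPES, "application": None}
    if info["fido2"]:
        # sk blobs: key material (Ed25519 point, or curve + EC point), then application last
        last = None
        while off < len(blob):
            last, off = _read_string(blob, off)
        info["application"] = last.decode()
    return info

def audit_authorized_keys(text):
    """(type, fido2) per key line; blank lines and '#' comments are skipped."""
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return [(i["type"], i["fido2"]) for i in map(inspect_pubkey, lines)]

# Constructed sample lines with all-zero 32-byte key material (not real token output).
def constructed_sk_key_line(app="ssh:"):
    blob = (_ssh_string(b"sk-ssh-ed25519@openssh.com")
            + _ssh_string(bytes(32)) + _ssh_string(app.encode()))
    return "sk-ssh-ed25519@openssh.com " + base64.b64encode(blob).decode() + " yubikey"

def constructed_classic_key_line():
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))
    return "no-pty ssh-ed25519 " + base64.b64encode(blob).decode() + " laptop"
```

Run `audit_authorized_keys` over a bastion's authorized_keys to see which entries are hardware-backed; an sk entry there is only usable from clients whose `ssh -Q key` lists the sk types.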

Hello @abysso2 👋

Thank you for your issue 👍

I will check how to implement FIDO integration inside WebSSH. I'm adding some links in order to drive my searches :

  • https://cryptsus.com/blog/how-to-configure-openssh-with-yubikey-security-keys-u2f-otp-authentication-ed25519-sk-ecdsa-sk-on-ubuntu-18.04.html
  • https://www.guyrutenberg.com/2022/04/02/creating-fido2-ssh-keys-using-ssh-keygen/
  • https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html
  • Implementation in Termius :
    • https://support.termius.com/hc/en-us/articles/5618120162457-FIDO2-based-SSH-keys-ed25519-sk-and-ecdsa-sk-
    • https://support.termius.com/hc/en-us/articles/4402453018393
    • https://support.termius.com/hc/en-us/articles/4413353324569-I-can-t-connect-using-an-ed25519-sk-or-ecdsa-sk-FIDO2-key

I can't tell about an ETA, it's not a trivial thing.

isontheline avatar Jul 29 '22 19:07 isontheline

Whooo, that would be a cool thing ... thank you so much!

abysso2 avatar Jul 30 '22 09:07 abysso2

I just found this StackExchange post. Maybe add to your research links. I'm pretty sure the remote systems will need FIDO2 libs for their sshd so yeah this is still bleeding edge!!

BobDenny avatar Feb 13 '23 23:02 BobDenny

Thank you a lot @BobDenny 🙏

isontheline avatar Feb 14 '23 19:02 isontheline

Adding related to this issue the ability to use Secure Enclave : #1046

isontheline avatar Feb 03 '24 15:02 isontheline