Friday, May 23, 2025

Secure SSH Authentication with YubiKey using Putty client

 

Introduction

In today's digital landscape, securing access to remote servers is more critical than ever. Traditional password-based authentication poses significant security risks, making hardware security keys like YubiKey an attractive alternative.

This guide will walk you through the process of setting up all the necessary components and establishing an SSH connection to a remote server using a YubiKey for authentication. You'll learn how to configure your system, generate the necessary cryptographic keys, and integrate them with SSH for a seamless and highly secure login experience.

Benefits and Drawbacks of Using a Physical Security Key Like YubiKey

Pros:

  • Enhanced Security – Unlike passwords, YubiKey uses cryptographic authentication, reducing the risk of brute-force attacks and phishing.
  • Hardware-Based Protection – Private keys never leave the device, making them nearly impossible to extract or clone.
  • Ease of Use – Once configured, authentication becomes effortless with a simple touch.

Cons:

  • Initial Setup Complexity – Requires technical configuration, which may be challenging for non-experts.
  • Risk of Loss or Damage – Losing your YubiKey may lock you out unless backup measures are in place.
  • Compatibility Limitations – Some systems and services may not fully support YubiKey authentication.

With these insights in mind, let's dive into the setup process! Happy reading, and enjoy securing your SSH connections with YubiKey!

 

Let’s get started:

 

Download YubiKey Manager

https://www.yubico.com/support/download/yubikey-manager/#h-downloads

 

Install it and run it.

 

Go to Applications and PIV and then Configure Certificates

Go to Authentication and click Generate:

Select Algorithm RSA2048

 

 

Download PuTTY-CAC

https://github.com/NoMoreFood/putty-cac

You can download the latest release of PuTTY CAC here: https://github.com/NoMoreFood/putty-cac/releases

Extract it and run putty.exe

Go to Connection -> SSH -> Certificate, set CAPI Cert to the Self Signed Cert stored on your Yubikey.

 


Select "Copy to Clipboard" to grab the correctly formatted authorized key, then add it to .ssh/authorized_keys on the remote server:

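# Create the .ssh directory if it does not exist yet
mkdir -p ~/.ssh

# authorized_keys2 is a deprecated name that the stock sshd_config no longer reads; use authorized_keys
nano ~/.ssh/authorized_keys

# Paste the key from the clipboard as a single line and save

# Remove all group and other permissions from ~/.ssh and its contents
chmod -R go= ~/.ssh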

You can now authenticate using PIV
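
To confirm on the server that the pasted line survived the clipboard and nano intact and really is the RSA2048 key generated above, the check below decodes the key blob, reads the modulus size, and tests for the permissions that chmod -R go= leaves. It is an added example, not part of the original post or of PuTTY-CAC; the function names are hypothetical, it assumes a plain "ssh-rsa <base64> [comment]" line with no options prefix, and the sample line is constructed rather than a real key.

```python
import base64
import os
import struct


def ssh_fields(blob):
    """Split an SSH public-key blob into its length-prefixed fields (RFC 4253)."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (size,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + size > len(blob):
            raise ValueError("truncated field, key was cut or wrapped on paste")
        fields.append(blob[off:off + size])
        off += size
    return fields


def check_key_line(line, want_bits=2048):
    """Return the RSA modulus size of one 'ssh-rsa <base64> [comment]' line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected 'ssh-rsa <base64> [comment]'")
    fields = ssh_fields(base64.b64decode(parts[1], validate=True))
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("blob is not an ssh-rsa public key")
    bits = int.from_bytes(fields[2], "big").bit_length()
    if bits != want_bits:
        raise ValueError(f"modulus is {bits} bits, expected {want_bits}")
    return bits


def private_to_owner(path):
    """True when group and other have no access, the state 'chmod -R go=' leaves."""
    return os.stat(path).st_mode & 0o077 == 0


def constructed_line(bits=2048):
    """Build a syntactically valid sample line. Constructed data, not a real key."""
    def field(b):
        return struct.pack(">I", len(b)) + b
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    blob = field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(b"\x00" + n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed-sample"


if __name__ == "__main__":
    print(check_key_line(constructed_line()), "bit RSA key, line is intact")
```

On the server, pass each line of ~/.ssh/authorized_keys to check_key_line and the file path to private_to_owner.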

 

 

 
