I am a happy owner of 2 Yubico U2F / FIDO2 keys, and the idea of being able to use them to authenticate myself on my ssh session drives me crazy with joy.
On Raspbian we are stuck at release 7.9.
When will 8.2 be released on Valentine's Day?
Is there a way to manually update Raspbian's openssh? Thanks to whoever answers me.
Source:
https://www.openssh.com/txt/release-8.2
Re: openssh 8.2 enables u2f / fido2 tokens
There doesn't seem to be a buster-backports repository for Raspbian, and upstream in Debian the buster-backports repository does not seem to have the package OpenSSH-server ... at least not yet.
So that would leave building it from source using apt-src. However, there does not seem to be a source package for it in the Raspbian repository, and the OpenPGP keys are missing from Raspbian for the plain Debian sources. Otherwise it might be possible to drop in the new tar ball and finish the build.
I've tested the FIDO keys on OpenBSD already and it is dreadfully simple to implement. So the hard part will be getting OpenSSH 8.2p into Raspbian.
Re: openssh 8.2 enables u2f / fido2 tokens
I managed to implement U2F/FIDO at Raspbian login and Yubico OTP always at Raspbian login.
Yubico OTP provides online validation with their server, so I can remotely access Raspbian by logging in with VNC and Yubico OTP like 2FA.
I have to understand through the PAM libraries how to do it for ssh arm.
But with 8.2 I read that it would work a bit like public and private key certificates.
Re: openssh 8.2 enables u2f / fido2 tokens
Yes, the instructions in the release notes you link to in your post above work (on systems with OpenSSH 8.2) and are very easy to follow. It is like making a normal SSH key pair except for the key type and the need to touch the hardware token once to finish the process. I can't say about SSH certificates and FIDO but presume that it is like it was before but with similar changes. PAM is better than what was earlier but is still not pleasant or easy or fully standardized.
Re: openssh 8.2 enables u2f / fido2 tokens
Any progress regarding openssh 8.2 for Raspbian? I'd love to be able to use an ed25519-sk key for ssh connections. I.e. a key which would require my Yubikey to be plugged in for 2FA when connecting.
Re: openssh 8.2 enables u2f / fido2 tokens
A lot changes in a year

If you have an ARMv8 Raspberry Pi then you could run Raspberry Pi ARM64 Beta Testing Operating System, and as it is based on Debian Buster ARM64 you could use Backports:
https://packages.debian.org/source/bust ... ts/openssh
http://downloads.raspberrypi.org/raspio ... 020-08-24/
Take what I advise as advice not the utopian holy grail, and it is gratis !!
Re: openssh 8.2 enables u2f / fido2 tokens
Thanks for the tip: it actually worked! I used the Raspios version I already had:
https://downloads.raspberrypi.org/raspi ... 021-01-12/
So no need to reinstall anything. This is what I did:
- added Backports to sources.list file
- added the missing public keys as complained after running apt update using apt-key adv --keyserver keyserver.ubuntu.com --recv-keys [ID] command
- installed openssh-sftp-server/buster-backports (required by openssh-server)
- installed openssh-server/buster-backports
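- added the ed25519-sk key to my authorized_keys
And it worked just fine. I.e. I need to have now my Yubikey plugged in and I need to tap it to be able to SSH to Raspberry.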
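An added example, not part of the original posts: a shell check for the two things the steps above depend on, namely that the installed OpenSSH is at least 8.2 and that authorized_keys holds no non-FIDO key that would still let a login succeed without the token. The function names, version strings and key lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# supports_sk "VERSION STRING": succeeds if the OpenSSH version is >= 8.2,
# the release that introduced the ed25519-sk / ecdsa-sk key types.
# On a real host: supports_sk "$(ssh -V 2>&1)"
supports_sk() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2          # not an OpenSSH version string
    set -- $ver                        # $1 = major, $2 = minor
    [ "$1" -gt 8 ] || { [ "$1" -eq 8 ] && [ "$2" -ge 2 ]; }
}

# non_sk_keys [FILE]: print "LINE: keytype" for every authorized_keys entry
# that is not a FIDO-backed (sk-) key. Any such entry still allows a login
# without the token. Reads stdin when no file is given.
non_sk_keys() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        {
            # The key type may follow an options field, so scan for it.
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(sk-)?(ssh|ecdsa)-[A-Za-z0-9-]+(@openssh\.com)?$/) {
                    if ($i !~ /^sk-/) print NR ": " $i
                    next
                }
        }' "$@"
}

# Constructed sample file: one legacy key, two token-backed keys.
sample_authorized_keys() {
cat <<'EOF'
# constructed sample, key blobs are placeholders
ssh-rsa AAAA_CONSTRUCTED_BLOB old-laptop
sk-ssh-ed25519@openssh.com AAAA_CONSTRUCTED_BLOB yubikey-1
no-port-forwarding sk-ecdsa-sha2-nistp256@openssh.com AAAA_CONSTRUCTED_BLOB yubikey-2
EOF
}

# Demo on the sample; on a real host: non_sk_keys ~/.ssh/authorized_keys
sample_authorized_keys | non_sk_keys
```

An empty result from `non_sk_keys` means every listed key needs the hardware token; password authentication is configured separately in sshd_config.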
Re: openssh 8.2 enables u2f / fido2 tokens
Paapaa wrote: ↑Wed Feb 10, 2021 8:21 pm
And it worked just fine. I.e. I need to have now my Yubikey plugged in and I need to tap it to be able to SSH to Raspberry.

Good it worked, but as RaspiOS32 is based on Raspbian and a recompiled version of Debian ARMv7 ARMHF, to be compatible with ARMv6 / v7 / V8, using pure Debian can sometimes cause issues due to conflicts with Raspbian packages.
That is why I run RaspiOS64 not RaspiOS32.