I have a number of computers on which I've generated an ed25519-sk SSH key, all using the same U2F hardware authenticator (YubiKey 5C NFC). I'm now in a situation involving three computers: X, Y, and Z. I have physical possession of computer X, along with the U2F key. I am using the U2F key to SSH into computer Y over a VPN. I want to then SSH from computer Y to computer Z, which is not on the VPN but is accessible on Y's LAN. The SSH key on computer Y requires the U2F key to be plugged into computer Y's USB port in order to be used. However, I am very far away from computer Y and can only plug in the U2F key on computer X. Is there any way I can use that U2F key to, via SSH from computer X to Y, unlock the SSH key on computer Y? There's the SecurityKeyProvider parameter that can override which library is used to interface with U2F keys, but I don't know whether there exists a library that can do what I want.
1 Answer
If you're using the same U2F hardware token, you can copy the private key file from machine Y to machine X, add that key to the agent, and then log into Y with agent forwarding (ssh -A). That's because in order to use a security key-backed key, you need the security key and private key on the same machine.
An ed25519-sk key is generated using a security key and a challenge string, which is randomly generated. The generation process results in a key handle, which is required to be passed to the security key for signature generation, and this is stored in the private key file. The access to the security key generally cannot be forwarded (unless you use something like USB-IP), so you'll need to have the private key on the same machine as the one you've plugged the security key into.
The good news is that the key handle (and hence the private key) of an ed25519-sk key is completely useless without the security key. Thus, there is substantially less risk to storing it on multiple machines, on disk, or on removable media.
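The answer's point that an ed25519-sk private key file holds only a key handle (plus the application string and flags), and no secret scalar, can be checked directly against the file you would copy from Y to X. The script below is an added example, not code from the question or answer: it parses the unencrypted openssh-key-v1 container and the `sk-ssh-ed25519@openssh.com` key section as laid out in OpenSSH's PROTOCOL.u2f, and prints what is actually stored. It assumes the key has no passphrase (run `ssh-keygen -p -N '' -f <file>` on a copy first if it does). The embedded sample key is constructed from arbitrary bytes so the script runs offline; point it at your own `~/.ssh/id_ed25519_sk` to see the real key handle.

```python
"""Inspect an OpenSSH sk-ssh-ed25519@openssh.com private key file.

Added example. It shows that the "private" half of an ed25519-sk key is
only a FIDO key handle, application string and flags: the signing key
never leaves the security key, which is why copying this file to another
machine (together with the token) is what makes the key usable there.
"""
import base64
import struct

SK_ED25519 = b"sk-ssh-ed25519@openssh.com"
MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def _read_uint32(buf: bytes, off: int):
    (v,) = struct.unpack_from(">I", buf, off)
    return v, off + 4


def parse_sk_private_key(pem: str) -> dict:
    """Parse an unencrypted openssh-key-v1 file holding one sk-ed25519 key."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    blob = base64.b64decode(body)
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 file")
    off = len(MAGIC)
    cipher, off = _read_string(blob, off)
    kdf, off = _read_string(blob, off)
    _kdfopts, off = _read_string(blob, off)
    if cipher != b"none" or kdf != b"none":
        raise ValueError("passphrase-protected; remove it first: ssh-keygen -p -N '' -f <file>")
    nkeys, off = _read_uint32(blob, off)
    if nkeys != 1:
        raise ValueError(f"expected 1 key, found {nkeys}")
    _wire_pub, off = _read_string(blob, off)   # wire-format public key
    priv, off = _read_string(blob, off)        # "encrypted" section, plaintext here

    p = 0
    check1, p = _read_uint32(priv, p)
    check2, p = _read_uint32(priv, p)
    if check1 != check2:
        raise ValueError("check integers differ: corrupt file")
    keytype, p = _read_string(priv, p)
    if keytype != SK_ED25519:
        raise ValueError(f"not an sk-ed25519 key: {keytype!r}")
    pubkey, p = _read_string(priv, p)          # Ed25519 public point (32 bytes)
    application, p = _read_string(priv, p)     # FIDO relying party, normally "ssh:"
    flags = priv[p]; p += 1                    # SSH_SK_* signing flags
    key_handle, p = _read_string(priv, p)      # opaque handle the token needs to sign
    _reserved, p = _read_string(priv, p)
    comment, p = _read_string(priv, p)
    return {
        "type": keytype.decode(),
        "public_key_hex": pubkey.hex(),
        "application": application.decode(),
        "user_presence_required": bool(flags & 0x01),
        "user_verification_required": bool(flags & 0x04),
        "key_handle_hex": key_handle.hex(),
        "comment": comment.decode(),
    }


def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def build_sample_key(pubkey: bytes, application: bytes, flags: int,
                     key_handle: bytes, comment: bytes) -> str:
    """Assemble an unencrypted openssh-key-v1 file for an sk-ed25519 key.
    Only used to produce CONSTRUCTED input for the parser above; the bytes
    passed in are arbitrary, not values from a real authenticator."""
    wire_pub = _string(SK_ED25519) + _string(pubkey) + _string(application)
    check = b"\x13\x37\xca\xfe"
    priv = (check + check + _string(SK_ED25519) + _string(pubkey)
            + _string(application) + bytes([flags]) + _string(key_handle)
            + _string(b"") + _string(comment))
    pad = (-len(priv)) % 8                     # pad with 1,2,3,... to 8-byte block
    priv += bytes(range(1, pad + 1))
    blob = (MAGIC + _string(b"none") + _string(b"none") + _string(b"")
            + struct.pack(">I", 1) + _string(wire_pub) + _string(priv))
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed sample: 32 counting bytes as the public key, 64 0xab bytes as the
# key handle. Neither came from a security key.
SAMPLE_KEY = build_sample_key(bytes(range(32)), b"ssh:", 0x01, b"\xab" * 64, b"user@Y")

if __name__ == "__main__":
    import sys
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KEY
    for k, v in parse_sk_private_key(pem).items():
        print(f"{k}: {v}")
```

Once the file is on X, `ssh-add ~/.ssh/id_ed25519_sk` loads it into the agent (the token must be plugged into X), and `ssh -A Y` then lets Y use that agent for the hop to Z; the key handle alone, as the script shows, is not a usable secret on Y.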