Thank you for the presentation. Does this work with pure FIDO2 or only with yubikey ? I ask this because there are FIDO2 keys available much cheaper than the Yubikey.
Hi Jonas Markström! I try to configure 3 ways to connect via SSH to my device. I'm able to connect via FIDO2 and OTP. FIDO2 is with my Yubikey Bio and OTP with Yubikey 5. These two protocol work flawlessly... but even if some of my users are configure with match in my config_sshd, # Match User client : Authentification par mot de passe uniquement Match User client AuthenticationMethods password The password authentication doesnt work anymore. I was wondering if you could help me out with this one?
So how do we secure the root account without having to use passwords, because otherwise you still need a password manager ? You probably don't want to allow root access remotely directly. My guess is sudo or su don't have facilities for that ? I was thinking, maybe allow only key-based authentication for the root user from ipv4 localhost and ip6 localhost. And use the outside hostname/ip as a jump host to connect to 'root@localhost' ?
watch at 1.25x speed
Awesome video, Jonas!
Thank you!
Great tutorial, Jonas! How can we add the key to a 2nd backup key too?
Thank you for the presentation. Does this work with pure FIDO2 or only with yubikey ? I ask this because there are FIDO2 keys available much cheaper than the Yubikey.
Hi Jonas Markström! I try to configure 3 ways to connect via SSH to my device. I'm able to connect via FIDO2 and OTP. FIDO2 is with my Yubikey Bio and OTP with Yubikey 5. These two protocol work flawlessly... but even if some of my users are configure with match in my config_sshd,
# Match User client : Authentification par mot de passe uniquement
Match User client
AuthenticationMethods password
The password authentication doesnt work anymore. I was wondering if you could help me out with this one?
How to add a backup yubikey to the same ssh key pair
So how do we secure the root account without having to use passwords, because otherwise you still need a password manager ? You probably don't want to allow root access remotely directly. My guess is sudo or su don't have facilities for that ?
I was thinking, maybe allow only key-based authentication for the root user from ipv4 localhost and ip6 localhost. And use the outside hostname/ip as a jump host to connect to 'root@localhost' ?
Did you look at the PAM module?