The OpenSSH developers have released version 8.2 of their suite of programs for secure data and file transfer. The most important innovation in the new version is support for two-factor authentication via U2F from the FIDO Alliance. U2F stands for Universal Second Factor, an industry standard of the FIDO Alliance whose beginnings go back to 2009.
The aim of the alliance is to offer a form of two-factor authentication that is as easy to use as possible. A password alone is not enough to log in; a hardware token, for example a USB stick plugged into the local machine, serves as the second factor. To activate the token for a transaction, the user sometimes also has to touch it, proving that they are physically present at the computer.
This form of authentication now works with OpenSSH. The program supports the special public key types ecdsa-sk and ed25519-sk, together with matching certificate types, for such tokens. Keys are generated with the ssh-keygen tool; the user then enrolls the key with the corresponding token. The following example command generates a key pair: ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
For attackers, the private key file should then be completely useless without access to the hardware token, the announcement says. Once generated, the keys can be used with OpenSSH as usual. The only restriction is that the associated hardware token must be connected to the computer whenever the keys are used.
The SSH developers point out that FIDO tokens must support ECDSA-P256, whereas hardware support for Ed25519 is less common. Likewise, not every token supports the so-called resident keys or the ssh-keygen option -O no-touch-required, which makes it possible to skip the touch activation of a token.
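As an added example (not code from the OpenSSH project or from this article), the following Python inspects a public key line to tell FIDO-backed sk keys apart from ordinary ones and reads the application string that the token binds the key to. The two sample key lines are constructed with dummy key material, not real keys.

```python
import base64
import struct

# Public key types OpenSSH 8.2 introduced for FIDO/U2F-backed keys.
SK_TYPES = {
    "sk-ecdsa-sha2-nistp256@openssh.com": "ecdsa-sk",
    "sk-ssh-ed25519@openssh.com": "ed25519-sk",
}

def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def read_strings(blob: bytes) -> list:
    """Split a public key blob into its length-prefixed strings."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + n > len(blob):
            raise ValueError("truncated SSH string")
        fields.append(blob[pos:pos + n])
        pos += n
    return fields

def inspect_pubkey(line: str) -> dict:
    """Describe one .pub / authorized_keys line: key type, whether a security key
    backs it, and (for sk types) the application string, which is the last field."""
    keytype, b64 = line.split()[:2]
    fields = read_strings(base64.b64decode(b64))
    if fields[0].decode() != keytype:
        raise ValueError("key type in text and in blob disagree")
    info = {"type": keytype, "security_key": keytype in SK_TYPES, "application": None}
    if keytype in SK_TYPES:
        info["application"] = fields[-1].decode()
    # ssh-rsa as a key type is not itself SHA-1; the signature algorithm negotiated
    # at login decides (rsa-sha2-256/512 are the non-SHA-1 choices).
    info["legacy_rsa_type"] = keytype == "ssh-rsa"
    return info

def make_sample_line(keytype: str, *fields: bytes) -> str:
    """Build a constructed public-key line from dummy fields (sample data only)."""
    blob = b"".join(ssh_string(f) for f in (keytype.encode(), *fields))
    return f"{keytype} {base64.b64encode(blob).decode()} user@example"

# Constructed samples: ecdsa-sk carries curve name, EC point, application; RSA carries e, n.
SAMPLE_ECDSA_SK = make_sample_line(
    "sk-ecdsa-sha2-nistp256@openssh.com", b"nistp256", b"\x04" + b"\x11" * 64, b"ssh:")
SAMPLE_RSA = make_sample_line("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xab" * 256)
```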
Resident keys for FIDO
The resident keys mentioned are part of FIDO2, which OpenSSH 8.2 also supports. With U2F, SSH normally generates one private key part for the computer and one for the token; the latter remains on the token and cannot be exported from the USB device. Anyone who wants to use the token with another computer therefore has to copy the private key from computer A to computer B, which is cumbersome.
Resident keys make it possible to generate private keys for a token that can be retrieved directly from the token on another system. In the announcement for OpenSSH 8.2, the developers also explain how users generate these resident keys and later load them onto other computers.
SHA-1 is out of date
Citing the ever-improving attacks on the hash function SHA-1, the developers now officially describe it as obsolete in OpenSSH. "In the near future the public key signature algorithm ssh-rsa will be deactivated by default", the announcement says. Unfortunately for the developers, the algorithm is still widely used. ECDSA, Ed25519 and RSA-SHA2 have long been available as alternatives, and all of them are already supported by OpenSSH.