🔑 Using Secure Keys for GitHub SSH Operations
In this post on using FIDO U2F for GitHub SSH we see how you can set up secure keys for pushing code update to your GitHub repositories. git offers version tracking and assists collaboration on coding projects. GitHub is currently the best know service offering git repo hosting. The recent rise of the JAMStack and other trends have made committing code to a git service an essential stage in the continuous integration process.
Authentication technology has also moved on as signing in with SSH passwords got replaced with using PGP keys. Taking it a step further, you can now use FIDO U2F secure keys to authenticate SSH transactions. The added security advantage is that the USB key has to be with you physically when you commit. In this post we look at how you can set up secure keys for GitHub and also some SSH configuration settings. I hope this is something you will find useful.
😕 What is FIDO U2F?FIDO U2F keys are hardware tokens used in Multifactor authentication. Like 2FA authenticator app codes, they offer second factor authentication (2FA) though FIDO U2F keys are less susceptible to phishing attacks than those authenticator app codes. As an example of when you might use FIDO U2F keys, you can harden your Twitter, gmail and Facebook or even GitHub account by enabling FIDO U2F and using that as your preferred login method. Typically you plug in the USB key as you log in and have to tap it to complete the login. We'll see here how using FIDO U2F for GitHub SSH can secure your push and fetch operations.
⚙️ How to Create an SSH Secure Key for GitHub
Using FIDO U2F for GitHub SSH
- You can use an existing FIDO U2F key but if you don't yet own one you will need to buy one. YubiKey make a number of keys some of them much more expensive than others. The basic and relatively inexpensive Security Key models are fine to use here. You can also use other brands.
- Check you have a compatible version of OpenSSH installed by running the command:You will need version 8.2 or higher. On macOS you can install openssh with Homebrew to get the latest version, try installing with a package manager for your operating system if you are not running macOS. You may also need to install
- Place your FIDO U2F key in a free USB port and type the following command to start the one-time setup:You will need to touch your FIDO U2F key when it starts flashing. After, when prompted, type in a password. You can now remove the USB key. We are using an ECDSA type key here as these are compatible with more keys. Some prefer to use
ed25519-skin place of
ecdsa-skabove because of association of ECDSA keys with government agencies. Your own choice will depend on your threat model as well as what your own key supports.
- Log in to GitHub, click your avatar in the top right and select Settings. Then from the menu on the left select SSH and GPG keys then click the New SSH key button.
- In the new screen that appears, enter something to help you identify your key in the Title, you might want to use the filename for your public key. Next get the public key by typing the following command in the Terminal:You can copy the entire output (which will start sk-ecdsa and end with the key description Github key). Paste this in the Key text box in the GitHub console. Then click the Add SSH key button.
- Finally let's test the new key. Place the FIDO U2F key into a free USB port and run the test command:When prompted enter your password (this is the password you entered as you created the key). Then, just like when you created the new SSH key, the FIDO U2F key will start flashing, touch it to confirm your presence. If all is well, you will see a message like this one:When you are ready to, you can remove any existing SSH keys which you may no longer need.
🔨 SSH Config
Since we are hardening the login method, we can also harden SSH configuration. I based this configuration off Dr Duh's configuration .
This prefers IPv4 connections over IPv6, disables password login as well as some other hardening measures such as limiting the allowed encryption ciphers and message authentication algorithms. Be sure to update the path to you GitHub key in line 7 to match the path of the key you just created. The settings in lines
8 apply just to GitHub SSH connections. The remaining ones apply to any other SSH connection, so these may need tweaking to work with any other services you use. Be sure to test all connections with this new configuration.
🙌🏽 Using FIDO U2F for GitHub SSH: What we Learned
In this post we looked at:
why you would want to use a FIDO U2F key for GitHub SSH operations,
how to create an SSH secure key for GitHub,
a hardened SSH configuration.
I do hope there is at least one thing in this article which you can use in your work. You may also want to see GitHub's own documentation on setting up secure SSH keys .
🏁 Using FIDO U2F for GitHub SSH: Summary
What is GitHub secure key SSH?
- Traditionally, for connecting to a remote system using SSH, just a password was used. Best practice has since evolved and now typically, we use a cryptographic key in place of a password. This takes the form of public key cryptography, where a public key is shared to the remote service and the user authenticates using their private key. Secure keys add additional protection. There is only a single FIDO U2F hardware token authorised to authenticate requests which cannot easily be cloned. Since the token has to be with the user at the time of authentication, unauthorised access to systems is made much harder.
Does GitHub accept FIDO U2F SSH keys for operations?
- Yes. GitHub has allowed FIDO U2F secure key SSH operations, using YubiKey Secure Keys as well as other brands since May 2021. You need OpenSSH 8.2 or higher on your machine to create a suitable SSH key as well as a compatible FIDO U2F key. The cheaper YubiKey FIDO U2F hardware tokens as well as other brands will work.
How do you create a FIDO U2F SSH key for GitHub?
- You can create a FIDO U2F SSH key for GitHub using the common openssh command line utility. Just use the -t esdsa-sk flag to create an ECDSA secure key. During the process you will be asked to touch the key and also enter a password. Once set up, whenever you push to you GitHub repo, you will need the same FIDO U2F token.
🙏🏽 Using FIDO U2F for GitHub SSH: Feedback
Have you found the post useful? Would you prefer to see posts on another topic instead? Get in touch with ideas for new posts. Also if you like my writing style, get in touch if I can write some posts for your company site on a consultancy basis. Read on to find ways to get in touch, further below. If you want to support posts similar to this one and can spare a few dollars, euros or pounds, please consider supporting me through Buy me a Coffee.
Finally, feel free to share the post on your social media accounts for all your followers who will find it useful. As well as leaving a comment below, you can get in touch via @askRodney on Twitter and also askRodney on Telegram . Also, see further ways to get in touch with Rodney Lab. I post regularly on SvelteKit as well as security-related topics. Also subscribe to the newsletter to keep up-to-date with our latest projects.