Registration/SSH/SSH-FIDO2-Quick-Start: Difference between revisions
< Registration | SSH
Jump to navigation
Jump to search
m (M Janczyk moved page Registration/SSH/Yubikey-Quick-Start to Registration/SSH/SSH-FIDO2-Quick-Start) |
mNo edit summary |
||
| (2 intermediate revisions by the same user not shown) | |||
| Line 6: | Line 6: | ||
'''Why FIDO2 SSH Keys?''' |
'''Why FIDO2 SSH Keys?''' |
||
FIDO2 SSH keys (ED25519-SK) offer significant advantages: |
FIDO2 SSH keys ('''ED25519-SK''' and '''ECDSA-SK''') offer significant advantages: |
||
* ''' |
* Valid for '''720 days''' - no frequent re-registration needed |
||
* No pre-login required - no need to first unlock with password and TOTP |
|||
* '''Hardware-protected''' - private key never leaves the Yubikey |
|||
* Hardware-protected - private key never leaves the security key |
|||
* '''Physical presence required''' - you must touch the key to authenticate |
|||
* Physical presence required - you must touch the key to authenticate |
|||
'''Note:''' ECDSA-SK keys are not supported on these clusters. Use ED25519-SK instead. |
|||
{| class="wikitable" style="text-align:center; margin-top:10px;" |
{| class="wikitable" style="text-align:center; margin-top:10px;" |
||
| Line 32: | Line 31: | ||
= Requirements = |
= Requirements = |
||
* A FIDO2 security key |
* A FIDO2 security key, e.g.: |
||
** [https://www.yubico.com/products/yubikey-5-overview/ Yubikey 5 series] or newer |
|||
** [https://www.ftsafe.com/Products/FIDO/Single_Button_FIDO Feitian ePass FIDO A4B] (~18 €, as of May 2026) — supports <code>ecdsa-sk</code> only, use <code>ssh-keygen -t ecdsa-sk</code> |
|||
** Token2 or any other FIDO2-certified key |
|||
* OpenSSH 8.2 or newer |
* OpenSSH 8.2 or newer |
||
* For PIN setup: Either Chrome/Chromium/Brave browser OR <code>yubikey-manager</code> command-line tool (Yubikey only) |
* For PIN setup: Either Chrome/Chromium/Brave browser OR <code>yubikey-manager</code> command-line tool (Yubikey only) |
||
| Line 40: | Line 42: | ||
<pre> |
<pre> |
||
ssh -V |
ssh -V |
||
ssh -Q PubkeyAcceptedAlgorithms | grep sk-ssh-ed25519 |
ssh -Q PubkeyAcceptedAlgorithms | grep -E 'sk-ssh-ed25519|sk-ecdsa' |
||
</pre> |
</pre> |
||
| Line 49: | Line 51: | ||
== Step 1: Set up your FIDO2 Security Key == |
== Step 1: Set up your FIDO2 Security Key == |
||
What is a FIDO2 PIN? The PIN protects your security key's FIDO2 functions. For Yubikeys, it's separate from any other PINs (like the PIV PIN). Choose a PIN you can remember or save it to a keystore - you have 8 attempts before needing to reset. |
|||
<div style="border: 3px solid #dc3545; padding: 15px; background-color: #f8d7da; margin: 10px 0;"> |
<div style="border: 3px solid #dc3545; padding: 15px; background-color: #f8d7da; margin: 10px 0;"> |
||
| Line 65: | Line 67: | ||
</pre> |
</pre> |
||
You'll be asked to enter a new PIN |
You'll be asked to '''enter a new PIN'''. |
||
'''Forgot your PIN or need to reset?''' You can reset your FIDO2 PIN using |
'''Forgot your PIN or need to reset?''' You can reset your FIDO2 PIN using <code>ykman fido reset</code> or use the "Reset your security key" option shown in the browser security key settings (see image in Option B below). |
||
=== Option B: Browser Setup (Chrome/Chromium/Brave) === |
=== Option B: Browser Setup (Chrome/Chromium/Brave) === |
||
You can also set a FIDO2 PIN using Chrome, Chromium, or Brave browser. '''This method works for all FIDO2 security hardware keys''' (Yubikey, Feitian, Token2, etc.), not just Yubikeys. |
You can also set a FIDO2 PIN using Chrome, Chromium, or Brave browser. '''This method works for all FIDO2 security hardware keys''' (Yubikey, Feitian, Token2, etc.), not just Yubikeys. |
||
'''Alternative:''' For Yubikeys specifically, you can also use [https://www.yubico.com/products/yubico-authenticator/ Yubico Authenticator]. |
|||
'''1. Open Security Key Settings:''' |
'''1. Open Security Key Settings:''' |
||
| Line 79: | Line 82: | ||
* Chrome/Chromium/Brave: <code>chrome://settings/securityKeys</code> |
* Chrome/Chromium/Brave: <code>chrome://settings/securityKeys</code> |
||
[[File:Chrome_Fido2_1.png|center|600px|Manage security keys - shows options for Create PIN, Sign-in data, Fingerprints, and Reset security key]] |
[[File:Chrome_Fido2_1.png|center|600px|thumb|Manage security keys - shows options for Create PIN, Sign-in data, Fingerprints, and Reset security key]] |
||
'''Note:''' The "Reset your security key" option (shown with red warning icons in the image above) can be used if you forget your PIN. '''Warning: Reset will delete all FIDO2 data including SSH keys!''' |
'''Note:''' The "Reset your security key" option (shown with red warning icons in the image above) can be used if you forget your PIN. '''Warning: Reset will delete all FIDO2 data including SSH keys!''' |
||
| Line 87: | Line 90: | ||
Click '''Create a PIN''' and follow the prompts: |
Click '''Create a PIN''' and follow the prompts: |
||
[[File:Chrome_Fido2_2.png|center|400px|Create PIN dialog]] |
[[File:Chrome_Fido2_2.png|center|400px|thumb|Create PIN dialog]] |
||
[[File:Chrome_Fido2_3.png|center|400px|Enter new PIN]] |
[[File:Chrome_Fido2_3.png|center|400px|thumb|Enter new PIN]] |
||
'''3. PIN Created Successfully:''' |
'''3. PIN Created Successfully:''' |
||
'''Alternative:''' For Yubikeys specifically, you can also use [https://www.yubico.com/products/yubico-authenticator/ Yubico Authenticator]. |
|||
== Step 2: Create an SSH Key == |
== Step 2: Create an SSH Key == |
||
This creates a non-discoverable FIDO2 SSH key. The private key material is wrapped/encrypted with a secret stored on your security key - the security key is required for every authentication, but the actual key credentials are stored on your computer. |
|||
'''Note:''' For keys stored directly on the security key (resident/discoverable keys), see the [https://gitlab.rz.uni-freiburg.de/escience-public/yubikey#creating-discoverable-ssh-keys resident keys documentation]. |
'''Note:''' For keys stored directly on the security key (resident/discoverable keys), see the [https://gitlab.rz.uni-freiburg.de/escience-public/yubikey#creating-discoverable-ssh-keys resident keys documentation]. |
||
Connect your FIDO2 security key and create a new SSH key: |
'''Connect your FIDO2 security key''' and create a new SSH key. Optional: Choose a descriptive filename like <code>id_ed25519_sk_bwunicluster</code> or <code>id_ed25519_sk_nemo2</code>: |
||
<pre> |
<pre> |
||
ssh-keygen -t ed25519-sk |
ssh-keygen -t ed25519-sk -f ~/.ssh/id_ed25519_sk_bwunicluster |
||
</pre> |
</pre> |
||
When prompted: |
When prompted: |
||
* '''Enter PIN:''' First, you'll be asked to enter your FIDO2 PIN (the one you set in Step 1) |
* '''Enter PIN:''' First, you'll be asked to enter your FIDO2 PIN (the one you set in Step 1) |
||
* '''Filename:''' Choose a descriptive name like <code>id_ed25519_sk_bwunicluster</code> or <code>id_ed25519_sk_nemo2</code> |
|||
* '''Passphrase:''' Press Enter to skip - the key is protected by requiring physical security key presence |
* '''Passphrase:''' Press Enter to skip - the key is protected by requiring physical security key presence |
||
* '''Touch your security key:''' The key will blink or light up - touch it to confirm |
* '''Touch your security key:''' The key will blink or light up - touch it to confirm |
||
| Line 121: | Line 121: | ||
<div style="border: 3px solid #17a2b8; padding: 15px; background-color: #d1ecf1; margin: 10px 0;"> |
<div style="border: 3px solid #17a2b8; padding: 15px; background-color: #d1ecf1; margin: 10px 0;"> |
||
'''FIDO2 SSH Keys work immediately |
'''FIDO2 SSH Keys work immediately - no pre-login required!''' |
||
Unlike regular SSH keys, FIDO2 keys do not need to be |
Unlike regular SSH keys, FIDO2 keys do not need to be unlocked by first logging in with password and TOTP. |
||
They work as soon as you register them as '''Interactive Keys'''. |
They work as soon as you register them as '''Interactive Keys''' and are valid for '''720 days'''. |
||
</div> |
</div> |
||
| Line 134: | Line 134: | ||
</pre> |
</pre> |
||
2. Copy the complete output (starts with <code>sk-ssh-ed25519@openssh.com</code>) |
2. Copy the complete output (starts with <code>sk-ssh-ed25519@openssh.com</code> for ED25519-SK, or <code>sk-ecdsa-sha2-nistp256@openssh.com</code> for ECDSA-SK) |
||
3. Follow the [[Registration/SSH#Adding_a_new_SSH_Key|SSH Key Registration Guide]] to: |
3. Follow the [[Registration/SSH#Adding_a_new_SSH_Key|SSH Key Registration Guide]] to: |
||
| Line 158: | Line 158: | ||
<pre> |
<pre> |
||
Host bwuni |
Host bwuni bwunicluster.scc.kit.edu |
||
HostName bwunicluster.scc.kit.edu |
HostName bwunicluster.scc.kit.edu |
||
User fr_user1234 |
User fr_user1234 |
||
IdentityFile ~/.ssh/id_ed25519_sk_bwunicluster |
IdentityFile ~/.ssh/id_ed25519_sk_bwunicluster |
||
Host nemo2 |
Host nemo2 login.nemo.uni-freiburg.de |
||
HostName login.nemo.uni-freiburg.de |
HostName login.nemo.uni-freiburg.de |
||
User fr_user1234 |
User fr_user1234 |
||
| Line 177: | Line 177: | ||
== Using Multiple Security Keys (Optional) == |
== Using Multiple Security Keys (Optional) == |
||
Having backup security keys adds convenience - you can switch between devices without reconfiguring. |
|||
'''Note:''' If you lose your security key, you can still access the cluster using regular SSH keys (with 2FA unlock) or password login with TOTP. |
'''Note:''' If you lose your security key, you can still access the cluster using regular SSH keys (with 2FA unlock) or password login with TOTP. |
||
| Line 189: | Line 189: | ||
<pre> |
<pre> |
||
Host bwunicluster.scc.kit.edu uc*.scc.kit.edu login*.nemo.uni-freiburg.de |
|||
Host bwuni nemo2 |
|||
User fr_user1234 |
User fr_user1234 |
||
IdentityFile ~/.ssh/id_ed25519_sk_key1 |
IdentityFile ~/.ssh/id_ed25519_sk_key1 |
||
| Line 209: | Line 209: | ||
** Install <code>yubikey-manager</code> (for Yubikey command-line setup only): |
** Install <code>yubikey-manager</code> (for Yubikey command-line setup only): |
||
*** Debian/Ubuntu: <code>sudo apt install yubikey-manager</code> |
*** Debian/Ubuntu: <code>sudo apt install yubikey-manager</code> |
||
*** RHEL/Rocky/Alma: <code>sudo dnf install yubikey-manager</code> |
*** Fedora/RHEL/Rocky/Alma: <code>sudo dnf install yubikey-manager</code> |
||
** Install <code>openssh-client</code> if missing |
** Install <code>openssh-client</code> if missing |
||
| Line 222: | Line 222: | ||
* '''PIN locked after too many attempts?''' |
* '''PIN locked after too many attempts?''' |
||
** Reset FIDO2 PIN: See [ |
** Reset FIDO2 PIN: See [[#Step_1:_Set_up_your_FIDO2_Security_Key|Step 1]] |
||
'''Need more help?''' See the [https://gitlab.rz.uni-freiburg.de/escience-public/yubikey#troubleshooting complete troubleshooting guide]. |
|||
= Learn More = |
|||
'''Cluster-Specific Documentation:''' |
|||
* [[Registration/SSH|Complete SSH Key Registration Guide for bwUniCluster/bwForCluster]] |
|||
'''Yubikey & FIDO2 SSH Documentation:''' |
|||
* [https://gitlab.rz.uni-freiburg.de/escience-public/yubikey Comprehensive Yubikey Guide] - Setup, configuration, troubleshooting |
|||
** [https://gitlab.rz.uni-freiburg.de/escience-public/yubikey#creating-discoverable-ssh-keys Resident Keys] - Store keys directly on Yubikey |
|||
** [https://gitlab.rz.uni-freiburg.de/escience-public/yubikey#ssh-configuration-for-fido2-secured-ssh-keys SSH Config Examples] - Automate your SSH connections |
|||
** [https://gitlab.rz.uni-freiburg.de/escience-public/yubikey#yubikey-best-practices Backup Strategies] - Multi-key and recovery setups |
|||
'''Official Yubico Documentation:''' |
|||
* [https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html Securing SSH with FIDO2] - Technical deep dive |
|||
= Requirements = |
|||
* A Yubikey (5 series or newer) |
|||
* OpenSSH 8.2 or newer |
|||
* Linux system with <code>yubikey-manager</code> and <code>openssh-client</code> packages |
|||
'''Check your OpenSSH version:''' |
|||
<pre> |
|||
ssh -V |
|||
ssh -Q PubkeyAcceptedAlgorithms | grep sk-ssh-ed25519@openssh.com |
|||
</pre> |
|||
'''Need help with installation?''' See the [https://gitlab.rz.uni-freiburg.de/escience-public/yubikey#ssh-and-yubikeys detailed setup guide] for your operating system. |
|||
= Quick Start Guide = |
|||
== Step 1: Set up your Yubikey == |
|||
'''What is a FIDO2 PIN?''' The PIN protects your Yubikey's FIDO2 functions. It's separate from any other PINs on your Yubikey (like the PIV PIN). |
|||
Set a PIN for your Yubikey's FIDO2 functionality: |
|||
<pre> |
|||
ykman fido access change-pin |
|||
</pre> |
|||
You'll be asked to enter a new PIN. Choose a PIN you can remember - you have 8 attempts before needing to reset. |
|||
'''Note:''' For GUI setup, you can use [https://www.yubico.com/products/yubico-authenticator/ Yubico Authenticator] instead. |
|||
'''Forgot your PIN or need to reset?''' See the [https://gitlab.rz.uni-freiburg.de/escience-public/yubikey#troubleshooting troubleshooting guide]. |
|||
== Step 2: Create an SSH Key == |
|||
'''What happens here?''' This creates a non-discoverable FIDO2 SSH key. The private key material is wrapped/encrypted with a secret stored on your Yubikey - the Yubikey is required for every authentication, but the actual key credentials are stored on your computer. |
|||
'''Note:''' For keys stored directly on the Yubikey (resident/discoverable keys), see the [https://gitlab.rz.uni-freiburg.de/escience-public/yubikey#creating-discoverable-ssh-keys resident keys documentation]. |
|||
Connect your Yubikey and create a new SSH key: |
|||
<pre> |
|||
ssh-keygen -t ed25519-sk |
|||
</pre> |
|||
When prompted: |
|||
* '''Enter PIN:''' First, you'll be asked to enter your FIDO2 PIN (the one you set in Step 1) |
|||
* '''Filename:''' Choose a descriptive name like <code>id_ed25519_sk_bwunicluster</code> or <code>id_ed25519_sk_nemo2</code> |
|||
* '''Passphrase:''' Press Enter to skip - the key is protected by requiring physical Yubikey presence |
|||
* '''Touch your Yubikey:''' The key will blink - touch it to confirm |
|||
Two files are created: |
|||
* <code>~/.ssh/id_ed25519_sk_bwunicluster</code> - key handle (encrypted credentials that require the Yubikey) |
|||
* <code>~/.ssh/id_ed25519_sk_bwunicluster.pub</code> - public key (this is what you'll upload) |
|||
'''Want keys stored on the Yubikey itself?''' See [https://gitlab.rz.uni-freiburg.de/escience-public/yubikey#creating-discoverable-ssh-keys resident keys documentation] for discoverable keys that can be copied to any machine. |
|||
== Step 3: Register Your Public Key == |
|||
<div style="border: 3px solid #17a2b8; padding: 15px; background-color: #d1ecf1; margin: 10px 0;"> |
|||
'''FIDO2 SSH Keys work immediately without 2-factor authentication!''' |
|||
Unlike regular SSH keys, FIDO2 keys do not need to be "unlocked" with username/password. |
|||
They work as soon as you register them as '''Interactive Keys'''. |
|||
</div> |
|||
'''For bwUniCluster 3.0 and bwForCluster NEMO 2:''' |
|||
1. View your public key: |
|||
<pre> |
|||
cat ~/.ssh/id_ed25519_sk_bwunicluster.pub |
|||
</pre> |
|||
2. Copy the complete output (starts with <code>sk-ssh-ed25519@openssh.com</code>) |
|||
3. Follow the [[Registration/SSH#Adding_a_new_SSH_Key|SSH Key Registration Guide]] to: |
|||
* Add your public key in bwIDM/bwServices |
|||
* Register it as an '''Interactive Key''' for your cluster |
|||
* Connect immediately - no 2FA unlock needed! |
|||
== Step 4: Connect with Your Yubikey == |
|||
After registering your key as an '''Interactive Key''' in bwIDM: |
|||
<pre> |
|||
ssh -i ~/.ssh/id_ed25519_sk_bwunicluster your_username@bwunicluster.scc.kit.edu |
|||
</pre> |
|||
'''What to expect:''' |
|||
1. Your Yubikey will blink |
|||
2. Touch it to authenticate |
|||
3. You're logged in - no password needed! |
|||
'''Tip:''' Add your key to <code>~/.ssh/config</code> to avoid typing the <code>-i</code> option every time: |
|||
<pre> |
|||
Host bwuni |
|||
HostName bwunicluster.scc.kit.edu |
|||
User fr_user1234 |
|||
IdentityFile ~/.ssh/id_ed25519_sk_bwunicluster |
|||
Host nemo2 |
|||
HostName login.nemo.uni-freiburg.de |
|||
User fr_user1234 |
|||
IdentityFile ~/.ssh/id_ed25519_sk_nemo2 |
|||
</pre> |
|||
Then simply connect with: <code>ssh bwuni</code> or <code>ssh nemo2</code> |
|||
See [https://gitlab.rz.uni-freiburg.de/escience-public/yubikey#ssh-configuration-for-fido2-secured-ssh-keys SSH config examples] for more advanced configurations. |
|||
= Advanced Topics = |
|||
== Using Multiple Yubikeys (Optional) == |
|||
'''Why?''' Having backup Yubikeys adds convenience - you can switch between devices without reconfiguring. |
|||
'''Note:''' If you lose your Yubikey, you can still access the cluster using regular SSH keys (with 2FA unlock) or password login with TOTP. |
|||
'''Setup:''' |
|||
1. Create a key on your first Yubikey: <code>id_ed25519_sk_key1</code> |
|||
2. Create another key on your second Yubikey: <code>id_ed25519_sk_key2</code> |
|||
3. Register '''both public keys''' in bwIDM as Interactive Keys |
|||
4. Configure <code>~/.ssh/config</code> with multiple identities: |
|||
<pre> |
|||
Host bwuni nemo2 |
|||
User fr_user1234 |
|||
IdentityFile ~/.ssh/id_ed25519_sk_key1 |
|||
IdentityFile ~/.ssh/id_ed25519_sk_key2 |
|||
</pre> |
|||
SSH will automatically try each key until it finds one with a connected Yubikey. |
|||
= Troubleshooting = |
|||
'''Common Issues:''' |
|||
* '''Key not working?''' |
|||
** Make sure your Yubikey is plugged in |
|||
** Try unplugging and re-plugging the Yubikey |
|||
** Check if the key is blinking (requires touch) |
|||
* '''Command not found?''' |
|||
** Install <code>yubikey-manager</code>: |
|||
*** Debian/Ubuntu: <code>sudo apt install yubikey-manager</code> |
|||
*** RHEL/Rocky/Alma: <code>sudo dnf install yubikey-manager</code> |
|||
** Install <code>openssh-client</code> if missing |
|||
* '''Old OpenSSH?''' |
|||
** Check version: <code>ssh -V</code> |
|||
** Update to version 8.2 or newer |
|||
** On older systems, consider using a newer OpenSSH version or upgrade your OS |
|||
* '''"invalid format" or "unknown key type"?''' |
|||
** Your OpenSSH version is too old (needs 8.2+) |
|||
** The cluster doesn't support FIDO2 keys (only bwUniCluster 3.0 and NEMO 2) |
|||
* '''PIN locked after too many attempts?''' |
|||
** Reset FIDO2 PIN: See [https://gitlab.rz.uni-freiburg.de/escience-public/yubikey#configure-yubikey-for-fido2 PIN reset guide] |
|||
'''Need more help?''' See the [https://gitlab.rz.uni-freiburg.de/escience-public/yubikey#troubleshooting complete troubleshooting guide]. |
|||
= Learn More = |
= Learn More = |
||
| Line 412: | Line 233: | ||
** [https://gitlab.rz.uni-freiburg.de/escience-public/yubikey#creating-discoverable-ssh-keys Resident Keys] - Store keys directly on Yubikey |
** [https://gitlab.rz.uni-freiburg.de/escience-public/yubikey#creating-discoverable-ssh-keys Resident Keys] - Store keys directly on Yubikey |
||
** [https://gitlab.rz.uni-freiburg.de/escience-public/yubikey#ssh-configuration-for-fido2-secured-ssh-keys SSH Config Examples] - Automate your SSH connections |
** [https://gitlab.rz.uni-freiburg.de/escience-public/yubikey#ssh-configuration-for-fido2-secured-ssh-keys SSH Config Examples] - Automate your SSH connections |
||
** [https://gitlab.rz.uni-freiburg.de/escience-public/yubikey#yubikey-best-practices Backup Strategies] - Multi-key and recovery setups |
|||
'''Official Yubico Documentation:''' |
'''Official Yubico Documentation:''' |
||
Latest revision as of 18:26, 28 May 2026
SSH with FIDO2 Security Keys - Quick Start Guide
This guide shows you how to secure your SSH keys with FIDO2 security hardware keys (Yubikey, Feitian, Token2, etc.) using FIDO2.
Why FIDO2 SSH Keys?
FIDO2 SSH keys (ED25519-SK and ECDSA-SK) offer significant advantages:
- Valid for 720 days - no frequent re-registration needed
- No pre-login required - no need to first unlock with password and TOTP
- Hardware-protected - private key never leaves the security key
- Physical presence required - you must touch the key to authenticate
| Cluster | FIDO2 Support |
|---|---|
| bwUniCluster 3.0 | ✓ |
| bwForCluster BinAC 2 | ✗ |
| bwForCluster Helix | ✗ |
| bwForCluster JUSTUS 2 | ✗ |
| bwForCluster NEMO 2 | ✓ |
Requirements
- A FIDO2 security key, e.g.:
- Yubikey 5 series or newer
- Feitian ePass FIDO A4B (~18 €, as of May 2026) — supports
ecdsa-skonly, usessh-keygen -t ecdsa-sk - Token2 or any other FIDO2-certified key
- OpenSSH 8.2 or newer
- For PIN setup: Either Chrome/Chromium/Brave browser OR
yubikey-managercommand-line tool (Yubikey only) - For SSH key generation:
openssh-clientpackage
Check your OpenSSH version:
ssh -V ssh -Q PubkeyAcceptedAlgorithms | grep -E 'sk-ssh-ed25519|sk-ecdsa'
Need help with installation? See the detailed setup guide for your operating system.
Quick Start Guide
Step 1: Set up your FIDO2 Security Key
What is a FIDO2 PIN? The PIN protects your security key's FIDO2 functions. For Yubikeys, it's separate from any other PINs (like the PIV PIN). Choose a PIN you can remember or save it to a keystore - you have 8 attempts before needing to reset.
Important:
If you lose your FIDO2 PIN, the security key must be reset. All FIDO2 data will be lost, including SSH keys stored on the device. After reset, you must generate new SSH keys and re-register them.
Option A: Command Line Setup (Yubikey only)
For Yubikeys, set a PIN using the yubikey-manager tool:
ykman fido access change-pin
You'll be asked to enter a new PIN.
Forgot your PIN or need to reset? You can reset your FIDO2 PIN using ykman fido reset or use the "Reset your security key" option shown in the browser security key settings (see image in Option B below).
Option B: Browser Setup (Chrome/Chromium/Brave)
You can also set a FIDO2 PIN using Chrome, Chromium, or Brave browser. This method works for all FIDO2 security hardware keys (Yubikey, Feitian, Token2, etc.), not just Yubikeys. Alternative: For Yubikeys specifically, you can also use Yubico Authenticator.
1. Open Security Key Settings:
Enter the following in your browser's address bar:
- Chrome/Chromium/Brave:
chrome://settings/securityKeys
Note: The "Reset your security key" option (shown with red warning icons in the image above) can be used if you forget your PIN. Warning: Reset will delete all FIDO2 data including SSH keys!
2. Create a PIN:
Click Create a PIN and follow the prompts:
3. PIN Created Successfully:
Step 2: Create an SSH Key
This creates a non-discoverable FIDO2 SSH key. The private key material is wrapped/encrypted with a secret stored on your security key - the security key is required for every authentication, but the actual key credentials are stored on your computer.
Note: For keys stored directly on the security key (resident/discoverable keys), see the resident keys documentation.
Connect your FIDO2 security key and create a new SSH key. Optional: Choose a descriptive filename like id_ed25519_sk_bwunicluster or id_ed25519_sk_nemo2:
ssh-keygen -t ed25519-sk -f ~/.ssh/id_ed25519_sk_bwunicluster
When prompted:
- Enter PIN: First, you'll be asked to enter your FIDO2 PIN (the one you set in Step 1)
- Passphrase: Press Enter to skip - the key is protected by requiring physical security key presence
- Touch your security key: The key will blink or light up - touch it to confirm
Two files are created:
~/.ssh/id_ed25519_sk_bwunicluster- key handle (encrypted credentials that require the security key)~/.ssh/id_ed25519_sk_bwunicluster.pub- public key (this is what you'll upload)
Want keys stored on the security key itself? See resident keys documentation for discoverable keys that can be copied to any machine.
Step 3: Register Your Public Key
FIDO2 SSH Keys work immediately - no pre-login required!
Unlike regular SSH keys, FIDO2 keys do not need to be unlocked by first logging in with password and TOTP. They work as soon as you register them as Interactive Keys and are valid for 720 days.
For bwUniCluster 3.0 and bwForCluster NEMO 2:
1. View your public key:
cat ~/.ssh/id_ed25519_sk_bwunicluster.pub
2. Copy the complete output (starts with sk-ssh-ed25519@openssh.com for ED25519-SK, or sk-ecdsa-sha2-nistp256@openssh.com for ECDSA-SK)
3. Follow the SSH Key Registration Guide to:
- Add your public key in bwIDM/bwServices
- Register it as an Interactive Key for your cluster
That's it! You can connect immediately - no 2FA unlock needed.
Step 4: Connect with Your Security Key
After registering your key as an Interactive Key in bwIDM:
ssh -i ~/.ssh/id_ed25519_sk_bwunicluster your_username@bwunicluster.scc.kit.edu
What to expect: 1. Your security key will blink or light up 2. Touch it to authenticate 3. You're logged in - no password needed!
Tip: Add your key to ~/.ssh/config to avoid typing the -i option every time:
Host bwuni bwunicluster.scc.kit.edu HostName bwunicluster.scc.kit.edu User fr_user1234 IdentityFile ~/.ssh/id_ed25519_sk_bwunicluster Host nemo2 login.nemo.uni-freiburg.de HostName login.nemo.uni-freiburg.de User fr_user1234 IdentityFile ~/.ssh/id_ed25519_sk_nemo2
Then simply connect with: ssh bwuni or ssh nemo2
See SSH config examples for more advanced configurations.
Advanced Topics
Using Multiple Security Keys (Optional)
Having backup security keys adds convenience - you can switch between devices without reconfiguring.
Note: If you lose your security key, you can still access the cluster using regular SSH keys (with 2FA unlock) or password login with TOTP.
Setup:
1. Create a key on your first security key: id_ed25519_sk_key1
2. Create another key on your second security key: id_ed25519_sk_key2
3. Register both public keys in bwIDM as Interactive Keys
4. Configure ~/.ssh/config with multiple identities:
Host bwunicluster.scc.kit.edu uc*.scc.kit.edu login*.nemo.uni-freiburg.de User fr_user1234 IdentityFile ~/.ssh/id_ed25519_sk_key1 IdentityFile ~/.ssh/id_ed25519_sk_key2
SSH will automatically try each key until it finds one with a connected security key.
Troubleshooting
Common Issues:
- Key not working?
- Make sure your security key is plugged in
- Try unplugging and re-plugging the security key
- Check if the key is blinking or lit up (requires touch)
- Command not found?
- Install
yubikey-manager(for Yubikey command-line setup only):- Debian/Ubuntu:
sudo apt install yubikey-manager - Fedora/RHEL/Rocky/Alma:
sudo dnf install yubikey-manager
- Debian/Ubuntu:
- Install
openssh-clientif missing
- Install
- Old OpenSSH?
- Check version:
ssh -V - Update to version 8.2 or newer
- On older systems, consider using a newer OpenSSH version or upgrade your OS
- Check version:
- "invalid format" or "unknown key type"?
- Your OpenSSH version is too old (needs 8.2+)
- The cluster doesn't support FIDO2 keys (only bwUniCluster 3.0 and NEMO 2)
- PIN locked after too many attempts?
- Reset FIDO2 PIN: See Step 1
Learn More
Cluster-Specific Documentation:
Yubikey & FIDO2 SSH Documentation:
- Comprehensive Yubikey Guide - Setup, configuration, troubleshooting
- Resident Keys - Store keys directly on Yubikey
- SSH Config Examples - Automate your SSH connections
Official Yubico Documentation:
- Securing SSH with FIDO2 - Technical deep dive