anhkiet2507

SSH Auth using FIDO Device

Feb 27th, 2022 (edited)
Step 1: Plug in the FIDO device (e.g. a Google Titan Security Key) and run this command:

ssh-keygen -t ecdsa-sk

If the error "Key enrollment failed: unknown or unsupported key type" appears:
1. Update OpenSSH to the latest version or version 8.9. On macOS you can use Homebrew.
2. Install libfido2:
https://github.com/Yubico/libfido2/blob/master/README.adoc#installation

Step 2: Choose where to save the key (id_ecdsa_sk), and optionally enter a passphrase for more protection.

Step 3: Go to the directory where you saved the key and copy id_ecdsa_sk.pub to your server. Alternatively, copy its content, use nano on the server to create an id_ecdsa_sk.pub file, and paste the content of the key into that file.

Step 4: Add the public key to the authorized_keys file (normally located in ~/.ssh). You can use the command below:

cat id_ecdsa_sk.pub >> ~/.ssh/authorized_keys

Step 5: Open the sshd_config file (located in ~/.ssh/sshd_config or /etc/ssh/sshd_config). Then uncomment this line, or add it to the config file:

PubkeyAuthentication yes

You may also disable password authentication:

PasswordAuthentication no

Step 6: Restart the SSH service:

sudo service ssh restart

OR

sudo service sshd restart

Step 7: Reconnect and you will be asked for the authentication key. Just plug in the FIDO device and touch it; authentication then completes automatically.
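A check for steps 4 and 5, as an added example that is not part of the original paste: sshd keeps the first value it reads for a keyword, so a "PasswordAuthentication no" added below an existing "PasswordAuthentication yes" has no effect, and any non-FIDO key left in authorized_keys still logs in without the device. The helper names (effective_value, non_fido_keys, make_samples) and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the results of steps 4 and 5. Helper names are hypothetical.
# effective_value prints the value sshd will use for a keyword. sshd keeps the
# FIRST value it reads; keywords are case-insensitive. Simplification: Include
# files are not followed and parsing stops at the first Match block.
effective_value() {  # $1 = keyword, $2 = config file
    awk -v kw="$1" '
        $1 ~ /^#/                  { next }
        tolower($1) == "match"     { exit }
        tolower($1) == tolower(kw) { print tolower($2); exit }
    ' "$2"
}

SK_TYPES='sk-ecdsa-sha2-nistp256@openssh[.]com|sk-ssh-ed25519@openssh[.]com'
PLAIN_TYPES='ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)'
# Print "line: type" for each authorized_keys entry that is not FIDO-backed ("sk-" types).
non_fido_keys() {  # $1 = authorized_keys file
    awk -v re="^($SK_TYPES|$PLAIN_TYPES)\$" '
        NF == 0 || $1 ~ /^#/ { next }
        {
            type = "unrecognized"
            # Options may precede the key type, so scan the fields for it.
            for (i = 1; i <= NF; i++)
                if ($i ~ re) { type = $i; break }
            if (type !~ /^sk-/) print NR ": " type
        }
    ' "$1"
}

# Constructed sample files (placeholder key material, not real keys).
make_samples() {  # $1 = directory to write into
    cat > "$1/sshd_config" <<'EOF'
# constructed sample
PubkeyAuthentication yes
PasswordAuthentication yes
# added at the end while following step 5: ignored, it is not the first
PasswordAuthentication no
EOF
    cat > "$1/authorized_keys" <<'EOF'
sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDER user@laptop
ssh-rsa AAAAPLACEHOLDER old-key@laptop
EOF
}

d=$(mktemp -d) && make_samples "$d"
echo "PasswordAuthentication: $(effective_value PasswordAuthentication "$d/sshd_config")"
echo "non-FIDO keys:"; non_fido_keys "$d/authorized_keys"
rm -rf "$d"
```

On a live server, `sudo sshd -T` prints the configuration sshd actually resolves, including Include files that this sketch does not follow.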