Fido U2F SSH authentication (2FA/MFA)

Since version 8.2 OpenSSH is supporting U2F MFA. Here is short guide on how to enable two (or three) factor SSH authentication using physical key (like Yubikey) for accessing OpenWrt console.


  • U2F key (second key strongly advised to not get locked out in case of key loss)
  • sufficient amount of memory in OpenWrt appliance

On Linux:

ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
ssh-copy-id -i ~/.ssh/id_ecdsa_sk root@router_IP

On router:

uci set dropbear.@dropbear[0].Port=2222
uci commit dropbear
/etc/init.d/dropbear restart

After that you should be able to reach out to router by: ssh -p 2222 root@router_IP

opkg update
opkg install openssh-server

Change lines on the router /etc/ssh/sshd_config file to:

ListenAddress LAN_IP_of_the_router # optional
PasswordAuthentication no

and run following commands:

/etc/init.d/sshd enable
/etc/init.d/sshd start

if connection with ssh root@router_IP works fine with Fido2 key you are ready to disable dropbear:

/etc/init.d/dropbear disable
/etc/init.d/dropbear stop

Linux part of setup should be repeated for second key using different file names. Alternatively backup authentication could be setup with Google Authenticator.


Some remarks:

  1. Linux requires libfido2 or to be installed for ecdsa-sk to work.

  2. Not all fido keys are supporting ed25519-sk (but even the cheapest ones should support ecdsa-sk)

  3. Last time I have checked putty wasn't supporting either.

1 Like

OpenWRT 19.07.4 includes packages for OpenSSH 8.0p1, not 8.2p1. Is the assumption here that you're building OpenWRT from source?

Indeed. I am building from master branch.
Obviously you don't need to build by yourself and instead use for example @hnyman 's master build.

You mean Build for Netgear R7800? I may give that a try.

Yeah, current one is:

Hi, I've recently bought a Solokey, which implements FIDO2 as well and I have been using it on my router for a while now.

Since OpenSSH is already on 8.4p on master, I've opened a PR to add support for all FIDO2 keys on the official OpenWRT openssh-server package.

Also, a few notes: libsk-libfido2 is not required anymore by OpenSSH anymore.
All that's needed is libcbor, libfido2 itself and OpenSSH to be compiled with the --with-security-key-builtin flag.

If anyone wants to compile their own openssh-server package, feel free to use this PR. Hopefully it'll get merged at some point and it'll probably land on the next OpenWRT release.

Instead of building your own OpenWRT image from scratch, you can just build the openssh-server package using the compiled OpenWRT SDK for your current version. You can find more information here

1 Like