Fido U2F SSH authentication (2FA/MFA)

Since version 8.2, OpenSSH supports U2F MFA. Here is a short guide on how to enable two- (or three-) factor SSH authentication using a physical key (like a YubiKey) to access the OpenWrt console.

Prerequisites:

  • a U2F key (a second key is strongly advised so you don't get locked out in case of key loss)
  • a sufficient amount of memory on the OpenWrt appliance

On Linux:

ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
ssh-copy-id -i ~/.ssh/id_ecdsa_sk root@router_IP

On router:

uci set dropbear.@dropbear[0].Port=2222
uci commit dropbear
/etc/init.d/dropbear restart

After that you should be able to reach the router with: ssh -p 2222 root@router_IP

opkg update
opkg install openssh-server

Change the following lines in the router's /etc/ssh/sshd_config file to:

ListenAddress LAN_IP_of_the_router # optional
PasswordAuthentication no

and run the following commands:

/etc/init.d/sshd enable
/etc/init.d/sshd start

If the connection with ssh root@router_IP works fine with the FIDO2 key, you are ready to disable dropbear:

/etc/init.d/dropbear disable
/etc/init.d/dropbear stop

The Linux part of the setup should be repeated for the second key using different file names. Alternatively, backup authentication could be set up with Google Authenticator.

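As an added example (not code from the original post or from OpenWrt), here is a small POSIX sh helper for the router side of the procedure above. It sets sshd_config directives idempotently (replacing a commented-out default instead of appending a duplicate) and, before you disable dropbear, checks that PasswordAuthentication is off and that at least two FIDO-backed (sk-*) keys are enrolled, so a lost key does not lock you out. The paths /etc/ssh/sshd_config and /root/.ssh/authorized_keys (OpenSSH's default AuthorizedKeysFile for root) and the function names are assumptions; the uci and init.d commands are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Router-side helpers for the
# FIDO/U2F OpenSSH setup: idempotent sshd_config edits plus a lock-out check
# before dropbear is disabled. Paths below are assumptions.
SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}
AUTH_KEYS=${AUTH_KEYS:-/root/.ssh/authorized_keys}

# set_sshd_option FILE KEY VALUE
# Rewrites an existing directive (even a commented-out one) or appends it.
# Caveat: every matching line is rewritten, including lines inside a Match
# block; VALUE must not contain sed's '&' or the '~' delimiter used here.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file"; then
        # busybox sed (OpenWrt) and GNU sed both accept -E
        sed -E "s~^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$~$key $value~" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# count_sk_keys FILE
# Prints the number of FIDO-backed public keys (the OpenSSH sk-* types) in an
# authorized_keys file. Lines that start with key options are not counted;
# a missing file counts as zero.
count_sk_keys() {
    n=$(grep -Ec '^(sk-ecdsa-sha2-nistp256|sk-ssh-ed25519)@openssh\.com ' "$1" 2>/dev/null) || n=${n:-0}
    echo "${n:-0}"
}

# ready_to_disable_dropbear CONFIG AUTH_KEYS
# Succeeds only if password login is off and at least two sk-* keys are
# enrolled, i.e. losing one key still leaves a way in.
ready_to_disable_dropbear() {
    cfg=$1; auth=$2
    grep -Eq '^[[:space:]]*PasswordAuthentication[[:space:]]+no([[:space:]]|$)' "$cfg" || return 1
    [ "$(count_sk_keys "$auth")" -ge 2 ] || return 1
    return 0
}

# harden_router: the router-side steps from the post, gated by the check.
# Only runs when the script is invoked with "apply" (hypothetical wrapper).
harden_router() {
    set_sshd_option "$SSHD_CONFIG" PasswordAuthentication no
    /etc/init.d/sshd enable
    /etc/init.d/sshd restart
    if ready_to_disable_dropbear "$SSHD_CONFIG" "$AUTH_KEYS"; then
        echo "sshd is up with >=2 FIDO keys enrolled; safe to run: /etc/init.d/dropbear disable; /etc/init.d/dropbear stop"
    else
        echo "refusing: need 'PasswordAuthentication no' and at least two sk-* keys in $AUTH_KEYS" >&2
        return 1
    fi
}

if [ "${1:-}" = apply ]; then
    harden_router
fi
```

Copy the script to the router and run it as `sh harden.sh apply` (file name is hypothetical) after both keys have been enrolled with ssh-copy-id; keep the dropbear session on port 2222 open until the script reports success and a fresh login with each key works.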

Some remarks:

  1. Linux requires libfido2 or libsk-libfido2.so to be installed for ecdsa-sk to work.

  2. Not all FIDO keys support ed25519-sk (but even the cheapest ones should support ecdsa-sk).

  3. Last time I checked, PuTTY wasn't supporting either.


OpenWrt 19.07.4 includes packages for OpenSSH 8.0p1, not 8.2p1. Is the assumption here that you're building OpenWrt from source?

Indeed. I am building from the master branch.
Obviously you don't need to build it yourself; instead you can use, for example, @hnyman's master build.

You mean Build for Netgear R7800? I may give that a try.

Yeah, current one is: