Traditional SSH authentication methods like passwords and even SSH keys are increasingly vulnerable to sophisticated attacks. Hardware security keys using FIDO2 protocols offer a revolutionary approach to secure server access, combining something you have (the physical key) with something you are (biometric verification). This guide will walk you through implementing passwordless SSH authentication using YubiKey or other FIDO2-compatible devices on Ubuntu 24.04 LTS.
By the end of this tutorial, you’ll have established a robust, phishing-resistant authentication system that eliminates the need for passwords while providing enterprise-grade security for your VPS infrastructure.
Prerequisites
Before proceeding with this hardware-based authentication setup, ensure you have:
- Ubuntu 24.04 LTS VPS with root or sudo access
- Minimum 1GB RAM and 2GB storage space
- FIDO2-compatible hardware security key (YubiKey 5 series, SoloKey, or similar)
- Local machine with SSH client and web browser
- Active internet connection for package installation
- Backup SSH access method (password or existing key pair) for recovery
Warning: Always maintain a backup authentication method until you’ve thoroughly tested FIDO2 SSH access. Losing access to your hardware key without backup could lock you out permanently.
Step-by-Step Tutorial
Step 1: Update System and Install Prerequisites
Connect to your Ubuntu 24.04 VPS and update the system packages:
sudo apt update && sudo apt upgrade -y
sudo apt install libpam-u2f pamu2fcfg -yThe libpam-u2f package provides PAM module support for U2F/FIDO2 authentication, while pamu2fcfg helps configure your hardware keys.
Step 2: Configure Your Hardware Security Key
Insert your YubiKey or FIDO2 device into your local machine and create the U2F configuration. On your local computer (not the VPS), run:
# Install required tools locally
sudo apt install libpam-u2f pamu2fcfg -y
# Generate U2F key mapping
pamu2fcfg -u $(whoami) > ~/u2f_keysTouch your hardware key when prompted. The command generates a unique key handle and public key for your device.
Step 3: Transfer Configuration to VPS
Copy the generated U2F configuration to your VPS. First, display the content:
cat ~/u2f_keysThe output should look similar to:
username:abcdef123456...,04a1b2c3d4e5f6...On your VPS, create the U2F configuration directory and file:
sudo mkdir -p /etc/u2f_mappings
sudo nano /etc/u2f_mappings/u2f_keysPaste the configuration line from your local machine, ensuring the username matches your VPS user account.
Step 4: Configure PAM Authentication
Modify the SSH PAM configuration to enable multi-factor authentication:
sudo nano /etc/pam.d/sshdAdd the following line after the @include common-auth line:
auth required pam_u2f.so authfile=/etc/u2f_mappings/u2f_keys cueThe cue parameter provides visual feedback prompting users to touch their hardware key.
Step 5: Configure SSH Daemon
Edit the SSH configuration to enable challenge-response authentication:
sudo nano /etc/ssh/sshd_configModify or add these configurations:
ChallengeResponseAuthentication yes
PasswordAuthentication no
UsePAM yes
AuthenticationMethods publickey,keyboard-interactiveThis configuration requires both SSH key authentication and FIDO2 hardware verification.
Step 6: Setup SSH Key Pair
Generate an SSH key pair on your local machine if you haven’t already:
ssh-keygen -t ed25519 -C "[email protected]"
ssh-copy-id username@your-vps-ipThe Ed25519 algorithm provides excellent security with compact key sizes, perfect for cryptographic authentication workflows.
Step 7: Restart SSH Service
Apply the configuration changes:
sudo systemctl restart sshd
sudo systemctl status sshdVerify the service restarted without errors before proceeding.
Step 8: Test FIDO2 Authentication
Open a new terminal session (keeping your current session active as backup) and test the connection:
ssh username@your-vps-ipYou should see a prompt like:
Please touch the device now.Touch your YubiKey or FIDO2 device to complete authentication. Successful login confirms your passwordless SSH setup is working correctly.
Best Practices
Security Considerations
- Backup Keys: Register multiple FIDO2 devices to prevent lockout if one is lost or damaged
- Recovery Access: Maintain console or out-of-band access through your VPS provider’s control panel
- Key Rotation: Regularly update SSH keys and re-register hardware devices
- Monitoring: Enable SSH logging to track authentication attempts and successful logins
Performance Optimization
For high-traffic environments, consider these optimizations:
- Use
notouchparameter in PAM configuration for automated systems - Implement connection multiplexing for frequent SSH sessions
- Configure appropriate SSH timeout values to balance security and usability
Troubleshooting Tips
Common issues and solutions:
- Device not recognized: Ensure proper udev rules for your FIDO2 device
- PAM authentication fails: Check file permissions on
/etc/u2f_mappings/u2f_keys - SSH connection refused: Verify SSH daemon configuration syntax with
sshd -t
Conclusion
Implementing FIDO2/YubiKey authentication on your Ubuntu 24.04 VPS significantly enhances security while maintaining user convenience. This hardware-based authentication method provides strong protection against credential theft, phishing attacks, and unauthorized access attempts.
The combination of SSH public key cryptography and FIDO2 hardware verification creates a robust multi-factor authentication system that’s both secure and user-friendly. As cyber threats continue evolving, adopting advanced authentication methods becomes increasingly crucial for protecting your infrastructure.
For optimal security and performance, consider deploying this setup on high-performance VPS infrastructure that supports advanced security features. Modern cloud platforms offering AMD SEV-SNP security enhancements can further strengthen your overall security posture when combined with FIDO2 authentication.
Ready to implement enterprise-grade security on your own VPS? Explore Onidel’s high-performance cloud solutions designed for security-conscious organizations requiring reliable, scalable infrastructure.
