Using FIDO2/SK Keys with ZOC Terminal on Windows for Access to Linux Servers

This is a beginner-friendly tutorial. The article shows how to generate FIDO2/Yubikey keys to login to a Linux account with SSH public/private key authentication.

Introduction

Since OpenSSH version 8.3 SSH servers support public/private key logins based on FIDO2 hardware keys like Yubikey 5-NFC or Yubikey BIO (Fido).

This article will show how to use ZOC Terminal to create a FIDO2 key pair and how to set up a new or existing Linux shell account to use these for login.


Prerequisites

  • ZOC Terminal v9.0 or higher
  • a FIDO2 compatible hardware token (e.g. a Yubikey 5 NFC)

If you have not done this already, you need to initialize the Yubikey for use with the FIDO2 protocol (in most cases it will require you to configure a PIN that protects the key):

  • Download either Yubico Authenticator or YubiKey Manager and install it.
  • Start the Yubico-Authenticator or Yubikey-Manager (under Windows you need to start it via right-click→As Administrator).
  • Depending on the type of key select Applications→FIDO and set a PIN (or even a fingerprint).

Creating an OpenSSH SK/FIDO2 Key using ZOC

You can use ZOC Terminal to create an SSH-key that is linked to the Yubikey (or other FIDO2 token) and obtain the corresponding OpenSSH sk-file:

  • Start ZOC Terminal
  • Open the Tools-menu
  • Choose Generate SSH Public/Private Key
  • Select ECDSA-SK (FIDO2)
  • Enter something in the app field that identifies the intended use, e.g. the name of the server, such as ssh:zoc (the app value must start with ssh:).
  • Optionally choose a passphrase
  • Click Create public/private key files

This will create OpenSSH compatible key files in ZOC's SSH folder. The key will be a token-based non-resident key (meaning it is bound to the Yubikey, but no copy of it is stored on the hardware). Also, the key will not require you to enter the token's PIN each time you use it, but it will require you to physically touch the device, and you will need to enter the passphrase if you set one.

If you want more control over the options of the key creation, see our article about ssh-keygen.


Prepare the Linux Account to Accept the Key as Authentication

Copy the Public-Key to the Clipboard

  • From ZOC Terminal's Tools-menu choose Copy SSH Public-Key to Clipboard
  • Choose the id_ecdsa_sk.pub file (not the one without the .pub file type) and click Open
  • Click Close on the message that shows the public key

Add the Public-Key to the Account

The next step depends on who creates your Linux account:

If you have a service provider who creates the account for you and who asked for your public key, simply send or email them the public key data that you copied to the clipboard.

If you already have access to your Linux shell account via password authentication, log in to the account and enter the following command:

echo "xxxxxxxxxx" >> ~/.ssh/authorized_keys
(instead of xxxxxxxxxx, choose Edit-menu→Paste to paste the public key, which you put on the clipboard in the last step, into the command; keep the quotes so the shell does not interpret any characters in the key line. The ~/.ssh directory must already exist, and authorized_keys must not be writable by anyone but you, otherwise sshd ignores it.)
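As an added example that is not part of the ZOC article, the following POSIX shell helper does the same append more defensively: it accepts only the two FIDO2/SK public key types OpenSSH generates, creates ~/.ssh with the permissions sshd expects, and does not add the same key twice. The function names, the optional second file argument and the sample key line are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the ZOC article: install an OpenSSH sk public
# key into an account's authorized_keys with the checks a careful admin wants.
set -eu

# Accept only the FIDO2/SK key types OpenSSH produces (ecdsa-sk or ed25519-sk).
is_sk_pubkey() {
    case "$1" in
        "sk-ecdsa-sha2-nistp256@openssh.com "*|"sk-ssh-ed25519@openssh.com "*)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# install_sk_pubkey KEYLINE [AUTHORIZED_KEYS_FILE]
# Returns 1 (and changes nothing) if KEYLINE is not an sk key; otherwise makes
# sure ~/.ssh is 700 and the file is 600, and appends the key exactly once.
install_sk_pubkey() {
    key="$1"
    authkeys="${2:-$HOME/.ssh/authorized_keys}"
    dir=$(dirname "$authkeys")

    is_sk_pubkey "$key" || return 1

    # StrictModes (the sshd default) rejects keys in group/world-writable paths.
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$authkeys" && chmod 600 "$authkeys"

    # Duplicate check compares key type and base64 blob only; the trailing
    # comment field is free text and may differ between pastes.
    blob=$(printf '%s\n' "$key" | awk '{print $1" "$2}')
    if ! awk -v b="$blob" '($1" "$2)==b {found=1} END {exit !found}' "$authkeys"; then
        printf '%s\n' "$key" >> "$authkeys"
    fi
    return 0
}
```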



Logging Into Your Linux Server Using Public/Private Key

  • Start ZOC and select File-menu→Quick-Connect (or use this window if it automatically opens after starting ZOC)
  • Enter or select the following values:
    • Connect-To: (paste your server's name or IP address)
    • Connection-Type: Secure Shell
    • Emulation: xterm
    • Username: (your username)
    • click on Select Key... and Private Key and choose the id_ecdsa_sk file (this time use the one without the .pub extension, i.e. not the id_ecdsa_sk.pub file)
  • Click Connect



We Did It, Yay!

If you created the private key with a passphrase, a window will pop up asking for it. Also, depending on the key, a window may pop up or a message may appear on your screen asking you to enter the PIN and physically touch your key.

After a moment you should see a connection screen that shows the connection proceeding, and eventually you will see the familiar $-prompt.


Now you are logged into the Linux server using your public/private key pair.