
OpenSSH FIDO/U2F vs GPG: Security & Convenience

TL;DR

OpenSSH’s built-in FIDO/U2F support is generally more secure and easier to use than relying on GPG for SSH key authentication. It avoids the complexities of managing GPG agents, offers better phishing protection, and integrates seamlessly with modern hardware security keys.

Why Use Hardware Security Keys?

Hardware security keys (like YubiKeys) add a possession factor that a password alone cannot provide: the SSH private key never leaves the device, so it cannot be stolen even if your computer is compromised.

1. Understanding the Options: GPG vs FIDO/U2F

  1. GPG (GNU Privacy Guard): Traditionally, GPG has been used for SSH authentication by storing the private key on a smartcard managed by GPG. This requires configuring a GPG agent to unlock the key during SSH connections.
  2. OpenSSH FIDO/U2F: OpenSSH directly supports FIDO/U2F (Fast Identity Online / Universal 2nd Factor) and WebAuthn standards, allowing you to use hardware security keys without needing a separate GPG agent.

2. Security Advantages of OpenSSH FIDO/U2F

  1. Phishing Resistance: FIDO/U2F is designed to be phishing-resistant. The key only responds to authentication requests from the legitimate server you’re connecting to, preventing attackers from tricking your key with fake servers. GPG can be vulnerable to certain man-in-the-middle attacks if not configured carefully.
  2. Simpler Key Management: Managing SSH keys with OpenSSH FIDO/U2F is much simpler than managing GPG keys and agents. You don’t need to worry about PIN caching, agent forwarding issues, or complex configuration files.
  3. Reduced Attack Surface: By removing the dependency on a GPG agent, you reduce the overall attack surface of your system. The GPG agent can be a target for attackers.

3. Setting up OpenSSH FIDO/U2F

  1. Check OpenSSH Version: Ensure you’re using OpenSSH 8.2 or later, as this is when native FIDO/U2F support was added. You can check your version with:
    ssh -V
  2. Register Your Key: Use the ssh-keygen command to generate a key pair on your security key.
    ssh-keygen -t ed25519-sk -f ~/.ssh/id_ed25519_fido

    Follow the prompts. You will need to touch your security key during this process. The `-t ed25519-sk` type is what tells ssh-keygen to create the key on the FIDO device (use `ecdsa-sk` if your key does not support Ed25519); the file written to disk holds only a key handle, not the private key. Adding `-O verify-required` creates a key that can only be used after entering the device PIN.

  3. Add Key to authorized_keys: Copy the public key (~/.ssh/id_ed25519_fido.pub) to the ~/.ssh/authorized_keys file on your server.
    cat ~/.ssh/id_ed25519_fido.pub | ssh user@server 'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys'
  4. Test the Connection: Try connecting to your server.
    ssh user@server

    You should be prompted to touch your security key to authenticate.
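To check the server-side result of these steps, here is an added Python example (not code from the original post) that parses authorized_keys lines, including the OpenSSH wire format of `sk-ssh-ed25519@openssh.com` and `sk-ecdsa-sha2-nistp256@openssh.com` keys, and flags entries that are not FIDO-backed or whose application string is outside the `ssh:` namespace. The sample file, key bytes and function names are constructed for this example.

```python
import base64
import struct

SK_KEY_TYPES = {"sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}  # FIDO-backed (-sk) key types

def ssh_string(b: bytes) -> bytes:  # encode one SSH wire-format string: uint32 big-endian length, then bytes
    return struct.pack(">I", len(b)) + b

def read_string(blob: bytes, off: int):  # decode one SSH wire-format string at `off`; return (bytes, next offset)
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_pubkey(line: str) -> dict:
    """Parse one .pub / authorized_keys line (options prefix allowed); -sk keys also yield the FIDO application."""
    fields = line.split()
    idx = next(i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-")))
    key_type, blob = fields[idx], base64.b64decode(fields[idx + 1])
    _, off = read_string(blob, 0)  # the blob starts with the key type string, repeating the text prefix
    if key_type not in SK_KEY_TYPES:
        return {"type": key_type, "fido": False}
    if key_type.startswith("sk-ecdsa"):
        _curve, off = read_string(blob, off)  # ECDSA blobs carry the curve name before the point
    pubkey, off = read_string(blob, off)
    application, _ = read_string(blob, off)  # relying-party id the credential is bound to, normally "ssh:"
    return {"type": key_type, "fido": True, "key_len": len(pubkey), "application": application.decode()}

def audit_authorized_keys(text: str) -> list:
    """Flag keys that are not FIDO-backed, or whose application is outside the ssh: namespace ssh-keygen enforces."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # sshd ignores blank and comment lines too
        info = parse_pubkey(line)
        if not info["fido"]:
            findings.append((no, "not a FIDO key: " + info["type"]))
        elif not info["application"].startswith("ssh:"):
            findings.append((no, "unexpected application: " + info["application"]))
    return findings

def sample_line(key_type: bytes, pubkey: bytes, comment: str, application: bytes = b"") -> str:
    """Build a constructed public key line (sample data, not a key from a real device)."""
    blob = ssh_string(key_type) + ssh_string(pubkey) + (ssh_string(application) if application else b"")
    return f"{key_type.decode()} {base64.b64encode(blob).decode()} {comment}"

SAMPLE_AUTHORIZED_KEYS = "\n".join([  # constructed: a legacy software key, a normal FIDO key, an oddly bound FIDO key
    "# constructed sample, not real keys",
    sample_line(b"ssh-ed25519", b"\x01" * 32, "legacy@laptop"),
    sample_line(b"sk-ssh-ed25519@openssh.com", b"\x02" * 32, "yubikey@laptop", b"ssh:"),
    sample_line(b"sk-ssh-ed25519@openssh.com", b"\x03" * 32, "odd@laptop", b"example.com"),
])
```

Run `audit_authorized_keys(open("~/.ssh/authorized_keys").read())` on a server to list every entry that is still a software key, which is what you want to phase out once the FIDO key works.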

4. Configuring OpenSSH for FIDO/U2F (Optional)

You can configure OpenSSH to offer your FIDO key and to prefer public-key authentication over passwords in your ~/.ssh/config file.

Host *
  # Offer the FIDO-backed key; the file on disk holds only a key handle, the private key stays on the device
  IdentityFile ~/.ssh/id_ed25519_fido
  PubkeyAuthentication yes
  PreferredAuthentications publickey,keyboard-interactive,password

5. GPG Considerations

  1. Complexity: Setting up and maintaining GPG for SSH authentication can be complex, especially if you’re not familiar with GPG concepts like agents, keyrings, and PIN caching.
  2. Agent Management: You need to ensure your GPG agent is running and properly configured to unlock the key during SSH connections. This can be problematic in automated environments or when using multiple computers.

6. Conclusion

OpenSSH FIDO/U2F offers a more secure, convenient, and user-friendly way to use hardware security keys for SSH authentication compared to GPG. It’s the recommended approach for most users looking to improve their cybersecurity posture.
