Blog article

  • Vy

FIDO2 Security Keys for Enhanced GitHub SSH Access

Recently, it was announced that after August 13, 2021, GitHub will no longer accept account passwords when authenticating Git operations, and will require the use of strong authentication factors, such as a personal access token, SSH key (for developers), OAuth, or GitHub App installation token.



They also announced in May 2021 that SSH authentication for Git operations now supports FIDO security keys instead of the traditional public/private key pair (see "Security keys are now supported for SSH Git operations" on The GitHub Blog).


During SSH key generation, the private key is stored in the security key, not on the PC. Each authentication then requires the key to be touched.


In other words, one can use the same YubiKey for both GitHub web services and Git operations for two-factor authentication.


To set up two-factor authentication for GitHub's web services, read Setting Up YubiKey Two-Factor Authentication on GitHub (yubion.com).


This article will cover SSH access to Git using YubiKey.



Environment:

  • OS: Windows

  • Security Key by Yubico with NFC


Key Generation:

SSH key pair generation and use are very similar to the previous method.

1. Plug the YubiKey into the USB port.

2. Open Git Bash as an administrator.

(Windows requires administrator privileges to access FIDO2 security keys.)

3. Enter the following command to generate an SSH key. The "sk" in the key type stands for security key.

   $ ssh-keygen -t ed25519-sk -C "your_email@example.com"

  • Note: If the command fails and you receive an "invalid format" or "feature not supported" error, you may be using a security key that does not support ed25519. Try ecdsa instead of ed25519 (key type ecdsa-sk).

The Security Key by Yubico with NFC used this time has firmware 5.1.2, which cannot generate ed25519 keys, so ecdsa keys are generated instead.

To use the Ed25519 key, please use YubiKey firmware 5.2.3 or later.


Checking YubiKey Firmware with YubiKey Manager

4. Enter the FIDO2 PIN for the YubiKey and touch the key.

5. When "Enter a file in which to save the key" is displayed, press Enter to save the public key to the default file location.

6. Create a password for the public key file.


Example of SSH Key Generation


Adding a new SSH key to the GitHub account:

Once the SSH key is generated, add the new key to the account as with any other SSH key. To add an SSH key to the GitHub.com site, follow these steps:

  1. Copy the SSH public key from the "id_ecdsa_sk.pub" file you generated earlier.

  2. Go to GitHub.com, open the settings page, go to the "SSH and GPG keys" page, paste the copied public key into a new key, and add it.

Example of Adding SSH Key
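Before pasting the public key into GitHub, it is worth confirming that the line really is a security-key ("sk") type and not an ordinary software key. The following Python check is an added example, not part of the original article: it decodes the base64 field of a .pub line using the OpenSSH public key layout for sk keys, and the function names and sample lines are constructed for illustration.

```python
import base64

# Key types OpenSSH gives FIDO-backed keys, mapped to the index of the
# "application" string inside the encoded key blob.
SK_TYPES = {
    "sk-ecdsa-sha2-nistp256@openssh.com": 3,  # type, curve, EC point, application
    "sk-ssh-ed25519@openssh.com": 2,          # type, public key, application
}

def _read_strings(blob):
    """Split an SSH wire blob into its length-prefixed strings."""
    out, pos = [], 0
    while pos < len(blob):
        n = int.from_bytes(blob[pos:pos + 4], "big")
        pos += 4
        if pos + n > len(blob):  # also catches a cut-off length field
            raise ValueError("truncated key blob")
        out.append(blob[pos:pos + n])
        pos += n
    return out

def inspect_pubkey(line):
    """Return (key_type, is_security_key, application) for one .pub line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type = parts[0]
    fields = _read_strings(base64.b64decode(parts[1], validate=True))
    if not fields or fields[0].decode("ascii", "replace") != key_type:
        raise ValueError("key type label does not match the encoded key")
    if key_type not in SK_TYPES:
        return key_type, False, None
    idx = SK_TYPES[key_type]
    if len(fields) <= idx:
        raise ValueError("security-key blob is missing the application field")
    return key_type, True, fields[idx].decode("utf-8")

def _pack(*items):  # builds a wire blob; used only for the samples below
    return base64.b64encode(b"".join(len(i).to_bytes(4, "big") + i for i in items)).decode()

# Constructed samples with dummy key material (not real keys).
SAMPLE_SK = "sk-ecdsa-sha2-nistp256@openssh.com " + _pack(
    b"sk-ecdsa-sha2-nistp256@openssh.com", b"nistp256", b"\x04" + bytes(64), b"ssh:"
) + " your_email@example.com"
SAMPLE_PLAIN = "ssh-ed25519 " + _pack(b"ssh-ed25519", bytes(32)) + " your_email@example.com"

if __name__ == "__main__":
    print(inspect_pubkey(SAMPLE_SK), inspect_pubkey(SAMPLE_PLAIN))
```

To check a real key, pass the contents of the generated .pub file to inspect_pubkey; a result with False in the second position means the key is not hardware-backed.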

SSH access confirmation:

1. Plug the YubiKey into the USB port.

2. Open Git Bash as an administrator.

(Windows requires administrator privileges to access FIDO2 security keys.)

3. Verify SSH key access by entering the following command:

   $ ssh -T git@github.com

4. Enter the password for the public key file and touch the YubiKey.

Example of Confirmation of SSH Access


When the above image is displayed, the setting up of SSH access using the FIDO security key is complete.


Conclusion:

This article introduced SSH access for Git using a YubiKey, showing how to store the private key in a hardware security key and operate simple, secure two-factor authentication.


However, there are a few things to keep in mind:


1. The FIDO2 PIN is only required for SSH key generation.

Also, using a FIDO2 PIN requires that a PIN has been set on the key beforehand.

For FIDO2 security keys that have not yet been set with a PIN or FIDO U2F only keys, the PIN authentication step is eliminated, and only key touch is performed.

2. FIDO2 biometric authentication is not yet supported.

