From 759fd06565a69b03d6706aed9d1c87be486ab63c Mon Sep 17 00:00:00 2001 From: Andrii Pidnebesny <58984788+AnDroed09@users.noreply.github.com> Date: Tue, 20 Jan 2026 17:28:47 +0200 Subject: ssh: T7483: Document fido2 add examples pair fido key with the VyOS (#1738) * Update ssh add fido example.rst * remove useless "$" ssh.rst * add generation example ssh.rst * add generation example ssh.rst --- docs/configuration/service/ssh.rst | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) (limited to 'docs') diff --git a/docs/configuration/service/ssh.rst b/docs/configuration/service/ssh.rst index 4bb5af95..98bce691 100644 --- a/docs/configuration/service/ssh.rst +++ b/docs/configuration/service/ssh.rst @@ -68,6 +68,26 @@ Configuration Require FIDO2 keys to attest that a user is physically present. + VyOS supports SSH authentication using FIDO2-backed keys generated by OpenSSH. + Two FIDO2 key types are supported by OpenSSH: ``ed25519-sk``, ``ecdsa-sk`` + + Generic FIDO2-backed SSH key generation example: + .. code-block:: none + ssh-keygen -t ecdsa-sk -O verify-required -C "fido2-ssh-key" + During key generation, OpenSSH will: + * Request user presence (for example, a physical touch or confirmation) + * Optionally request user verification (PIN), if supported by the authenticator + * Create a local key handle file and a corresponding public key (``.pub``) + The private key material never leaves the authenticator device. + + VyOS configuration example: + .. code-block:: none + # Generate a FIDO2 SSH key on the client system + # Copy the public key to the VyOS instance + set system login user vyos authentication public-keys fido key '' + set system login user vyos authentication public-keys fido type 'sk-ecdsa-sha2-nistp256@openssh.com' + set service ssh fido touch-required + You can now log into the system using: ``ssh -i ~/.ssh/id_fido_key vyos@192.0.2.1`` .. cfgcmd:: set service ssh disable-host-validation Disable the host validation through reverse DNS lookups - can speedup login -- cgit v1.2.3