Thoughts on increasing ssh security using a hardware security key

Home [Unofficial] April 8, 2026

I have been using hardware security keys (including YubiKeys and Titan keys) for FIDO2 and TOTP for a while, but not for ssh.

At the moment, I harden the ssh config on my servers, lock down access by IP address, and use password-protected certificates for authentication, blocking password-based authentication.

So I think that I do at least reasonably well as it is.

But I was interested to see if I could introduce a further aspect of security for ssh, using a security key.

My security keys support the generation of both resident and non-resident keys. Resident keys are stored on a slot on the YubiKey, while non-resident keys are stored on the client computer, but require the YubiKey.

I picked non-resident.

I set a passphrase as part of the ssh-keygen process, so, when it comes to using that key, I need to enter that passphrase and insert and touch the security key.

So now someone would need:

  • to be connected to the correct network
  • to have a copy of my private key
  • to know the passphrase for that private key
  • to have one of my security keys (my main security key, and my backup security key)

I can, I think, add a PIN to the YubiKey but, to date, I have not done this. Perhaps I should.
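
An added example, not part of the original post: a server enforces the security-key requirement only for `authorized_keys` entries that are themselves `sk-` key types, so this Python sketch audits such a file and reports, per entry, whether it is hardware-backed and whether touch and PIN (`verify-required`) are demanded. The function names and the sample entries (dummy key bytes) are constructed for illustration.

```python
import base64

SK = "sk-ssh-ed25519@openssh.com"
SK_TYPES = {SK, "sk-ecdsa-sha2-nistp256@openssh.com"}

def ssh_strings(blob):
    """Split an SSH wire-format blob into its length-prefixed strings."""
    out, pos = [], 0
    while pos < len(blob):
        end = pos + 4 + int.from_bytes(blob[pos:pos + 4], "big")
        if pos + 4 > len(blob) or end > len(blob):
            raise ValueError("truncated blob")
        out.append(blob[pos + 4:end])
        pos = end
    return out

def audit_line(line):
    """Describe one authorized_keys entry; None if the line holds no key."""
    fields = line.split()
    for i in range(len(fields) - 1):
        try:  # the key blob is the field whose first string repeats the type
            parts = ssh_strings(base64.b64decode(fields[i + 1], validate=True))
        except ValueError:
            continue
        if parts and parts[0] == fields[i].encode():
            opts = set(" ".join(fields[:i]).split(","))
            hw = fields[i] in SK_TYPES
            return {
                "type": fields[i], "hardware_backed": hw,
                "application": parts[-1].decode() if hw else None,
                "touch_required": hw and "no-touch-required" not in opts,
                # per-key option only; sshd_config PubkeyAuthOptions can also set it
                "pin_required": hw and "verify-required" in opts,
            }
    return None

def audit(text):
    return [r for r in map(audit_line, text.splitlines()) if r]

def blob(*parts):  # helper that builds the constructed sample blobs below
    raw = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return base64.b64encode(raw).decode()
# Constructed entries with dummy key bytes, not real keys.
SAMPLE = "\n".join([
    "# laptop",
    f"verify-required {SK} {blob(SK.encode(), bytes(32), b'ssh:')} main",
    f"{SK} {blob(SK.encode(), bytes(32), b'ssh:')} backup",
    f"ssh-ed25519 {blob(b'ssh-ed25519', bytes(32))} old-laptop-key",
])
```

Calling `audit(SAMPLE)` returns one dict per key line; any entry with `hardware_backed` set to `False` can still log in without a security key.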

Honestly, I was probably fine without this, but, well, I had the security keys, so why not.

But, while this works fine from my laptop, I can’t get it to work on my phone (GrapheneOS).

At the moment, I use Termux, and from there, I can ssh in to my servers. But I can’t get Termux to use my *-sk keypair.

There is a six-year-old issue in the Termux GitHub repo which indicates that it might, at some point, be coming, and that would be welcome.

Apparently it can be done using a closed source tool, but since I’m only looking to use FOSS, that’s not on the cards for me.

So that is a bit of a pain, as it is convenient to be able to log in from my phone from time to time.
