Using FIDO2 for SSH authentication

Eugene Oskin

The desktop Termius app from version 7.41.2 and the iOS Termius app from version 4.13.9 allow authenticating with ed25519-sk and ecdsa-sk SSH keys, that is, with FIDO2 hardware authenticators such as YubiKey, Solo, or OnlyKey.

(Animation: fido2-discoverable-connections.gif)

With this type of authentication, the SSH key is generated by a hardware device. When connecting with such a hardware-generated key, you'll be asked to touch the device and/or provide a PIN. Some authenticators also allow you to store a copy of the key on the authenticator itself.

Any FIDO2 keys that are stored locally need to be imported into Termius and then attached to hosts before you can use them. A key stored on the authenticator can also be imported if desired; you may want to import it to avoid having to select the key during a connection, or for security reasons.

Starting with 7.44.0, Desktop Termius allows generating FIDO2 keys.

Termius supports only the FIDO 2.0 (CTAP 2) protocol.

Support for FIDO2 keys has been tested on a limited number of devices, so if you're facing connection issues, please send us an email including the name of your authenticator.

Important: This type of authentication requires OpenSSH 8.2 or higher to be installed on the server.

Note: You can find more info about FIDO2-based authentication here. (See 'FIDO2 resident keys'.)

Note: FIDO2-based authentication is not available in the Starter (free) plan.
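The OpenSSH 8.2 requirement above is checkable from the client side before you touch any key: the server announces its version in the identification banner, and only sk-* entries in the user's authorized_keys file are FIDO2 keys. The following is an added example (not part of this article or of Termius) that parses a banner for the version and reads the per-key options OpenSSH's authorized_keys format uses for these keys: no-touch-required (the key may be used without a touch) and verify-required (a PIN must have been verified). The banners and key lines are constructed samples, and the parser assumes authorized_keys options without quoted values.

```python
# Added example, not part of the Termius article: two server-side checks for the
# requirement above. (1) The server must run OpenSSH 8.2 or newer, which is
# visible in the identification banner it sends before key exchange. (2) Only
# sk-* key types in the user's authorized_keys file are FIDO2 keys, and their
# options tell sshd whether a touch (user presence) or a PIN (user verification)
# must be proven for that key. All banners and key lines here are constructed.
import re

# Public-key names on the wire -> the short names Termius uses in its dialogs.
SK_KEY_TYPES = {
    "sk-ssh-ed25519@openssh.com": "ed25519-sk",
    "sk-ecdsa-sha2-nistp256@openssh.com": "ecdsa-sk",
}
MIN_VERSION = (8, 2)   # first OpenSSH release that understands sk-* keys


def openssh_version(banner):
    """Return (major, minor) parsed from an SSH identification string, or None
    when the server is not OpenSSH (e.g. Dropbear) or the banner is malformed."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)))


def supports_sk_keys(banner):
    """True when the server is OpenSSH >= 8.2 and so can accept sk-* keys."""
    v = openssh_version(banner)
    return v is not None and v >= MIN_VERSION


def parse_authorized_key(line):
    """Split an authorized_keys line into (options, key_type).

    The options field is optional and precedes the key type; this parser
    assumes options without quoted values (no embedded commas or spaces)."""
    fields = line.strip().split(None, 2)
    if fields[0] in SK_KEY_TYPES or fields[0].startswith(("ssh-", "ecdsa-")):
        return [], fields[0]
    return fields[0].split(","), fields[1]


def sk_key_policy(line):
    """Describe what sshd will demand for an sk-* key, or None for other keys."""
    options, key_type = parse_authorized_key(line)
    if key_type not in SK_KEY_TYPES:
        return None
    return {
        "type": SK_KEY_TYPES[key_type],
        # Touch is mandatory unless the key was installed with no-touch-required.
        "touch_required": "no-touch-required" not in options,
        # PIN (user verification) is only enforced when verify-required is set.
        "pin_required": "verify-required" in options,
    }


# Constructed sample data (not captured from any real host).
SAMPLE_BANNERS = {
    "ok": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4",
    "too_old": "SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2",
    "not_openssh": "SSH-2.0-dropbear_2020.81",
}
SAMPLE_KEYS = [
    "sk-ssh-ed25519@openssh.com AAAAEXAMPLEBLOB alice@laptop",
    "no-touch-required,verify-required sk-ecdsa-sha2-nistp256@openssh.com AAAAEXAMPLEBLOB bob@desk",
    "ssh-ed25519 AAAAEXAMPLEBLOB carol@host",
]

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name:12s} {banner!r:45s} sk keys usable: {supports_sk_keys(banner)}")
    for line in SAMPLE_KEYS:
        print(sk_key_policy(line))
```

The version tuple comparison is deliberate: a plain string compare would rank "8.10" below "8.2". The banner alone says nothing about whether sshd's configuration allows public-key authentication; that still has to be confirmed on the server.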

Requirements

Make sure you grant Termius access to USB when the OS asks you to do so.

Linux requires adding a udev rule for you to be able to access FIDO devices, similar to this one:

#udev rule for allowing HID access to Yubico devices for FIDO support.
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", \
  MODE="0664", GROUP="plugdev", ATTRS{idVendor}=="1050"

On Windows, to be able to import a key stored on an authenticator or connect using one, you must be running Termius as administrator. It may also be necessary to install authenticator device drivers. Please search for the drivers on the vendor's website, e.g. the YubiKey smart card driver.

On iOS, any FIDO2 device that can be connected to an iPhone or iPad via USB-C, NFC, or Lightning can be used. SSH keys generated with ssh-keygen are supported only for NFC and Lightning devices.

Import a FIDO2 key

FIDO2 keys stored locally can be imported in the same way other keys are imported.

To import a FIDO2 key from an authenticator:

  1. Plug in your authenticator device.
  2. In Preferences, choose Keychain.
  3. Click + New hardware key, then Import FIDO2 key.
  4. Select a FIDO2 authenticator from the list.
  5. Enter the PIN code.
  6. (Optionally) in the Set a label... field, provide a name for the key.
  7. Select the key(s) you'd like to import.
  8. Click Continue.

To use an imported FIDO2 key, you'll need to link it with your Termius host in its properties.

Generate a FIDO2 key

When generating a key, you'll be asked if you want to upload the key to the authenticator. If you choose to do so, two copies of the key will be created: one will be stored on the device, and the second will be saved in Termius.

Note: YubiKeys with firmware below 5.2.3 are not compatible with ed25519-sk keys.

To generate a FIDO2 key in Termius:

  1. Plug in the authenticator.
  2. In Preferences, choose Keychain, then + New hardware key and Generate FIDO2 key.
  3. (Optionally) in the Set a label... field, provide a name for the key.
  4. Select the type of key you want to generate: ecdsa-sk or ed25519-sk.
  5. To disable presence verification (via touch), uncheck Require user presence. It is possible to disable presence verification only for locally stored keys.
  6. To enable PIN verification, check Require PIN code.
  7. To place the key on your device, check Store on device.

    Note: This option can be unavailable if you haven't set a PIN code on your FIDO2 device. To learn more about PIN codes and YubiKey, please take a look at this article.

  8. If you're using the 'Store on device' option, provide a user id. It will appear next to the key in the list of keys that is displayed when you connect to a server.

    Important: It is not possible to store two keys with the same user id and of the same key type on one device. Any previously created duplicate will be overwritten.

  9. Specify the other parameters and click Generate.
    (Animation: fido2-keygen-store-on-device-1.gif)
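The check boxes in the steps above correspond to properties that OpenSSH expresses as ssh-keygen -O options for sk-* keys, and the public key that results records the key type and the FIDO "application" (the relying-party id, "ssh:" by default) the authenticator bound the credential to. The following is an added example, not Termius code; the mapping from the dialog's options to ssh-keygen flags is this editor's reading of the OpenSSH flags, not something Termius documents about its internals, and the key bytes are constructed placeholders, not real key material. It also encodes and decodes the sk-* public-key blob for both key types so that the application string can be read back from a .pub line.

```python
# Added example, not Termius code: how the choices in the Generate FIDO2 key
# dialog line up with ssh-keygen(1) options for sk-* keys, and what ends up in
# the resulting public key. The dialog-to-flag mapping is an assumption about
# equivalence, not a description of what Termius runs internally. Key bytes
# below are constructed placeholders, not real key material.
import base64
import struct

WIRE_NAMES = {
    "ed25519-sk": "sk-ssh-ed25519@openssh.com",
    "ecdsa-sk": "sk-ecdsa-sha2-nistp256@openssh.com",
}


def keygen_args(key_type, require_presence=True, require_pin=False,
                store_on_device=False, user_id=None, application="ssh:"):
    """Build the ssh-keygen argument list equivalent to the dialog's choices."""
    if key_type not in WIRE_NAMES:
        raise ValueError("FIDO2 SSH keys are ed25519-sk or ecdsa-sk")
    if not application.startswith("ssh:"):
        raise ValueError("ssh-keygen only accepts applications starting with 'ssh:'")
    args = ["ssh-keygen", "-t", key_type, "-O", f"application={application}"]
    if not require_presence:                 # "Require user presence" unchecked
        args += ["-O", "no-touch-required"]
    if require_pin:                          # "Require PIN code" checked
        args += ["-O", "verify-required"]
    if store_on_device:                      # "Store on device" checked
        args += ["-O", "resident"]
        if user_id:                          # the user id from step 8
            args += ["-O", f"user={user_id}"]
    return args


def _ssh_string(data):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def encode_sk_public_key(key_type, point, application):
    """Encode the public-key blob of an sk-* key (OpenSSH PROTOCOL.u2f layout)."""
    name = WIRE_NAMES[key_type].encode()
    if key_type == "ed25519-sk":
        parts = [name, point, application.encode()]
    else:
        parts = [name, b"nistp256", point, application.encode()]
    return b"".join(_ssh_string(p) for p in parts)


def public_key_line(key_type, point, application, comment=""):
    """Render the blob as the one-line text form found in .pub files."""
    blob = base64.b64encode(encode_sk_public_key(key_type, point, application)).decode()
    line = f"{WIRE_NAMES[key_type]} {blob}"
    return f"{line} {comment}" if comment else line


def decode_sk_public_key(line):
    """Parse a 'type base64 [comment]' public-key line and return the fields
    an sk-* key carries: its type, the raw point and the FIDO application."""
    key_name, blob_b64 = line.split()[:2]
    blob = base64.b64decode(blob_b64)
    fields, pos = [], 0
    while pos < len(blob):
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    if fields[0] != key_name.encode():
        raise ValueError("key type inside the blob does not match the line prefix")
    if key_name == WIRE_NAMES["ed25519-sk"]:
        return {"type": "ed25519-sk", "point": fields[1],
                "application": fields[2].decode()}
    if key_name == WIRE_NAMES["ecdsa-sk"]:
        return {"type": "ecdsa-sk", "curve": fields[1].decode(),
                "point": fields[2], "application": fields[3].decode()}
    raise ValueError("not a FIDO2 (sk-*) key")


# Constructed sample: a 32-byte placeholder standing in for an Ed25519 point.
SAMPLE_POINT = bytes(range(32))
SAMPLE_LINE = public_key_line("ed25519-sk", SAMPLE_POINT, "ssh:termius-laptop", "alice@laptop")

if __name__ == "__main__":
    print(" ".join(keygen_args("ed25519-sk", require_pin=True,
                               store_on_device=True, user_id="alice")))
    print(decode_sk_public_key(SAMPLE_LINE))
```

With -O resident, the -O user= value plays the role of the user id from step 8: it is what distinguishes resident credentials of the same type and application on the device, which is why a second key with the same user id replaces the first. The application string is part of the public key, so a key created for one application cannot be presented as a credential for another.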

Connect using a FIDO2 key on Desktop and Mobile

If you've imported your FIDO2 key, attach the key to the host you want to connect to. During the connection, you may be asked to touch the device and provide a PIN, depending on the parameters of the key.

Connecting using a key stored on the authenticator is possible only if no authentication methods other than public key authentication are allowed on the server. If you're going to connect using a key stored on your authenticator, make sure no key is attached to the host (entry) in question, and then connect.

(Animation: fido2-discoverable-connections.gif)

(Animation: iPhone_FIDO2.gif)

To confirm user presence, bring your NFC key to your iOS device, or insert and touch your USB-C FIDO2 device or YubiKey 5Ci.

The Android app from version 6.1.1 supports FIDO2 key authentication. Previously generated keys and FIDO2 keys generated with OpenSSH are not supported due to Android restrictions. Please generate a new key in the Android app (version 6.1.1 or newer) or in the desktop app (version 8.9.9 or newer).


Comments

4 comments

  • Jimmy2500

    Is it possible to specify a different FIDO key for a remote host based on the Termius device being used? E.g. a different YubiKey for Termius on Mac and Termius on Windows?

    Right now the only way to achieve this is to create multiple host entries (for the same remote host) for each Termius device, specifying a different identity for each.

    Jimmy2500
    0
  • Anonymous

    When will it be available to Android users? There's already support for resident keys in Android.

    Anonymous
    0
  • Lucas Tiberti

    As far as I have been able to figure out so far, this article is misleading and Termius's current FIDO2 implementation on Windows is not particularly sound. Currently the only option that is available on Windows is to "Generate" FIDO2 keys. What this appears to mean is that Termius (not the FIDO authenticator) generates a public and private key, then loads the private key onto the FIDO authenticator and keeps a copy of the private key on file in Termius. I have not tried, but I would not be surprised if you could copy this private key and log in with the OpenSSH client without requiring the hardware authenticator.

    The "Import FIDO2 keys" option in the Termius Keychain settings does not work. Here is a reference article on how OpenSSH is set up to use FIDO2 and hardware authenticators: https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html The private key is generated on the hardware authenticator and two files are output by ssh-keygen: a public key and a "reference" key pointing to the private key on the hardware authenticator.

    Lucas Tiberti
    0
  • Leandro Peracchi

    There isn't a "New hardware key" on Termius for Android.

    So it isn't possible to "Click + New hardware key, then Import FIDO2 key" to use Termius on Android with a YubiKey.

    You should state that Termius only "works" on macOS and iOS, because on other OSs (Windows, Linux and Android) several bugs and problems (open for more than a year) prevent full use of Termius.

    Leandro Peracchi
    1