OpenSSH 8.2 introduced support for FIDO/U2F security keys: the new ecdsa-sk and ed25519-sk key types keep the private key on an external dongle, and the file ssh-keygen writes to disk is only a handle that is useless without the token. I own a Solo key. I wanted to try it, but most of the machines I reach over ssh do not support this feature yet (as far as I understand, the server must also run OpenSSH >= 8.2).
I created a Docker image that lets me test the feature. First I created the key pair:
ssh-keygen -t ecdsa-sk -f ~/.ssh/my_ecdsa_sk
I am prompted first to touch the dongle, then to enter a passphrase to protect the key file.
I used this Dockerfile:
FROM debian:sid
ARG uid=1000
ARG gid=1000
ENV DEBIAN_FRONTEND=noninteractive
# debian:sid is used because its openssh-server is recent enough (>= 8.2) to verify -sk keys.
# No sshd_config edit is needed: PermitRootLogin already defaults to prohibit-password
# ("without-password" is just its old alias), and we log in as an unprivileged user anyway.
RUN apt-get update && apt-get install --no-install-recommends -y openssh-server \
 && mkdir /run/sshd \
 && groupadd -g ${gid} uzer \
 && useradd -u ${uid} -g ${gid} -m -d /uzer uzer \
 && mkdir /uzer/.ssh \
 && chown uzer:uzer /uzer/.ssh \
 && chmod 700 /uzer/.ssh \
 && rm -rf /var/lib/apt/lists/*
# key.pub is the public half of the -sk key generated above; it becomes the only authorized key.
COPY --chown=uzer:uzer key.pub /uzer/.ssh/authorized_keys
COPY entrypoint /entrypoint
EXPOSE 22
ENTRYPOINT ["/entrypoint"]
with this entrypoint:
#!/bin/sh
# On docker stop / Ctrl-C, stop the sshd that daemonised itself, then exit.
exit_all() {
    kill "$(cat /var/run/sshd.pid)"
    exit 0
}
trap exit_all INT TERM

# sshd forks into the background; -E sends its log to a file so we can follow it.
/usr/sbin/sshd -E /var/log/sshd.log

# Follow the log in the background and wait on it. A shell blocked on a
# foreground command only runs its trap once that command returns, so a
# foreground "tail -f" would make the container ignore docker stop until
# Docker gives up and sends SIGKILL.
tail -f /var/log/sshd.log &
wait $!
Then I build the image (after copying the newly generated public key, ~/.ssh/my_ecdsa_sk.pub, into the directory holding these files and naming it key.pub):
docker build -t sshd-sk:0.1 .
and launch a container from it, publishing the container's port 22 on local port 10022:
docker run --rm -p 10022:22 sshd-sk:0.1
At last, I can connect (to port 10022, where the container's sshd is published):
ssh -p 10022 -i ~/.ssh/my_ecdsa_sk uzer@localhost
I am prompted first for the passphrase, then to touch the dongle:
Enter passphrase for key '/home/me/.ssh/id_ecdsa_sk':
Confirm user presence for key ECDSA-SK SHA256:CENSORED
Linux ddcb668dd8b3 5.7.4-arch1-1 #1 SMP PREEMPT Thu, 18 Jun 2020 16:01:07 +0000 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
$
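Three checks worth keeping next to this setup, written here as an added example script that is not part of the original post: deciding from a server's SSH identification string whether it is new enough (OpenSSH >= 8.2) to accept -sk keys, confirming that the key.pub baked into the image really is a FIDO-backed key (sshd is just as happy with a plain ecdsa or ed25519 .pub, which would let the test "pass" without the dongle ever being touched), and pulling the accepted key type out of the sshd log the entrypoint writes. The banner, public-key line and log line used as samples are constructed; remote_banner needs bash (it uses /dev/tcp) and only runs when a host is passed on the command line.

```bash
#!/usr/bin/env bash
# Added example script, not from the original post. The sample banner, public
# key and log line below are constructed to look like what OpenSSH produces.

# Print "major.minor" from an SSH identification string such as
# "SSH-2.0-OpenSSH_8.2p1 Debian-4"; prints nothing for non-OpenSSH servers.
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^SSH-2\.0-OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# True if the server behind BANNER is OpenSSH >= 8.2, the release that added
# FIDO/U2F support, i.e. the first one able to verify ecdsa-sk/ed25519-sk keys.
sk_supported() {
    local ver major minor
    ver=$(openssh_version "$1")
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    minor=${ver#*.}
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; }
}

# Read the identification string a live server sends first thing after connect.
# Uses bash's /dev/tcp, so no nc is needed.  Usage: remote_banner localhost 10022
remote_banner() {
    local line
    { IFS= read -r -t 5 line <&3 && printf '%s\n' "$line" | tr -d '\r'; } \
        3<>"/dev/tcp/$1/${2:-22}"
}

# True if the authorized_keys/.pub line on stdin is a FIDO-backed key type.
# sshd also accepts plain ecdsa/ed25519 lines, so copying the wrong .pub into
# key.pub would let the login succeed without the dongle being involved at all.
key_is_sk() {
    local type
    read -r type _ || return 1
    case "$type" in
        sk-ecdsa-sha2-nistp256@openssh.com|sk-ssh-ed25519@openssh.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the key type sshd recorded for each successful public-key login of USER
# in the log on stdin (the /var/log/sshd.log written by the entrypoint).
# "ECDSA-SK" or "ED25519-SK" confirms the FIDO key was the one accepted.
accepted_key_types() {
    sed -n "s/.*Accepted publickey for $1 from .* ssh2: \([A-Z0-9-]*\) SHA256:.*/\1/p"
}

# Constructed samples (the log line mimics sshd's "Accepted publickey" message).
SAMPLE_BANNER_OLD='SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2'
SAMPLE_BANNER_NEW='SSH-2.0-OpenSSH_8.2p1 Debian-4'
SAMPLE_SK_PUB='sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNh me@laptop'
SAMPLE_PLAIN_PUB='ecdsa-sha2-nistp256 AAAAE2VjZHNh me@laptop'
SAMPLE_LOG='Accepted publickey for uzer from 172.17.0.1 port 49814 ssh2: ECDSA-SK SHA256:CENSORED'

# Run the checks on the samples, and on a live host if one is given as $1 [$2].
sk_supported "$SAMPLE_BANNER_NEW" && echo "8.2 banner: -sk keys usable"
sk_supported "$SAMPLE_BANNER_OLD" || echo "7.9 banner: server too old for -sk keys"
printf '%s\n' "$SAMPLE_SK_PUB" | key_is_sk && echo "sample key.pub is a FIDO key"
printf '%s\n' "$SAMPLE_PLAIN_PUB" | key_is_sk || echo "plain ecdsa .pub is not a FIDO key"
printf '%s\n' "$SAMPLE_LOG" | accepted_key_types uzer
if [ -n "${1:-}" ]; then
    banner=$(remote_banner "$1" "${2:-22}") && printf 'live banner: %s\n' "$banner"
    sk_supported "$banner" && echo "live server accepts -sk keys" || echo "live server too old for -sk keys"
fi
```

Saved as, say, sk-checks.sh (the file name is mine), `bash sk-checks.sh localhost 10022` checks the container above; `bash sk-checks.sh some.host` is a quick way to find out which of the machines mentioned at the top can take the new key before copying it there. The banner test is deliberately conservative: it only says yes for OpenSSH, since other servers that speak SSH-2.0 do not implement the sk- key types.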
The next step is to experiment with resident keys, which should make it possible to carry around only the dongle.