🔑 Using Secure Keys for GitHub SSH Operations

In this post on using FIDO U2F for GitHub SSH we see how you can set up secure keys for pushing code update to your GitHub repositories. git offers version tracking and assists collaboration on coding projects. GitHub is currently the best know service offering git repo hosting. The recent rise of the JAMStack and other trends have made committing code to a git service an essential stage in the continuous integration process.

Authentication technology has also moved on as signing in with SSH passwords got replaced with using PGP keys. Taking it a step further, you can now use FIDO U2F secure keys to authenticate SSH transactions. The added security advantage is that the USB key has to be with you physically when you commit. In this post we look at how you can set up secure keys for GitHub and also some SSH configuration settings. I hope this is something you will find useful.

😕 What is FIDO U2F?

FIDO U2F keys are hardware tokens used in Multifactor authentication. Like 2FA authenticator app codes, they offer second factor authentication (2FA) though FIDO U2F keys are less susceptible to phishing attacks than those authenticator app codes. As an example of when you might use FIDO U2F keys, you can harden your Twitter, gmail and Facebook or even GitHub account by enabling FIDO U2F and using that as your preferred login method. Typically you plug in the USB key as you log in and have to tap it to complete the login. We'll see here how using FIDO U2F for GitHub SSH can secure your push and fetch operations.

⚙️ How to Create an SSH Secure Key for GitHub

1. You can use an existing FIDO U2F key but if you don't yet own one you will need to buy one. YubiKey make a number of keys some of them much more expensive than others. The basic and relatively inexpensive Security Key models are fine to use here. You can also use other brands.

2. Check you have a compatible version of OpenSSH installed by running the command:

   ssh -V
   

   You will need version 8.2 or higher. On macOS you can install openssh with Homebrew to get the latest version, try installing with a package manager for your operating system if you are not running macOS. You may also need to install libfido2:

   brew install openssh libfido2
   

3. Place your FIDO U2F key in a free USB port and type the following command to start the one-time setup:

   ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_github_$(date +%Y-%m-%d) -C "Github key"
   

   You will need to touch your FIDO U2F key when it starts flashing. After, when prompted, type in a password. You can now remove the USB key. We are using an ECDSA type key here as these are compatible with more keys. Some prefer to use ed25519-sk in place of ecdsa-sk above because of association of ECDSA keys with government agencies. Your own choice will depend on your threat model as well as what your own key supports.

4. Log in to GitHub, click your avatar in the top right and select Settings. Then from the menu on the left select SSH and GPG keys then click the New SSH key button.

5. In the new screen that appears, enter something to help you identify your key in the Title, you might want to use the filename for your public key. Next get the public key by typing the following command in the Terminal:

   cat ~/.ssh/id_ecdsa_github_$(date +%Y-%m-%d).pub
   

   You can copy the entire output (which will start sk-ecdsa and end with the key description Github key). Paste this in the Key text box in the GitHub console. Then click the Add SSH key button.

6. Finally let's test the new key. Place the FIDO U2F key into a free USB port and run the test command:

   ssh -T github.com
   

   When prompted enter your password (this is the password you entered as you created the key). Then, just like when you created the new SSH key, the FIDO U2F key will start flashing, touch it to confirm your presence. If all is well, you will see a message like this one:

Hi rodneylab! You've successfully authenticated, but GitHub does not provide shell access.

When you are ready to, you can remove any existing SSH keys which you may no longer need.

Finishing Off

For some best practices on SSH client keys see the Mozilla guide.

🔨 SSH Config

Since we are hardening the login method, we can also harden SSH configuration. I based this configuration off Dr Duh's configuration.

# https://github.com/drduh/config/blob/master/ssh_config
# https://linux.die.net/man/5/ssh_config
Host github.com
  User git
  ControlMaster no
  IdentitiesOnly yes
  IdentityFile ~/.ssh/id_ecdsa_github_YYYY-mm-dd
  MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Host *
  AddressFamily inet
  HashKnownHosts yes
  VisualHostKey yes
  PasswordAuthentication no
  ChallengeResponseAuthentication no
  StrictHostKeyChecking ask
  VerifyHostKeyDNS yes
  ForwardAgent no
  ForwardX11 no
  ForwardX11Trusted no
  ServerAliveInterval 300
  ServerAliveCountMax 2
  Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
  MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
  KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
  HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa

This prefers IPv4 connections over IPv6, disables password login as well as some other hardening measures such as limiting the allowed encryption ciphers and message authentication algorithms. Be sure to update the path to you GitHub key in line 7 to match the path of the key you just created. The settings in lines 3–8 apply just to GitHub SSH connections. The remaining ones apply to any other SSH connection, so these may need tweaking to work with any other services you use. Be sure to test all connections with this new configuration.

🙌🏽 Using FIDO U2F for GitHub SSH: What we Learned

In this post we looked at:

• why you would want to use a FIDO U2F key for GitHub SSH operations,

• how to create an SSH secure key for GitHub,

• a hardened SSH configuration.

I do hope there is at least one thing in this article which you can use in your work. You may also want to see GitHub's own documentation on setting up secure SSH keys.

🙏🏽 Using FIDO U2F for GitHub SSH: Feedback

Have you found the post useful? Would you prefer to see posts on another topic instead? Get in touch with ideas for new posts. Also if you like my writing style, get in touch if I can write some posts for your company site on a consultancy basis. Read on to find ways to get in touch, further below. If you want to support posts similar to this one and can spare a few dollars, euros or pounds, please consider supporting me through Buy me a Coffee.

Finally, feel free to share the post on your social media accounts for all your followers who will find it useful. As well as leaving a comment below, you can get in touch via @askRodney on Twitter and also askRodney on Telegram. Also, see further ways to get in touch with Rodney Lab. I post regularly on SvelteKit as well as security-related topics. Also subscribe to the newsletter to keep up-to-date with our latest projects.