Secure SSH Login with Thales SafeNet eToken FIDO on Linux
Step-by-step guide to setting up SSH authentication using a FIDO2 hardware token.
"Touch it like you mean it - your USB key, that is!"
This page walks you through configuring passwordless SSH login on Linux using the Thales SafeNet eToken FIDO. Learn how to detect the device, generate FIDO2 SSH keys, and authenticate securely with a simple tap of your hardware token.
SSH Authentication with Thales SafeNet eToken FIDO on Linux
List connected USB devices to confirm the token is recognized.
lsusb
Bus 001 Device 002: ID 08e6:34d1 Gemalto (was Gemplus) eToken Fido
Generate a new SSH key using ecdsa-sk.
ssh-keygen -t ecdsa-sk -C "Myuser"
Generate the SSH key using the -O resident option so that the key is stored in the token.
ssh-keygen -t ecdsa-sk -O resident -C "Myuser"
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter file in which to save the key (/home/user/.ssh/id_ecdsa_sk):
Enter passphrase (empty for no passphrase):
Recover the key stored on the FIDO token in case you lose it locally.
ssh-keygen -K
Enter PIN for authenticator:
Saved ECDSA-SK key to /home/user/.ssh/id_ecdsa_sk
Verify the generated keys exist in the .ssh directory.
ls .ssh -ltr
-rw-r--r-- 1 User User 213 Jul 26 12:40 id_ecdsa_sk.pub
-rw------- 1 User User 785 Jul 26 12:40 id_ecdsa_sk
Copy the public key to the remote SSH server.
ssh-copy-id -i ~/.ssh/id_ecdsa_sk.pub otherPC@IP
Confirm user presence for key ECDSA-SK SHA256:3C1PDR1as5XhK0ow5JlBrpCO4TMpLlq3Ibsadas23
User presence confirmed
SSH into the remote SSH server.
ssh otherPC@IP
Confirm user presence for key ECDSA-SK SHA256:3C1PDR8SAcwSuVXhK0ow5JlBasdasd121asdCSA (touch the token)
User presence confirmed
Welcome to Ubuntu 24.04.2 LTS (GNU/Linux 6.14.2-surface-1 x86_64)
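Once the token-backed key works, the remote account's authorized_keys may still accept older software keys, or an sk key whose touch check has been switched off with OpenSSH's no-touch-required option. The script below is an added example, not part of the original guide: the function name audit_authorized_keys and the sample file are constructed for illustration, and the base64 blobs are placeholders.

```shell
#!/bin/sh
# Added example (not from the original guide): list authorized_keys entries that
# do not enforce a FIDO touch. Output per finding: "<line> <keytype> <reason>".
# Exit status is 1 when at least one finding is reported, 0 otherwise.
audit_authorized_keys() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    {
      line = $0
      gsub(/"([^"\\]|\\.)*"/, "", line)        # drop quoted option values (may hold spaces)
      n = split(line, f, /[ \t]+/)
      for (i = 1; i <= n; i++) {
        if (f[i] !~ /^(sk-)?(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))(@openssh\.com)?$/)
          continue
        opts = ""                              # everything before the key type is options
        for (j = 1; j < i; j++) opts = opts "," f[j]
        if (f[i] !~ /^sk-/)                  { print NR, f[i], "not-hardware-backed"; bad = 1 }
        else if (opts ~ /no-touch-required/) { print NR, f[i], "touch-disabled"; bad = 1 }
        next
      }
      print NR, "-", "unparsed"; bad = 1       # no recognizable key type on this line
    }
    END { exit bad + 0 }
  ' "$1"
}

# Constructed sample file; the base64 blobs are placeholders, not real keys.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed authorized_keys for the audit demo
sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDER1 Myuser
ssh-rsa AAAAPLACEHOLDER2 legacy-laptop
no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDER3 ci-bot
command="echo ssh-rsa",no-pty sk-ssh-ed25519@openssh.com AAAAPLACEHOLDER4 backup
EOF
audit_authorized_keys "$sample" || echo "non-compliant entries found"
```

On the remote server, point the function at ~/.ssh/authorized_keys of the account you log in to; an empty result means every listed key is an sk type with touch enforced.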