Effortless SSH/GIT Security with Yubikey FIDO2 Interface on WSL

Yubikeys, FIDO2 and WSL

Windows Subsystem for Linux (WSL), especially its second iteration (WSL2), offers a seamless way to run Linux distributions directly within Windows. This brings the familiar Linux environment and its powerful tools right to your fingertips, eliminating the need for dual booting or virtual machines. With WSL2, developers gain a convenient and integrated platform, boosting their productivity and streamlining their workflow.

One downside of WSL is the lack of native USB forwarding. Currently, USB forwarding can be achieved by following this official document, which instructs you to set up another open source project. My personal experience with this approach was not great.

As a Cyber Security Engineer working on enhancing incident response capabilities and implementing proactive measures and automations, my daily work requires Linux, Windows and Mac environments in addition to SSH and GIT. I personally use and promote Yubikeys. I was using the OpenPGP interface on the Yubikey for safely storing a generated private key and for encryption/signing. This interface requires tedious setup on hosts (different in each OS) and was not stable.

All this brings us to our solution: the FIDO2 interface on Yubikeys, and configuring WSL to use it. FIDO2 (Fast Identity Online 2) focuses on authentication for online services. It is supported on most modern Yubikey models. As GIT also allows SSH keys to be used for GIT signing operations, FIDO2 keys can be used for both SSH and GIT!

Setup

The instructions below refer to 3 SSH instances:

  • Windows SSH Client;
  • WSL (Linux) SSH Client;
  • Remote SSH Server.

⚠️ This post assumes you have already enabled the FIDO2 interface and generated keys with the Yubikey.

Steps

  1. SSH versions on all environments (Windows, WSL, Remote) should be higher than OpenSSH 8.3;

  2. [WINDOWS] The latest version of the SSH client should be downloaded from either:

  3. [WSL] Update the SSH client by either:

    • downloading the source files and building; or
    • installing brew and running
      brew install openssh
      
  4. [WSL] After updating the SSH client, add this environment variable so that the Yubikey attached to the Windows host is used (ssh-sk-helper.exe is the Windows OpenSSH helper that talks to the FIDO2 device). Add it to ~/.bashrc, ~/.zshrc or /etc/profile for persistence. Source the file after appending, or re-establish the session, to activate the variable:

    export SSH_SK_HELPER="/mnt/c/Program Files/OpenSSH/ssh-sk-helper.exe"
    
  5. [WSL] The keys generated for the FIDO2 interface should be available in ~/.ssh/;

    • Set proper permissions on the ~/.ssh/ folder and on the private and public key files.
  6. [WSL] Set GIT to use SSH keys for signing:

    git config --global gpg.format ssh
    
  7. [WSL] Set GIT to use the SSH key. Replace [KEY_FILE_NAME] with your key file name:

    git config --global user.signingKey ~/.ssh/[KEY_FILE_NAME]
    
  8. [WSL] Test everything by connecting to a server that has your public key.

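As an added example (not code from the original post), the following POSIX shell script checks the WSL side of the steps above: the OpenSSH version, that SSH_SK_HELPER points at an existing helper, the ~/.ssh permissions, and the git signing settings. The helper path is the one from step 4; the `id_*_sk` key-name pattern and the 700/600 modes are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the WSL side of
# the Yubikey FIDO2 setup. Assumes the helper path from step 4 and keys in ~/.ssh.

# Step 1: OpenSSH must be newer than 8.3. $1 is the output of `ssh -V 2>&1`.
ssh_version_ok() {
  ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
  [ -n "$ver" ] || return 1
  major=${ver% *}; minor=${ver#* }
  [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -gt 3 ]; }
}

# Step 4: SSH_SK_HELPER must be set and point at an existing file (e.g. on /mnt/c).
sk_helper_ok() {
  [ -n "$1" ] && [ -f "$1" ]
}

# Step 5: permissions. Prints the octal mode (GNU stat, with BSD stat fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
# $1 = path, $2 = required octal mode (700 for ~/.ssh, 600 for a private key).
perm_ok() {
  [ "$(file_mode "$1")" = "$2" ]
}

# Steps 6-7: gpg.format must be "ssh" and user.signingKey must name an existing key.
git_signing_ok() {
  [ "$1" = "ssh" ] && [ -n "$2" ] && [ -f "$2" ]
}

# Run every check against the live WSL environment and print PASS/FAIL per step.
run_checks() {
  report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fi; }
  report ssh_version_ok "$(ssh -V 2>&1)"
  report sk_helper_ok "${SSH_SK_HELPER:-}"
  report perm_ok "$HOME/.ssh" 700
  for k in "$HOME"/.ssh/id_*_sk; do      # assumed FIDO2 private key naming
    [ -f "$k" ] || continue
    report perm_ok "$k" 600
  done
  report git_signing_ok "$(git config --global gpg.format)" \
                        "$(git config --global user.signingKey)"
}

# Only touch the real environment when invoked as: sh check-fido2-wsl.sh --run
if [ "${1:-}" = "--run" ]; then run_checks; fi
```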
