Using FIDO2/SK Keys with ZOC Terminal on Windows for Access to Linux Servers

Table of Contents

• Introduction
• Prerequisites
• Create an OpenSSH SK/FIDO2 Key using ZOC
• Create an OpenSSH SK/FIDO2 Key using Commandline Tools
• Prepare the Linux Account to Accept the Key as Authentication
• Logging Into Your Linux Server Using Public/Private Key
• We Did It, Yay!
• Why ZOC Terminal is a Better Alternative for these Tasks Compared to PuTTY

Introduction

Since OpenSSH version 8.3 SSH servers support public/private key logins based on FIDO2 hardware keys like Yubikey.

This article will show how to use ZOC Terminal to create a FIDO2 key pair and how to set up a new or existing Linux shell account to use these for login.

Setting up a Linux server will always require some work on the Linux shell. This article will explain basic tasks with ZOC Terminal. If you don't have ZOC Terminal installed already, you can download it here. There will be a free trial with all features enabled, no ads for 30 days of actual use (i.e. if you use the program only once a week, the trial will last you for half a year).

Prerequisites

• ZOC Terminal v9.0 or higher
• a FIDO2 compatible hardware token (e.g. a Yubikey 5 NFC)

If you have not done this already, First you need to initialize the Yubikey for use with the FIDO2 protocol it will configure a PIN that protects the key:

• Download Yubikey-Manager and install it.
• Start the Yubikey-Manager (under Windows you need to start it via right-click→As Administrator).
• Select Applications→FIDO
• Set a PIN

Create an OpenSSH SK/FIDO2 Key using ZOC

You can use ZOC Terminal to create an SSH-key that is linked to the Yubikey (or other FIDO2 token) and obtain the corresponding OpenSSH sk-file:

• Start ZOC Terminal
• Open the Tools-menu
• Choose Generate SSH Public/Private Key
• Select ECDSA-SK (FIDO2)
• Enter your username for the host and leave the app field at ssh:zoc
  Note: The username and application identify the key. You can create multiple (different) keys on the FIDO2 token, by giving them a different combination of username and application.
• Optionally choose a passphrase
• Click Create public/private key files

Create an OpenSSH SK/FIDO2 Key using Commandline Tools

Alternately you can create a key using the OpenSSH commandline tool ssh-keygen.

However, doing this on various platforms, has turned into a nice little mess. First, the ssh-keygen tool that comes with macOS does not support FIDO2 keys. This means that you will need a special build (either from ZOC or from a Homebrew build of OpenSSH). Secondly, under Windows, the whole FIDO2 (Windows Hello) system, does not support some of the functions that are required to properly run ssh-keygen. Thirdly, the Microsoft implementation of ssh-keygen tried to work around some of these limitation is a half-baked way, which may create some unexpected results.

Hoever, ZOC offers a ssh-keygen version that tries to work around the Windows-Hello limitations in a more consistent way. Under Windows use C:\Program Files\ZOC9\zoc-ssh-keygen.exe On macOS, the tool can be found in /Applications/zoc9.app/Contents/MacOS/zoc-ssh-keygen.

The equivalent of a key generated by ZOC Terminal via Tools→Generate SSH Public/Private Key is the following command:
Windows: "C:\Program Files\ZOC9\zoc-ssh-keygen.exe" -t ecdsa-sk -O application=ssh:zoc macOS: /Applications/zoc9.app/Contents/MacOS/zoc-ssh-keygen -t ecdsa-sk -O application=ssh:zoc

You can also apply additional parameters:

• -O verify-required (using the key will require entry of the PIN)
• -O user=<username> (supply an username associated with the key, instead of the "openssh" default)
• -O resident (create a key that resides on and can be recreated from the token)
• -C "Your Comment" (add a comment to the public key file)

Prepare the Linux Account to Accept the Key as Authentication

Copy the Public-Key to the Clipboard

• From ZOC Terminal's Tools-menu choose Copy SSH Public-Key to Clipboard
• Choose the id_ecdsa_sk.pub file (not the one without the .pub file type) and click Open
• Click Close on the message that shows the public key

Add the Public-Key to the Account

The next step depends on who creates your Linux account:

If you have a service provider who creates the account for you and who asked for your public key, simply send or email him the public key data that you copied to the clipboard.

If you already have access to your Linux shell account via password authentication, login to the account and enter the following command:

echo xxxxxxxxxx >> ~/.ssh/authorized_keys
(instead of xxxxx, choose Edit-menu→Paste to paste the public key, which you put to the clipboard in the last step, into the command)

Logging Into Your Linux Server Using Public/Private Key

• Start ZOC and select File-menu → Quick-Connect (or use this window if it automatically opens after starting ZOC)
• Enter or select the following values:
  • Connect-To: (paste your servers's name or ip address)
  • Connection-Type: Secure Shell
  • Emulation: xterm
  • Username: (your username)
  • click on Select Key... and Private Key and choose the id_ecdsa_sk file (this time use the one without the .pub extension, i.e. not the id_ecdsa-sk.pub file)
• Click Connect

We Did It, Yay!

If you created the private key using a passphrase, a window will pop up to ask you for that. Also, depending on the key, a window may also pop up or a message may appear on your screen, that will ask you to enter the PIN and physcially touch your key.

After a moment should see a connection screen that shows the connection proceeding and eventually you will see the familiar $-prompt.

Now you are logged into the Linux using your public/private key pair.

Why ZOC Terminal is a Better Alternative for these Tasks Compared to PuTTY

You can perform the above tasks with a free SSH client like PuTTY as well.

However, while PuTTY is a reasonable choice for to access Linux shells every now and then, ZOC Terminal is designed for ease of use and effectiveness day in and day out. It offers elegant features that save you a lot time when performing routine tasks.

For example, as you saw, creating the key-pair and obtaining the public key takes only a matter of seconds (about 10 mouse clicks).

Connecting to your Linux system through the Quick Connect window is also very easy. If you log off and then realize you forgot something and want to connect again, you can simply press Alt+R in the disconnected tab. Alternatively, go to the Quick Connection window again and click Connect, so you are reconnected with just two mouse clicks.

For file uploads, you can upload files to your server merely by dragging them from the desktop into the ZOC terminal area.

If you are building multiple instances, you can save them from the Quick Connection window to the Host Directory. From there, you can even connect to multiple instances at once (each will then open in a separate tab).

Assume you need to update or install a package on five servers: Open the Host Directory, select the servers using shift+Mouseclick and click Connect. Then press Alt+C to open the Local Typing window. Type your command (e.g., sudo apt update && sudo apt install -y build-essential ), click Send to all tabs, press Enter and you have easily performed this task in under a minute. Press Shift+Esc to watch the parallel output in the Thumbnails overview. Below is a 60-second video which shows how it works and which also shows a few other functions because after updating 5 servers. Within those 60 seconds there was even time left to show file uploads and tab colors ;-).

These are just a few examples that demonstrate how using a professional ssh client like ZOC can save valuable time compared to free tools like PuTTY (which admittedly does cover the essentials quite well).

Conclusion: Using ZOC Terminal to performe routine terminal tasks with ease saves time and it also is more fun!