Enable U2F/FIDO2 security keys support in AIX OpenSSH server

By AKANKSHA PRIYA posted 22 hours ago

  

Introduction 

 

In AIX environments, SSH is the standard secure method for shell access, as legacy protocols such as Telnet are disabled by default for security reasons. Traditionally, SSH authentication has relied on password-based or certificate-based mechanisms. However, with the growing sophistication of cyberattacks, relying on single-factor authentication is no longer sufficient. This has led to the adoption of Multi-Factor Authentication (MFA), which combines multiple layers of security, such as something you know (a password) and something you have (a hardware security key like a YubiKey). 

 

To enable MFA in AIX as described here, a YubiKey device (e.g., YubiKey 5C NFC) is required to perform the hardware-backed authentication. While AIX does not natively support FIDO authentication, recent enhancements make it possible to use U2F/FIDO2 security keys with the OpenSSH server. This is achieved by configuring ed25519-sk or ecdsa-sk keys as part of the public key authentication process.  

FIDO key support for the SSH server is introduced in AIX 7.3 TL4, which ships OpenSSH version 9.9.3015.2000. This version is the minimum requirement. 

 

What is YubiKey? 

 

A YubiKey is a hardware-based security device that supports multiple authentication protocols, including FIDO2, U2F (Universal 2nd Factor), OTP (One-Time Password), Smart Card (PIV), and OpenPGP. Its primary purpose is to provide multi-factor authentication (MFA) for securing access to applications, websites, systems, and services.  

 

The key advantage of YubiKey is that an attacker cannot gain access even if they have your credentials. Physical possession of the device is required to complete authentication. 

 

Multi-Factor Authentication (MFA) 

 

Multi-Factor Authentication (MFA) is a security mechanism that requires more than one form of verification to authenticate a user. Typically, MFA is a combination of: 

 

1. Something we know - A password or PIN. 

2. Something we have - A hardware token like a YubiKey or a mobile device (for time-based one-time passwords (TOTP) or push notifications). 

3. Something we are - Biometric authentication, such as fingerprints or facial recognition. 

 

MFA significantly increases the security of the authentication process. Even if an attacker compromises one factor (such as a password), the login fails because the other required factors are missing. 

The YubiKey device primarily acts as a "something we have" factor in MFA. It uses public-key cryptography and can work with a wide range of authentication protocols such as: 

 

  • FIDO2: Allows password-less authentication, where the YubiKey serves as the authentication device that proves our identity. 
  • U2F: Adds an extra layer of security by requiring a YubiKey to authenticate with a second factor during login (typically alongside a password). 
  • One-Time Password (OTP): The YubiKey can generate a time-based one-time password for logging into accounts. 
  • Smart Card (PIV): The YubiKey can act as a smart card, where it holds digital certificates used for encryption, signing, and authentication. 

 

FIDO Authentication with YubiKey 

 

FIDO (Fast Identity Online) is a set of open standards for password-less authentication, which aims to reduce the reliance on traditional passwords while providing a more secure way to authenticate users. FIDO uses public-key cryptography to authenticate a user without transmitting sensitive information over the network. 

 

There are two major versions of FIDO: 

 

1. FIDO U2F (Universal 2nd Factor): This is the original FIDO standard, which is used in conjunction with a password. When we log into an online service, we provide our password (first factor), and then we are prompted to insert our YubiKey (second factor). The YubiKey generates a cryptographic signature that proves we're the legitimate user. 

 

2. FIDO2: This is a newer standard that provides password-less authentication. FIDO2 involves a combination of WebAuthn (Web Authentication API) and CTAP (Client-to-Authenticator Protocol). FIDO2 enables users to log into services using their YubiKey without needing a password at all. The YubiKey will handle both authentication and the storage of cryptographic keys. 

 

Before using a YubiKey for FIDO authentication, it must be registered first. The process generally involves two stages: 

 

  • Registration 

   - The user registers the YubiKey device with a service such as a website or an SSH server, which generates a cryptographic public/private key pair. 

   - The private key stays securely on the YubiKey, while the public key is saved on the server. 

   - The FIDO protocol ensures that the private key never leaves the device and that authentication requires physical access to the YubiKey. 

 

  • Authentication 

   - When logging in, the service sends a challenge to the YubiKey. 

   - The YubiKey signs the challenge using its private key and returns the signed response.   

   - The server verifies the response with the stored public key. If the verification succeeds, authentication is complete and the user is granted access. 

 

Implementing Multi-Factor Authentication (MFA) on AIX with YubiKey

 

In this demonstration, we’ll walk you through how to enable Multi-Factor Authentication (MFA) on an AIX system using one of the popular hardware security keys, the YubiKey 5C NFC from Yubico.
The goal is to configure AIX as the SSH server that supports FIDO U2F authentication, while the SSH client can be any non-AIX system. For our example, we’re using a desktop PC/Laptop as the SSH client.
To make the YubiKey functional on the client side, you’ll need to install YubiKey Manager or the ykman tool. These tools allow you to manage and configure the YubiKey device for authentication purposes.
This setup provides an additional layer of security beyond passwords, leveraging strong hardware-based authentication for SSH access to AIX.

  

1. Register YubiKey on SSH client (Mac partition)  

Steps to enable FIDO U2F authentication on the SSH client (Mac): 

 

  • Install YubiKey Manager: Insert YubiKey into the laptop & install YubiKey Manager from Yubico’s official website:  

https://www.yubico.com/support/download/yubikey-manager/. 

We have used the below YubiKey device for our testing: 

[Image: the YubiKey 5C NFC device used for testing] 

  • Set FIDO2 PIN: Configure the PIN via the Applications tab in YubiKey Manager. 
  • Generate ed25519-sk Key: Ensure the OpenSSH version on the SSH client (Mac) is 8.2 or higher. With the YubiKey inserted in the USB Type-C port, use the ssh-keygen command to create a new ed25519-sk key pair. This stores the private key securely on the YubiKey and creates a corresponding public key. 

# brew install openssh 

# brew install libfido2 

# ssh-keygen -t ed25519-sk -O resident -O verify-required -f ~/.ssh/id_ed25519_sk 

 

      • -O resident: Stores the key on the YubiKey itself, so it can be used from other systems. 
      • -O verify-required: Requires user verification (the FIDO2 PIN) in addition to the physical touch on the YubiKey for every use, adding extra security. 

During key generation, you’ll be requested for the FIDO2 PIN and prompted to touch the YubiKey, ensuring secure key creation.  

 

Once the YubiKey device is set up and the key pair is generated, the SSH client has to be configured to use FIDO U2F authentication. 

 

Edit “~/.ssh/config” file to include FIDO U2F keys support. 

 

Host <hostname> 

    User <user_name> 

    IdentityFile ~/.ssh/id_ed25519_sk 

    PubkeyAcceptedKeyTypes +sk-ssh-ed25519@openssh.com 

 

 

2. Enable FIDO U2F authentication on AIX OpenSSH Server 

  • Add Public Key: Copy the public key generated on the client to the target user’s authorized_keys file. Here, we assume that the SSH client is logging in as the root user, so we need to update ~/.ssh/authorized_keys for root on the AIX server. This step ensures that the AIX server recognizes the YubiKey’s public key for authentication. 

  • Update SSH Server Configuration: Edit SSH server configuration file (/etc/ssh/sshd_config) and add: 

 

# Enable security key authentication 

AuthenticationMethods password,publickey 

 

# Enforce User Verification 

PubkeyAuthOptions verify-required 

 

This enforces MFA: first password, then FIDO2 PIN, followed by physical confirmation on the YubiKey.  

 

  • Restart SSH Daemon: Apply changes by restarting SSH service. 

# stopsrc -s sshd 

# startsrc -s sshd 
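Before restarting sshd it is worth confirming that the two directives above actually make the hardware key mandatory, and that no ordinary (non-sk) key is left in authorized_keys, since a plain ssh-ed25519 or ssh-rsa key would still satisfy the "publickey" step without any YubiKey. The following pre-flight checks are an added example, not part of the original post or of AIX; they assume only POSIX sh and awk, and the sample config and key files they create are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks to run on the
# AIX server before "startsrc -s sshd". Assumes only POSIX sh and awk.

# check_sshd_config FILE
# Returns 0 when the first (global) AuthenticationMethods line requires
# publickey in every listed method set and PubkeyAuthOptions contains
# verify-required; sshd uses the first value of a keyword, and lines after a
# Match block are conditional, so both are handled as sshd would.
check_sshd_config() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        tolower($1) == "match" { exit }                  # later lines are not global settings
        tolower($1) == "authenticationmethods" && !seen_am {
            seen_am = 1
            # each space-separated field is one allowed method list, e.g. "password,publickey";
            # every list must contain publickey or a password-only login remains possible
            for (i = 2; i <= NF; i++)
                if ($i !~ /(^|,)publickey(,|$)/) weak = 1
        }
        tolower($1) == "pubkeyauthoptions" && !seen_pao {
            seen_pao = 1
            for (i = 2; i <= NF; i++)
                if ($i ~ /(^|,)verify-required(,|$)/) uv = 1
        }
        END { exit !(seen_am && !weak && uv) }
    ' "$1"
}

# check_authorized_keys FILE
# Returns 0 when every active key line uses a security-key (sk-*) type and
# prints each offending line otherwise. The key type is the first field that
# looks like a key-type name, so leading options such as verify-required or
# from="..." are skipped (a quoted option containing spaces is not handled).
check_authorized_keys() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            type = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(sk-|ssh-|ecdsa-)/) { type = $i; break }
            if (type !~ /^sk-/) {
                bad++
                printf "line %d: non-FIDO key type %s\n", NR, (type == "" ? "(unrecognised)" : type)
            }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# write_samples DIR
# Writes constructed sample files (placeholder key blobs, not real keys) so the
# checks can be exercised offline without touching /etc/ssh.
write_samples() {
    mkdir -p "$1" || return 1
    printf '%s\n' \
        '#       ForceCommand cvs server' \
        'AuthenticationMethods password,publickey' \
        'PubkeyAuthOptions verify-required' > "$1/good_sshd_config"
    printf '%s\n' \
        'AuthenticationMethods password,publickey password' \
        'PubkeyAuthOptions touch-required' > "$1/weak_sshd_config"
    printf '%s\n' \
        'sk-ssh-ed25519@openssh.com AAAAPLACEHOLDER== user@laptop' > "$1/good_keys"
    printf '%s\n' \
        'verify-required sk-ssh-ed25519@openssh.com AAAAPLACEHOLDER== user@laptop' \
        'ssh-rsa AAAAPLACEHOLDER== old-laptop' > "$1/mixed_keys"
}

# Demonstration on the constructed samples; on a real server run the two
# check_* functions against /etc/ssh/sshd_config and ~/.ssh/authorized_keys.
demo() {
    dir="${TMPDIR:-/tmp}/fido_preflight.$$"
    write_samples "$dir" || return 1
    for f in good weak; do
        if check_sshd_config "$dir/${f}_sshd_config"; then
            echo "${f}_sshd_config: OK, hardware key is mandatory"
        else
            echo "${f}_sshd_config: REJECTED, publickey or verify-required not enforced"
        fi
    done
    for f in good mixed; do
        if check_authorized_keys "$dir/${f}_keys"; then
            echo "${f}_keys: OK, only sk-* keys present"
        else
            echo "${f}_keys: REJECTED, see lines above"
        fi
    done
    rm -rf "$dir"
}

demo
```

A config is rejected if any method list in AuthenticationMethods omits publickey, because sshd accepts a login that satisfies any one of the listed sets; "password,publickey password" would therefore let a password alone through. Running both checks and then "sshd -t" (the syntax test of the OpenSSH daemon) before the startsrc restart keeps a mistyped directive from locking you out.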

 

Login Experience:  

Once the above configuration is done, initiate SSH: 

    # ssh root@aixserver 

 

The SSH client will prompt for: 

1. Password 

2. FIDO2 PIN

3. Physical touch on the YubiKey 

This completes MFA and ensures secure access. 

 

Here is an example of FIDO U2F authentication: 

 

#  tail -6 /etc/ssh/sshd_config 

#       AllowTcpForwarding no 

#       PermitTTY no 

#       ForceCommand cvs server 

 

AuthenticationMethods password,publickey 

PubkeyAuthOptions verify-required 

 

 

% ssh root@aixsystem 

root@aixsystem's password:  

Confirm user presence for key ED25519-SK SHA256:m7ssdN/xi3LYmJnHj853zapCxcnpNjLnqpbUW7y6AGk 

Enter PIN for ED25519-SK key /Users/username/.ssh/id_ed25519_sk:  

Confirm user presence for key ED25519-SK SHA256:m7ssdN/xi3LYmJnHj853zapCxcnpNjLnqpbUW7y6AGk 

User presence confirmed 

Last unsuccessful login: Thu May 22 05:35:05 CDT 2025 on ssh from 127.0.0.1 

Last login: Thu May 22 05:35:10 CDT 2025 on /dev/pts/0 from 127.0.0.1 

******************************************************************************* 

*                                                                             * 

*                                                                             * 

*  Welcome to AIX Version 7.3!                                                * 

*                                                                             * 

*                                                                             * 

*  Please see the README file in /usr/lpp/bos for information pertinent to    * 

*  this release of the AIX Operating System.                                  * 

*                                                                             * 

*                                                                             * 

******************************************************************************* 

[YOU HAVE NEW MAIL] 

 

 

# 

 

Advantages of enabling FIDO authentication in OpenSSH 

 

  • Stronger Authentication: By using public-key cryptography and physical hardware, YubiKey provides a high level of protection against phishing, man-in-the-middle attacks, and credential theft. 
  • Phishing Resistance: The authentication process is highly resistant to phishing, as the private key is stored securely on the YubiKey and cannot be intercepted or stolen during transmission. 
  • Multi-Factor Authentication (MFA): By requiring both something we know (e.g., password) and something we have (the YubiKey), SSH login becomes more secure. 
  • Compatibility: YubiKey is compatible with many services and protocols, not just OpenSSH. This makes it a versatile solution for MFA across many platforms (websites, VPNs, applications). 

 

References 

 

Documents from YubiKey device manufacturer: 

 

 
