Krypton akr FIDO2 SSH Agent (beta)
The akr command-line utility consists of the Akamai MFA Krypton SSH Agent, which works exclusively with the Akamai MFA FIDO2 authenticator to provide you with strong, cryptographic authentication for your SSH flows. This is an alternative to the Akamai MFA Unix PAM integration that provides you with additional security for your SSH logins.
To get your akr FIDO2 SSH Agent up and running, you must download and install the Akamai MFA app on your smartphone. To turn your mobile device into a push-based SSH FIDO2 authenticator, you must pair the app with the locally running SSH agent.
Once registration is complete, you receive a signature request on your mobile device each time you attempt to use SSH.
This section refers to a feature that is in beta. It shall not be construed as providing any representation or guarantee as to the matters discussed, as such features may have bugs or other issues. Akamai assumes no obligation to update or correct any matters discussed in this section.
Prerequisites
To enable the akr utility, you have to:
- Run the following systems on your desktop machine:
  - macOS (10.15+) or Linux (64-bit) (Debian, RHEL, and CentOS)
  - OpenSSH Client and Server 8.2+
- On your mobile device, download and install the Akamai MFA mobile app. To download the app, go to the App Store for iPhones or Google Play Store for Androids.
Get Started
To set up your SSH FIDO2 keys, follow these steps:
- On your desktop machine, launch the terminal.
- Start the akr SSH agent and set up your ssh config file:
  - On macOS, run akr setup.
  - On Linux, or if your ssh config file is not in the /etc/ssh/ssh_config location, you may need to specify the file path. In this case, run this command: akr setup --ssh-config-path <file path>.
  Running akr setup updates your ssh config file and installs the akr SSH Agent as a background service on your system. To check the akr configurations, run this command: akr setup --print-only. The SSH config additions look as follows:
    #Begin MFA SSH Config
    Host *
    IdentityAgent /Users/<username>/.akr/akr-ssh-agent.sock
    #End MFA SSH Config
  This enables your native system SSH to communicate with the akr SSH agent process over a Unix socket.
- Run akr pair.
  The QR code displays.
- Scan the QR code using the Akamai MFA app on your mobile device.
  A success message displays confirming that your mobile device was successfully paired with the SSH agent.
- To generate your first SSH FIDO2 key pair, run akr generate --name mykey, where you have to replace name with your last name, and mykey with your key credential name.
  You receive a push notification on your mobile device.
- In the Register Device push notification, tap Allow to confirm.
  This generates your SSH FIDO2 key pair that will be stored on your trusted mobile device.
- Add your public key to the server or github.com.
- To verify whether your Akamai MFA FIDO2 key works, try the following:
    $ ssh ssh.demo.krypt.co -p 5000
  You receive a push notification on your trusted mobile device.
- In Login Request, tap Allow to log in.
  If your SSH FIDO2 keys are working correctly, you should see something like this:
    Hello!
    You have successfully authenticated to the SSH FIDO2 server!
If you have more desktop devices running the akr SSH agent that you want to pair with your trusted mobile device, install the akr utility on each computer and follow the above steps.
- To unpair your mobile device, run akr unpair.
Install or update your akr FIDO2 SSH Agent
- To build from source code:
  - Install Rust.
  - Run cargo build.
- To install with Homebrew on macOS 10.15.5:
  As running OpenSSH 8.2+ is required to use the akr FIDO2 SSH agent, you have to first check your OpenSSH version and upgrade if necessary.
  - To check your SSH version, run ssh -V.
  - If your SSH version is 8.1 or lower, install OpenSSH by running brew install openssh.
  - Reload the shell by running exec $SHELL -l.
  - Check the OpenSSH version by running ssh -V.
  - To install the akr FIDO2 SSH agent, run brew install akamai/mfa/akr.
  Check Homebrew for system requirements and read the installation guide.
- For Debian distribution, follow these steps:
  i. To configure your private Akamai MFA akr package repository for the APT Package Manager, run these commands:
      curl -SsL https://akamai.github.io/akr-pkg/debian/KEY.gpg | sudo apt-key add -
      sudo curl -SsL -o /etc/apt/sources.list.d/akr.list https://akamai.github.io/akr-pkg/debian/akr.list
  ii. To install the akr package, run sudo apt update.
  iii. To update the akr package, run sudo apt install akr.
- For CentOS/RHEL distributions, follow these steps:
  i. Edit the file /etc/yum.repos.d/akr.repo, for example run sudo vim /etc/yum.repos.d/akr.repo.
  ii. Add these lines to your file:
      [akr]
      name=akr repository
      baseurl=https://akamai.github.io/akr-pkg/rpm/
      gpgcheck=0
      enabled=1
     With gpgcheck=0, yum does not verify package signatures for this repository.
  iii. To install the akr package, run sudo yum -y install akr.
  iv. To update the akr package, run sudo yum -y update.
To learn more about the akr installation steps, see the akr readme on GitHub.
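A pre-flight check for the two things the steps above depend on, OpenSSH 8.2+ and the IdentityAgent line that akr setup writes, follows as an added example that is not part of the akr project. The function names and the sample banners and config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not akr code): pre-flight checks for the setup steps above.
# Function names and the sample inputs below are constructed for illustration.

# Succeeds if an `ssh -V` banner reports OpenSSH 8.2 or newer.
openssh_meets_minimum() {
    # Reduce e.g. "OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f" to "8 2".
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2            # not a recognisable OpenSSH banner
    major=${ver% *} minor=${ver#* }
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; }
}

# Prints the IdentityAgent path from the "#Begin MFA SSH Config" block of a file.
mfa_identity_agent() {
    awk '/^#Begin MFA SSH Config/ { inblk = 1; next }
         /^#End MFA SSH Config/   { inblk = 0 }
         inblk && tolower($1) == "identityagent" { print $2; exit }' "$1"
}

# Succeeds if that path is the akr agent socket shown in the config block above.
points_at_akr_socket() {
    case $(mfa_identity_agent "$1") in
        */.akr/akr-ssh-agent.sock) return 0 ;;
        *) return 1 ;;
    esac
}

# --- Demo on constructed input, so it runs without ssh or akr installed ---
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
#Begin MFA SSH Config
Host *
    IdentityAgent /Users/alice/.akr/akr-ssh-agent.sock
#End MFA SSH Config
EOF
for banner in "OpenSSH_8.1p1, LibreSSL 2.7.3" "OpenSSH_8.2p1, OpenSSL 1.1.1f"; do
    if openssh_meets_minimum "$banner"; then echo "ok:      $banner"
    else echo "too old: $banner"; fi
done
if points_at_akr_socket "$sample_cfg"; then
    echo "agent:   $(mfa_identity_agent "$sample_cfg")"
fi
rm -f "$sample_cfg"
# Live use: openssh_meets_minimum "$(ssh -V 2>&1)", then point the other two
# functions at the ssh config file akr setup updated; [ -S <path> ] on the
# printed path confirms the agent socket exists.
```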