Product docs and API reference are now on Akamai TechDocs.
Search product docs.
Search for “” in product docs.
Search API reference.
Search for “” in API reference.
Search Results
 results matching 
 results
No Results
Filters
Log in to Compute Instances Using the Akamai MFA FIDO2 Authenticator and the Krypton akr SSH Agent
Traducciones al EspañolEstamos traduciendo nuestros guías y tutoriales al Español. Es posible que usted esté viendo una traducción generada automáticamente. Estamos trabajando con traductores profesionales para verificar las traducciones de nuestro sitio web. Este proyecto es un trabajo en curso.
Password authentication has long been a common target of brute-force attacks by malicious actors. The most common alternative to passwords is using key pair authentication. While this is more secure, private keys are stored in a user’s local machine and can be stolen by attackers that gain access to that machine. FIDO2 authentication methods overcome this by combining key pair authentication with a hardware or mobile app security challenge. This guide walks you through using the Akamai MFA mobile app, the Akamai Krypton akr SSH agent , and the Cloud Manager to securely connect to your remote Compute Instances through SSH.
Overview
Launched in 2013, the FIDO Alliance set out to develop stronger authentication; FIDO2 is the latest version of the standard. FIDO2 authentication is based on private/public key cryptography, does not depend on shared secrets, and ensures that the authentication challenge follows the same path as the request. Using the FIDO2 standard, the likelihood of successful system access with stolen keys or passwords is reduced significantly. FIDO2, in its native forms, is optimized for browser based accesses, but with recent changes to OpenSSH, FIDO2 can now be used to protect SSH logins. The additional benefit of using FIDO2 with SSH is that your private key is no longer stored on your local machine.
Linode’s Cloud Manager recently extended the support of SSH key types for account-wide remote access. Now, users can import SSH keys generated by mobile applications based on the FIDO2 standard. When a new instance is deployed, the FIDO2-generated SSH keys are stored in the server and are available to authenticate users. This enhancement allows users to use an innovative FIDO2 authenticator that is at the core of Akamai MFA.
Akamai MFA is a full-service MFA solution for the workforce, featuring a phishing-proof FIDO2 authentication factor. However, the full Akamai MFA service is not required in order to support MFA for your Compute Instances. Rather, you only need the free Akamai MFA mobile app and Akamai’s Krypton akr SSH agent. Krypton is an SSH agent that cooperates with the Akamai MFA mobile app to perform FIDO2-based authentication. Akamai akr serves as a bridge between your local machine and the Akamai MFA mobile app on your phone, while the Akamai MFA mobile app turns your phone into a FIDO2 authenticator. The FIDO2 private key that serves as your credential is securely stored on your phone (and never leaves the phone) while the actual challenge is presented to you as a phone notification.
Before You Begin
Install the Akamai MFA mobile app on your phone or tablet using the Google Play Store (for Android) or the App Store (for iOS).
Verify you are running a supported operating system, which includes macOS 10.15+, Debian 11+, Ubuntu 20.04+, AlmaLinux 9, and Rocky Linux 9. Older versions of some Linux distributions may work if the OpenSSH package is upgraded to match the version requirement listed below. Upgrading OpenSSH is outside the scope of this guide.
Both your local and remote systems must use OpenSSH 8.2+. The Akamai akr tool generates keys using the ECDSA algorithm with 256-bit strength and outputs them in the
sk-ecdsa-sha2-nistp256
format. Due to this, both the local system and any remote systems that use the public key must have OpenSSH 8.2 (or greater) installed. To check your OpenSSH version, run:ssh -V
Installation Instructions
Instructions on installing the akr tool (which includes Akamai’s Krypton SSH Agent) to your system. For additional installation help, review the official instructions on Akamai’s documentation site.
To start using FIDO2 authentication with Akamai akr, macOS users can install the agent with Homebrew .
The OpenSSH version included on macOS Ventura (and earlier releases) does not support the necessary security keys features. To overcome this, install OpenSSH through Homebrew and update your PATH variable so that this new version is used instead of the default macOS version.
brew install openssh export PATH=$(brew --prefix openssh)/bin:$PATH
Install akr and
pinentry-mac
through Homebrew.brew install akamai/mfa/akr pinentry-mac
Install GnuPG if you are using Debian. Ubuntu distributions should have this tool already installed.
sudo apt update sudo apt install gnupg
Download the Akamai AKR key file and add it to the
/usr/share/keyrings/
directory.curl -fsSL https://akamai.github.io/akr-pkg/ubuntu/KEY.gpg | gpg --dearmor | sudo tee /usr/share/keyrings/akr.gpg > /dev/null
Add the Akamai AKR repository.
echo "deb [signed-by=/usr/share/keyrings/akr.gpg] https://akamai.github.io/akr-pkg/ubuntu ./" | sudo tee /etc/apt/sources.list.d/akr.list
Install the
akr
andpinentry-tty
packages.sudo apt update sudo apt install akr pinentry-tty
Create a repo file for the akr package repo.
sudo vim /etc/yum.repos.d/akr.repo
Add the following contents to that file:
- File: /etc/yum.repos.d/akr.repo
1 2 3 4 5
[akr] name=akr repository baseurl=https://akamai.github.io/akr-pkg/rpm-9/ gpgcheck=0 enabled=1
Install the
akr
package along withpinentry
.sudo dnf -y install akr pinentry
cargo build
to build the application locally.Usage Instructions
When you have Akamai akr installed, you can follow the steps outlined here to set up the agent and pair it with the mobile device.
Write the SSH configuration and initiate the agent.
akr setup
Note This command attempts to write to the SSH client configuration file in the path
~/.ssh/config
. If this file doesn’t exist, you will receive a file IO error that indicates the file can’t be found. To overcome this, create the file manually using the command below and then rerunakr setup
:mkdir -p ~/.ssh/ && touch ~/.ssh/config
Run the pair command, which generates a QR code.
akr pair
Scan the generated QR code with the Akamai MFA Authenticator app to pair the device and the akr agent.
Generate an SSH key pair in Akamai MFA with the generate command, being sure to provide your own key name.
akr generate --name <key name>
An SSH key is generated using the
sk-ecdsa-sha2-nistp256
format. Retain this public key so you can install it on any systems you wish to access through Akamai MFA.
Log In To a New Compute Instance with the FIDO2 SSH Key
Now that your mobile device has been paired and your Akamai-compatible FIDO2 SSH Key has been generated, you can configure your remote systems to use the new key. This section covers adding the SSH key to your Linode account and installing it on a new Compute Instance.
Add the SSH key to your Linode user account, which enables you to automatically install it on new Compute Instances. For more detailed instructions on adding an SSH key to your account, see Manage SSH Keys .
In Cloud Manager , click on your username in the top right to open the settings menu, and choose SSH Keys.
Click the Add An SSH Key button to open the Add SSH Key form.
Enter a label for this SSH key and, in the SSH Public Key field, paste in the FIDO2 SSH key you generated during a previous step.
Click the Add Key button to store the key on your user account.
Run the command below, replacing [public-key] with the SSH key that was generated by the akr tool.
linode-cli sshkeys create \ --label "Akamai akr SSH Key" \ --ssh_key "[public-key]"
For more details, review the CLI request sample on the SSH Key Add API reference .
Perform the API request below, replacing [public-key] with the SSH key that was generated by the akr tool.
curl -H "Content-Type: application/json" \ -H "Authorization: Bearer $TOKEN" \ -X POST -d '{ "label": "Akamai akr SSH Key", "ssh_key": "[public-key]" }' \ https://api.linode.com/v4/profile/sshkeys
For more details, review the shell request sample on the SSH Key Add API reference .
Create a new Compute Instance, making sure to select your user under SSH Keys. See Create a Compute Instance for full instructions.
When the Compute Instance has finished provisioning and is in a running state, you can connect to it via SSH . After the host public key fingerprint is validated, you’ll receive a push-based prompt on your phone to verify the connection attempt. Once the connect request is approved, you should be successfully logged in to the remote system.
Additional SSH Configuration
When akr is initially configured, the akr (Krypton) becomes the default SSH agent used for SSH connections. This behavior may not be desired for several reasons, including that akr is a beta product and you may have workflows that depend on other SSH agents. If you do not wish to use Akamai’s SSH agent by default, adjust your SSH configuration file by following the instructions below.
Edit your user’s SSH configuration file using your preferred text editor.
nano ~/.ssh/config
Locate the lines added by Akamai. By default, the lines should match the following (where [user] is your user’s home directory).
- File: ~/.ssh/config
1 2 3 4
# Begin Akamai MFA SSH Config Host * IdentityAgent /Users/[user]/.akr/akr-ssh-agent.sock # End Akamai MFA SSH Config
The
Host
keyword is used to identify the hosts while the innerIdentityAgent
line tells the system which SSH agent should be used for those hosts. In this default configuration, the akr (Krypton) SSH agent is used for all new connections.Adjust the
Host
parameter. Replace the asterisks (*
) with the specific host names or IP addresses of the systems you’d like to log in to using akr and Akamai MFA (delimited by a space character).
This page was originally published on