Using LogonBox Authenticator Credentials as SSH Keys

Introduction

The LogonBox Authenticator is a mobile 2FA authentication app developed by our sister company LogonBox Limited. The authenticator provides a set of public-key credentials for logging into LogonBox services such as the Self-Service Password Reset, VPN or Cloud Directory appliances. 

When combined with the Desktop SSH Agent, the LogonBox SSPR and LogonBox Directory products can also operate as Key Servers, allowing you to log in to SSH servers using the LogonBox credentials stored on your mobile phone.

The LogonBox credentials utilise ED25519 private keys for authentication, and for SSH support, an RSA key is also made available to ensure support for legacy SSH services.

With this unique setup, your keys remain secure on your mobile device and are usable across multiple devices. All that is required is a Desktop SSH Agent on each device configured to use the same LogonBox key server. 

Configuration

To configure your LogonBox server in the Desktop SSH Agent, open the preferences and select the Authenticator tab. Enter the hostname, port and email address you have registered with LogonBox.

Click Save to commit the changes.

Now open up your private key listing to see your LogonBox credentials.

Using the Keys

To get the public key entries for your authorized_keys file, open a browser and enter the following URL for your LogonBox server: https://<hostname>/authorizedKeys/<email>

This will output the lines you need to add to your authorized_keys file on your SSH servers.

# Authorized keys for lee@logonbox.com
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAAYjUEkdsNvguoqrFohpl+x8YBv3ZBx0gk7Cw7Sx LogonBox Key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZcmgFhrz0BMEOYsQ8u3tY4iwliw2aMguCwsIsmvMMp/FSn7C Legacy RSA
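
Because these lines are copied from a server response into authorized_keys, it is worth checking each one before appending it. The following is an added example, not LogonBox or Jadaptive code: it accepts only the two key types described above, rejects any line that carries an options prefix or a malformed key blob, and returns an OpenSSH-style SHA256 fingerprint for each accepted key. The helper sample_line and the GOOD and SAMPLE values are constructed for illustration and are not real keys.

```python
import base64, binascii, hashlib

ALLOWED = {"ssh-ed25519", "ssh-rsa"}  # the two key types the page says the server returns

def _read(buf, off):
    """Read one length-prefixed SSH string; return (value, next_offset)."""
    end = off + 4 + int.from_bytes(buf[off:off + 4], "big")
    if off + 4 > len(buf) or end > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:end], end

def check_line(line):
    """Return (type, SHA256 fingerprint, comment) for one key line, or raise ValueError."""
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in ALLOWED:
        raise ValueError("first field is not an allowed key type (options or junk)")
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except binascii.Error as exc:
        raise ValueError("invalid base64") from exc
    fields, off = [], 0
    while off < len(blob):
        value, off = _read(blob, off)
        fields.append(value)
    if not fields or fields[0] != parts[0].encode():
        raise ValueError("declared type differs from type inside the blob")
    ed = parts[0] == "ssh-ed25519"  # ed25519 holds one 32-byte key; ssh-rsa holds e and n
    if len(fields) != (2 if ed else 3) or (ed and len(fields[1]) != 32):
        raise ValueError("malformed key blob")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return parts[0], "SHA256:" + digest, parts[2].strip() if len(parts) > 2 else ""

def vet(text):
    """Split key-server output into accepted key tuples and rejected (line, reason) pairs."""
    accepted, rejected = [], []
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#"):
            try:
                accepted.append(check_line(line))
            except ValueError as exc:
                rejected.append((line[:40], str(exc)))
    return accepted, rejected

def sample_line(ktype, *fields, comment="constructed"):
    """Build a constructed (not real) key line for exercising the checks above."""
    blob = b"".join(len(f).to_bytes(4, "big") + f for f in (ktype.encode(), *fields))
    return f"{ktype} {base64.b64encode(blob).decode()} {comment}"

GOOD = sample_line("ssh-ed25519", bytes(range(32)))  # constructed, not a real key
SAMPLE = f'# constructed key-server output\n{GOOD}\ncommand="echo x" {GOOD}\n'
```

Calling vet(SAMPLE) accepts the first key line and rejects the second. The returned fingerprint can be compared with the one your SSH tooling reports for the same key before the line is added to authorized_keys.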

Once you have configured your server’s authorized_keys file, use the Desktop SSH Agent to log into that server, either through the built-in terminal or your normal SSH client. If the client uses the agent to authenticate, it will pick up these keys and you will be prompted in your LogonBox Authenticator app to Authorize the login.

By Authorizing the request, you are allowing the app to sign the SSH authentication request and return the authentication data to the client via the Desktop Agent.

This mechanism relies on Push technology. If the push notification does not arrive, you can swipe left on the credentials in the authenticator app and select Authorize to manually authorize the request.

It’s important to note that at no point are your private keys stored on any Jadaptive or LogonBox server. The private keys are stored in private app storage on your mobile phone. The only thing shared with the servers is your email address, which allows lookup of the associated public keys of your credentials.

Register for your FREE LogonBox Directory Account

LogonBox are providing free personal accounts on the LogonBox Cloud Directory to users that want to use this without the hassle of setting up their own LogonBox server.

Download the Desktop SSH Agent from https://jadaptive.com/en/desktop-ssh-agent/download

Once installed, sign up for your free account at https://www.logonbox.com/content/authenticator/begin