The akr command line utility is an SSH Agent which works with the Akamai MFA authenticator apps for iOS and Android. Akr enables your mobile device to perform SSH authentication using a FIDO2 key generated by the Akamai MFA app.
akr runs as an SSH agent: when you run `ssh [user@server]`, SSH asks the agent for a FIDO2 private key signature operation. This request is routed to a paired mobile phone (running the Akamai MFA app), where the user decides whether or not to allow the operation. If allowed, the phone simply sends the signature back to the agent. Private keys never leave the phone.
⚠️ akr is currently in early-preview mode! Please contact us with any issues you find or feature suggestions.
- First, run `akr setup` to create configurations and start the agent
- Next, pair your device: run `akr pair`
- Scan the QR code with the Akamai MFA app
- Run `akr generate --name mykey` to generate your first SSH key in Akamai MFA. This will output your SSH public key.
- Add your public key to a server or github.com
- You're all set!
Usage:
akr [options] [command] [arguments]
Options:
| Syntax | Description |
|---|---|
| -V, --version | Display the version number for the akr client. |
| -h, --help | Display usage information for akr client. |
Commands:
| Command | Description | Example |
|---|---|---|
| setup | Set up the background daemon and update the SSH configuration | akr setup --ssh-config-path <ssh_config_file_path> |
| pair | Pair with your phone/tablet | akr pair |
| generate | Generate a new SSH credential | akr generate --name <ssh_credential_name> |
| unpair | Unpair from your phone/tablet | akr unpair |
| load | Load public keys from the Akamai MFA app on your phone/tablet | akr load |
| status | Get pairing info from your phone/tablet | akr status |
| check | Health check of all the dep systems and system configs | akr check |
- macOS (10.15+) or Linux (64 Bit) (Debian, RHEL, and CentOS).
- OpenSSH Client and Server 8.2+
- pinentry
```
brew install akamai/mfa/akr
brew install pinentry-mac
```

```
curl -SsL https://akamai.github.io/akr-pkg/ubuntu/KEY.gpg | sudo apt-key add -
sudo curl -SsL -o /etc/apt/sources.list.d/akr.list https://akamai.github.io/akr-pkg/ubuntu/akr.list
sudo apt update
sudo apt install akr
sudo apt install pinentry-tty
```

```
sudo vim /etc/yum.repos.d/akr.repo
```

```
[akr]
name=akr repository
baseurl=https://akamai.github.io/akr-pkg/rpm/
gpgcheck=0
enabled=1
```

```
sudo yum -y update
sudo yum -y install akr
sudo yum -y install pinentry-gtk
```

```
sudo vim /etc/yum.repos.d/akr.repo
```

```
[akr]
name=akr repository
baseurl=https://akamai.github.io/akr-pkg/rpm-9/
gpgcheck=0
enabled=1
```

```
sudo yum -y update
sudo yum -y install akr
sudo yum -y install pinentry-gtk
```

akr is built entirely with Rust. Ensure you have Rust installed (https://rustup.rs) and run `cargo build`.
Running akr setup updates your SSH config file and installs the akr ssh-agent as a background service on your system.
To see what akr configures, run akr setup --print-only.
The SSH config additions look as follows:
```
# Begin Akamai MFA SSH Config
Host *
    IdentityAgent /Users/<username>/.akr/akr-ssh-agent.sock
# End Akamai MFA SSH Config
```
This enables your native system SSH to communicate with the akr ssh-agent process over a Unix socket.
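OpenSSH uses the first value it obtains for each config parameter, so an `IdentityAgent` line that appears before the akr block takes precedence for the hosts it matches. The check below is an added example, not part of akr or this README; the function names, the sample config and the user `alice` are constructed, and `Host`/`Match` scoping and `Include` files are ignored.

```shell
#!/bin/sh
# Added example (not akr code). Function names and sample data are constructed.
# Simplification: Host/Match scoping, Include files and "key=value" syntax are ignored.

# Print the IdentityAgent path inside the akr marker block of config file $1.
akr_block_agent() {
    awk '
        /^# Begin Akamai MFA SSH Config/ { inblk = 1; next }
        /^# End Akamai MFA SSH Config/   { inblk = 0 }
        inblk && tolower($1) == "identityagent" { print $2; exit }
    ' "$1"
}

# Print the first IdentityAgent directive in the file; ssh_config keeps the
# first value obtained for a parameter, so this is the one that wins.
first_identity_agent() {
    awk 'tolower($1) == "identityagent" { print $2; exit }' "$1"
}

# Return 0 if the akr agent is the first IdentityAgent, 1 if an earlier
# directive shadows it, 2 if the akr block is missing.
check_akr_config() {
    akr_agent=$(akr_block_agent "$1")
    [ -n "$akr_agent" ] || return 2
    [ "$(first_identity_agent "$1")" = "$akr_agent" ] || return 1
    return 0
}

# Constructed sample: another agent is configured ahead of the akr block.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
Host *
    IdentityAgent ~/.other-agent/agent.sock
# Begin Akamai MFA SSH Config
Host *
    IdentityAgent /Users/alice/.akr/akr-ssh-agent.sock
# End Akamai MFA SSH Config
EOF
demo_rc=0
check_akr_config "$demo_cfg" || demo_rc=$?
echo "check_akr_config status: $demo_rc"
rm -f "$demo_cfg"
```

On a real system, `ssh -G <host>` prints the configuration OpenSSH would actually use for that host after full `Host`/`Match` evaluation.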
- You can also use your existing local RSA, ECDSA, ED25519 keys with akr as well. When you run `akr setup`, any existing local keys directly inside the ~/.ssh folder get loaded into the ssh-agent.
- If you have an ECDSA key, please make sure the private key is in PEM format.
For any security related questions, please contact our security team. Please disclose any issues responsibly using our Akamai Security GPG Public Key and send communications to [email protected].
Copyright (c) 2021, Akamai Technologies. All rights reserved.