Log in to Compute Instances Using the Akamai MFA FIDO2 Authenticator and the Krypton akr SSH Agent

Traducciones al Español
Estamos traduciendo nuestros guías y tutoriales al Español. Es posible que usted esté viendo una traducción generada automáticamente. Estamos trabajando con traductores profesionales para verificar las traducciones de nuestro sitio web. Este proyecto es un trabajo en curso.
Create a Linode account to try this guide with a $ credit.
This credit will be applied to any valid services used during your first  days.
Akamai Krypton akr SSH agent is currently in beta. As such, you may encounter issues or experience behavior that’s different than what is detailed in this guide.

Password authentication has long been a common target of brute-force attacks by malicious actors. The most common alternative to passwords is using key pair authentication. While this is more secure, private keys are stored in a user’s local machine and can be stolen by attackers that gain access to that machine. FIDO2 authentication methods overcome this by combining key pair authentication with a hardware or mobile app security challenge. This guide walks you through using the Akamai MFA mobile app, the Akamai Krypton akr SSH agent, and the Cloud Manager to securely connect to your remote Compute Instances through SSH.


Launched in 2013, the FIDO Alliance set out to develop stronger authentication; FIDO2 is the latest version of the standard. FIDO2 authentication is based on private/public key cryptography, does not depend on shared secrets, and ensures that the authentication challenge follows the same path as the request. Using the FIDO2 standard, the likelihood of successful system access with stolen keys or passwords is reduced significantly. FIDO2, in its native forms, is optimized for browser based accesses, but with recent changes to OpenSSH, FIDO2 can now be used to protect SSH logins. The additional benefit of using FIDO2 with SSH is that your private key is no longer stored on your local machine.

Linode’s Cloud Manager recently extended the support of SSH key types for account-wide remote access. Now, users can import SSH keys generated by mobile applications based on the FIDO2 standard. When a new instance is deployed, the FIDO2-generated SSH keys are stored in the server and are available to authenticate users. This enhancement allows users to use an innovative FIDO2 authenticator that is at the core of Akamai MFA.

Akamai MFA is a full-service MFA solution for the workforce, featuring a phishing-proof FIDO2 authentication factor. However, the full Akamai MFA service is not required in order to support MFA for your Compute Instances. Rather, you only need the free Akamai MFA mobile app and Akamai’s Krypton akr SSH agent. Krypton is an SSH agent that cooperates with the Akamai MFA mobile app to perform FIDO2-based authentication. Akamai akr serves as a bridge between your local machine and the Akamai MFA mobile app on your phone, while the Akamai MFA mobile app turns your phone into a FIDO2 authenticator. The FIDO2 private key that serves as your credential is securely stored on your phone (and never leaves the phone) while the actual challenge is presented to you as a phone notification.

Before You Begin

  • Install the Akamai MFA mobile app on your phone or tablet using the Google Play Store (for Android) or the App Store (for iOS).

  • Verify you are running a supported operating system, which includes macOS 10.15+, Debian 11+, Ubuntu 20.04+, AlmaLinux 9, and Rocky Linux 9. Older versions of some Linux distributions may work if the OpenSSH package is upgraded to match the version requirement listed below. Upgrading OpenSSH is outside the scope of this guide.

  • Both your local and remote systems must use OpenSSH 8.2+. The Akamai akr tool generates keys using the ECDSA algorithm with 256-bit strength and outputs them in the sk-ecdsa-sha2-nistp256 format. Due to this, both the local system and any remote systems that use the public key must have OpenSSH 8.2 (or greater) installed. To check your OpenSSH version, run:

    ssh -V

Installation Instructions

Instructions on installing the akr tool (which includes Akamai’s Krypton SSH Agent) to your system. For additional installation help, review the official instructions on Akamai’s documentation site.

To start using FIDO2 authentication with Akamai akr, macOS users can install the agent with Homebrew.

  1. The OpenSSH version included on macOS Ventura (and earlier releases) does not support the necessary security keys features. To overcome this, install OpenSSH through Homebrew and update your PATH variable so that this new version is used instead of the default macOS version.

    brew install openssh
    export PATH=$(brew --prefix openssh)/bin:$PATH
  2. Install akr and pinentry-mac through Homebrew.

    brew install akamai/mfa/akr pinentry-mac
  1. Install GnuPG if you are using Debian. Ubuntu distributions should have this tool already installed.

    sudo apt update
    sudo apt install gnupg
  2. Download the Akamai AKR key file and add it to the /usr/share/keyrings/ directory.

    curl -fsSL https://akamai.github.io/akr-pkg/ubuntu/KEY.gpg | gpg --dearmor | sudo tee /usr/share/keyrings/akr.gpg > /dev/null
  3. Add the Akamai AKR repository.

    echo "deb [signed-by=/usr/share/keyrings/akr.gpg] https://akamai.github.io/akr-pkg/ubuntu ./" | sudo tee /etc/apt/sources.list.d/akr.list
  4. Install the akr and pinentry-tty packages.

    sudo apt update
    sudo apt install akr pinentry-tty
  1. Create a repo file for the akr package repo.

    sudo vim /etc/yum.repos.d/akr.repo
  2. Add the following contents to that file:

    File: /etc/yum.repos.d/akr.repo
    name=akr repository
  3. Install the akr package along with pinentry.

    sudo dnf -y install akr pinentry
You can also build the application with Rust from the repository. First ensure that Rust (https://rustup.rs) is installed, then run cargo build to build the application locally.

Usage Instructions

This section configures the Akamai akr (Krypton) SSH agent that interfaces with the Akamai MFA mobile app. By default, this SSH agent is used for new SSH connections. If you wish to continue using your current SSH agent, additional configuration is required. See Additional SSH Configuration.

When you have Akamai akr installed, you can follow the steps outlined here to set up the agent and pair it with the mobile device.

  1. Write the SSH configuration and initiate the agent.

    akr setup

    This command attempts to write to the SSH client configuration file in the path ~/.ssh/config. If this file doesn’t exist, you will receive a file IO error that indicates the file can’t be found. To overcome this, create the file manually using the command below and then rerun akr setup:

    mkdir -p ~/.ssh/ && touch ~/.ssh/config
  2. Run the pair command, which generates a QR code.

    akr pair
  3. Scan the generated QR code with the Akamai MFA Authenticator app to pair the device and the akr agent.

  4. Generate an SSH key pair in Akamai MFA with the generate command, being sure to provide your own key name.

    akr generate --name <key name>
  5. An SSH key is generated using the sk-ecdsa-sha2-nistp256 format. Retain this public key so you can install it on any systems you wish to access through Akamai MFA.

Log In To a New Compute Instance with the FIDO2 SSH Key

Now that your mobile device has been paired and your Akamai-compatible FIDO2 SSH Key has been generated, you can configure your remote systems to use the new key. This section covers adding the SSH key to your Linode account and installing it on a new Compute Instance.

  1. Add the SSH key to your Linode user account, which enables you to automatically install it on new Compute Instances. For more detailed instructions on adding an SSH key to your account, see Manage SSH Keys.

    1. In Cloud Manager, click on your username in the top right to open the settings menu, and choose SSH Keys.

    2. Click the Add An SSH Key button to open the Add SSH Key form.

    3. Enter a label for this SSH key and, in the SSH Public Key field, paste in the FIDO2 SSH key you generated during a previous step.

    4. Click the Add Key button to store the key on your user account.

    Run the command below, replacing [public-key] with the SSH key that was generated by the akr tool.

    linode-cli sshkeys create \
      --label "Akamai akr SSH Key" \
      --ssh_key "[public-key]"

    For more details, review the CLI request sample on the SSH Key Add API reference.

    Perform the API request below, replacing [public-key] with the SSH key that was generated by the akr tool.

    curl -H "Content-Type: application/json" \
        -H "Authorization: Bearer $TOKEN" \
        -X POST -d '{
            "label": "Akamai akr SSH Key",
            "ssh_key": "[public-key]"
        }' \

    For more details, review the shell request sample on the SSH Key Add API reference.

  2. Create a new Compute Instance, making sure to select your user under SSH Keys. See Create a Compute Instance for full instructions.

  3. When the Compute Instance has finished provisioning and is in a running state, you can connect to it via SSH. After the host public key fingerprint is validated, you’ll receive a push-based prompt on your phone to verify the connection attempt. Once the connect request is approved, you should be successfully logged in to the remote system.

You can also use your FIDO2 SSH key on existing Compute Instances or other Linux systems. See the Using SSH Public Key Authentication on Linux, macOS, and Windows guide for instructions on copying your SSH key from a macOS, Linux, or Windows desktop.

Additional SSH Configuration

When akr is initially configured, the akr (Krypton) becomes the default SSH agent used for SSH connections. This behavior may not be desired for several reasons, including that akr is a beta product and you may have workflows that depend on other SSH agents. If you do not wish to use Akamai’s SSH agent by default, adjust your SSH configuration file by following the instructions below.

  1. Edit your user’s SSH configuration file using your preferred text editor.

    nano ~/.ssh/config
  2. Locate the lines added by Akamai. By default, the lines should match the following (where [user] is your user’s home directory).

    File: ~/.ssh/config
    # Begin Akamai MFA SSH Config
    Host *
      IdentityAgent /Users/[user]/.akr/akr-ssh-agent.sock
    # End Akamai MFA SSH Config

    The Host keyword is used to identify the hosts while the inner IdentityAgent line tells the system which SSH agent should be used for those hosts. In this default configuration, the akr (Krypton) SSH agent is used for all new connections.

  3. Adjust the Host parameter. Replace the asterisks (*) with the specific host names or IP addresses of the systems you’d like to log in to using akr and Akamai MFA (delimited by a space character).

This page was originally published on

Your Feedback Is Important

Let us know if this guide was helpful to you.

Join the conversation.
Read other comments or post your own below. Comments must be respectful, constructive, and relevant to the topic of the guide. Do not post external links or advertisements. Before posting, consider if your comment would be better addressed by contacting our Support team or asking on our Community Site.
The Disqus commenting system for Linode Docs requires the acceptance of Functional Cookies, which allow us to analyze site usage so we can measure and improve performance. To view and create comments for this article, please update your Cookie Preferences on this website and refresh this web page. Please note: You must have JavaScript enabled in your browser.