Saturday July 31 2021
Rotating my SSH keys the other day I stumbled upon the ed25519-sk type, which I hadn't seen before. I checked the page and sure enough there it was, referencing support for FIDO authenticators.

On OpenBSD, I was able to just plug in my (now quite old) YubiKey, which only supports FIDO U2F, and have this work out of the box.
$ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ~/.ssh/id_ecdsa_sk
Your public key has been saved in ~/.ssh/id_ecdsa_sk.pub
The key fingerprint is:
SHA256:3rbmWRGeHcLOkGSPYHbY+lgYV43V1iBxpdpjKitA+pk mitch@t495s
The key's randomart image is:
+-[ECDSA-SK 256]--+
| +o+.+=++o|
| oo=o=.o..+|
| =+ = o. |
| . o .= B . |
| o S+ B = |
| . ..... + . |
| . +. + o |
| E ...* |
| += |
+----[SHA256]-----+
$
A quick tap of the hardware key and it finished generating the key. If you have OpenSSH 8.2 or newer you should be able to add the key to your ~/.ssh/authorized_keys without any issue and have the machine pick up on it.

This appears to work without much issue on most modern Linux distributions as well. My Void Linux system only needed openssh-sk-helper to be installed. Ubuntu 20.04 worked out of the box.
Many popular Linux distributions in corporate environments, such as CentOS and Debian, ship old patched versions of OpenSSH. As such, these keys aren't recognized by CentOS 7 or even the more recent CentOS 8. I imagine the same is true for their RHEL counterparts.
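The practical consequence of that version gap is worth checking before you roll a security key out to a fleet: a sshd older than 8.2 does not know the sk-ecdsa-sha2-nistp256@openssh.com and sk-ssh-ed25519@openssh.com key types (the names OpenSSH writes into id_ecdsa_sk.pub and id_ed25519_sk.pub), so it skips those authorized_keys entries and the login quietly falls back to whatever other key or password is allowed. The following POSIX shell script is an added example of mine, not something from the post or from OpenSSH; it parses an "OpenSSH_x.y" version banner (the form `ssh -V` prints, and the form a server announces in its protocol banner) and counts the authorized_keys entries such a server would ignore. The banner strings and the authorized_keys content are constructed, and the base64 blobs are placeholders rather than real keys.

```shell
#!/bin/sh
# Added example: check whether an OpenSSH version is new enough for FIDO
# security-key (sk) key types and count authorized_keys entries that an
# older sshd would silently ignore.  Not from the original post.

# openssh_supports_sk BANNER
#   Returns 0 if BANNER is an "OpenSSH_x.y..." string with x.y >= 8.2,
#   1 if it is older, and 2 if it is not an OpenSSH banner at all.
openssh_supports_sk() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; }
}

# is_sk_key_type TOKEN
#   Returns 0 for the two FIDO key-type names OpenSSH 8.2 introduced.
is_sk_key_type() {
    case "$1" in
        sk-ecdsa-sha2-nistp256@openssh.com|sk-ssh-ed25519@openssh.com) return 0 ;;
        *) return 1 ;;
    esac
}

# count_unusable_keys FILE BANNER
#   Prints the number of entries in FILE (authorized_keys format) that a
#   server running BANNER's OpenSSH would not recognise.  A banner that is
#   not OpenSSH at all is treated conservatively as "no sk support".
count_unusable_keys() {
    ak_file=$1
    banner=$2
    if openssh_supports_sk "$banner"; then
        echo 0
        return 0
    fi
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        # Entries may start with options (no-port-forwarding, from=..., ...),
        # so look at every whitespace-separated field for a key-type token.
        for field in $line; do
            if is_sk_key_type "$field"; then
                n=$((n + 1))
                break
            fi
        done
    done < "$ak_file"
    echo "$n"
}

# Constructed sample authorized_keys: one classic key and two FIDO keys,
# the second FIDO key carrying an option prefix.  Blobs are placeholders.
SAMPLE_AK=$(mktemp)
trap 'rm -f "$SAMPLE_AK"' EXIT
cat > "$SAMPLE_AK" <<'EOF'
# constructed sample; the base64 blobs are placeholders, not real keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1 mitch@laptop
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20PLACEHOLDER2 mitch@t495s
no-port-forwarding sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tPLACEHOLDER3 mitch@desk
EOF

# Constructed banners.  The version numbers are what CentOS 7 (7.4p1) and
# CentOS 8 (8.0p1) shipped to my knowledge; treat them as an assumption
# and substitute the output of `ssh -V` on your own hosts.
for banner in "OpenSSH_7.4p1" "OpenSSH_8.0p1" "OpenSSH_8.2p1 Ubuntu-4ubuntu0.1"; do
    n=$(count_unusable_keys "$SAMPLE_AK" "$banner")
    echo "$banner: $n authorized_keys entr(y/ies) would be ignored"
done
```

Run it against a real server by replacing the banner loop with `ssh -V 2>&1` output collected from the host (or the "remote software version" line from `ssh -v`) and pointing it at the real authorized_keys file; a non-zero count means the FIDO key will never be consulted there and the account needs either an OpenSSH upgrade or a non-FIDO key kept alongside.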
This should work with the inexpensive Solo Keys and the Yubico Security Keys, as well as the YubiKey 5.