Starting with the OpenSSH 8.2 release, OpenSSH supports authentication using FIDO/U2F tokens. These tokens are required to implement the ECDSA-P256 "ecdsa-sk" key type, but some (for example a Yubikey) also support Ed25519 (ed25519-sk) keys. In this example I am using a Yubikey 5.
I am going to generate a non-discoverable key on the card itself. This means that along with the card, we will also have a key on disk, and one will need both to authenticate. If someone steals your Yubikey, they will not be able to log in with just that.
✦ ❯ ssh-keygen -t ed25519-sk -f .ssh/id_ed25519_sk
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in .ssh/id_ed25519_sk
Your public key has been saved in .ssh/id_ed25519_sk.pub
The key fingerprint is:
SHA256:CoQKA0blJ8A1xOwri167mIDb7rHxr59TYwI25ChOZ4Y email@example.com
The key's randomart image is:
+[ED25519-SK 256]-+
|++*=             |
|o.o+o            |
|o +*..           |
|oE.*B            |
|+.+.oo  S        |
|.o . ...+        |
|+ =. .+ .        |
|o++=. ..         |
|o*=o+++.         |
+----[SHA256]-----+
Here we passed the type of the key using the -t flag, and the file to save the private key in using -f. I pasted the public key into the server's authorized_keys file, and then also configured the ssh client on my laptop to use that specified key via the ssh client configuration file:

Host kushaldas.in
    HostName kushaldas.in
    User kushal
    IdentityFile ~/.ssh/id_ed25519_sk
Finally we can log in via ssh.
✦ ❯ ssh kushaldas.in
Enter passphrase for key '/home/kdas/.ssh/id_ed25519_sk':
Confirm user presence for key ED25519-SK SHA256:CoQKA0blJ8A1xOwri167mIDb7rHxr59TYwI25ChOZ4Y
User presence confirmed
$
You will notice that after asking for the passphrase of the key, ssh asks you to touch the Yubikey to confirm user presence. You can read more in
If you fail to touch the Yubikey in time, you will get an error like:
sign_and_send_pubkey: signing failed for ED25519-SK "/home/kdas/.ssh/id_ed25519_sk": invalid format
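As an added check, not code from the original post: the script below classifies the entries of a server-side authorized_keys file and flags FIDO ("sk-") keys whose user-presence check has been switched off with the no-touch-required option, so the touch shown above cannot be silently bypassed. The sample entries and key blobs are constructed placeholders.

```sh
#!/bin/sh
# Audit an authorized_keys file for FIDO ("sk-") keys and report whether each
# entry still requires a touch. Sample input below is constructed; blobs are fake.
set -f  # no globbing while splitting lines into tokens
# Print "<keytype> <class> <presence>" for one authorized_keys line, where
# class is fido or classic and presence is required, not-required or n-a.
# Returns 1 for blank lines and comments.
classify_key_line() {
  line=$1
  case "$line" in
    ''|'#'*) return 1 ;;
  esac
  opts='' ktype=''
  for tok in $line; do
    case "$tok" in
      sk-*|ssh-*|ecdsa-*) ktype=$tok; break ;;
      *) opts="$opts $tok" ;;   # everything before the key type is options
    esac
  done
  [ -n "$ktype" ] || return 1
  case "$ktype" in
    sk-*)
      # FIDO keys ask for a touch unless the entry carries no-touch-required.
      case "$opts" in
        *no-touch-required*) presence=not-required ;;
        *) presence=required ;;
      esac
      echo "$ktype fido $presence" ;;
    *) echo "$ktype classic n-a" ;;
  esac
}
# Count FIDO entries in a file that have opted out of the touch.
count_no_touch() {
  n=0
  while IFS= read -r l || [ -n "$l" ]; do
    r=$(classify_key_line "$l") || continue
    case "$r" in *' fido not-required') n=$((n + 1)) ;; esac
  done < "$1"
  echo "$n"
}
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
ssh-ed25519 AAAAC3placeholder kushal@laptop
sk-ssh-ed25519@openssh.com AAAAGnNrplaceholder email@example.com
no-touch-required,restrict sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrplaceholder ci@example.com
EOF
count_no_touch "$SAMPLE"   # prints 1
rm -f "$SAMPLE"
```

Any non-zero count is worth reviewing, since that entry will authenticate without anyone touching the token.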