Secure your SSH key with a FIDO2 Authenticator

Requirements

* For unknown reason, Win32-OpenSSH up to V8.9.1.0p1-Beta won’t function correctly without running in Admin Mode.

In this tutorial, I am using a YubiKey 5C NFC as my FIDO2 Authenticator

You may create your key pair with the steps below:

Connect your FIDO2 Authenticator
Run command in Terminal to generate a discoverable key
1
ssh-keygen -t [key-type] -O resident -O application=ssh:YourFancyKeyNameHere -O verify-required
[key-type] could be either ecdsa-sk or ed25519-sk

-O application=ssh:YourFancyKeyNameHere names the resident key (optional)

-O verify-required will require the PIN for the FIDO2 Authenticator when authenticating with the SSH key generated (optional)

Add -O no-touch-required then you don’t need to touch your Authenticator (therefore skipping the user presence check)
SSH will prompt for the PIN and verify the user presence correspondingly if needed
Your public and private key will be then generated. Rename the private key to id_ecdsa_sk or id_ed25519_sk to make sure your system picks it up automatically.

You may safely carry your key pairs in your FIDO2 Authenticator to other devices.

On a new local machine, use steps below to setup key pairs:

Export key pair from FIDO2 Authenticator
1
ssh-keygen -K
SSH will prompt for PIN and/or user presence. Pay attention to your authenticator as on some systems there might be no literal indication when user presence is required.
Rename the private key to id_ecdsa_sk or id_ed25519_sk to make sure your system picks it up automatically.

There’s no difference from how you do it on other key types. Just append your public key to the end of ~/.ssh/authorized_keys, start on a new line.

With this you can securely install your private key on a untrusted system. And the exportable key feature makes it easier to carry your keys.

Download and install ykman.

1 2	./ykman fido credentials list # list all resident keys ./ykman fido credentials delete ABCDEFGHIJKLMN # delete key identified by ABCDEFGHIJKLMN