Since about 2020 I’ve been happily using a pair of YubiKey 5C NFCs. It’s a nice security addition to have FIDO2 on some websites (unfortunately, some websites still don’t provide proper support).

In the meantime, I discovered that OpenSSH 8.2 introduced FIDO/U2F support. This basically means that you can now store your SSH private key inside your YubiKey (called resident key) and authenticate with it.

• the private key can’t be extracted from your YubiKey
• due to the previous point, you can’t have multiple YubiKeys with the same private key

⚠️ The private key can’t be extracted from your YubiKey. Meaning that you can’t share the same key with another device.

OK, with that in mind, let’s see how this all works. The process is really simple and shouldn’t take much time to finish.

🗒️ This is supposed to work with YubiKeys, your experience may be different with other FIDO keys.

Change your PIN

This is an important step, you should probably setup a PIN before anything. You can easily install the YubiKey Manager tool with Nix by running:

$ nix shell nixpkgs#yubikey-manager

Generate SSH Key

Considering that your YubiKey is still plugged, run the command below to create your private key and public key. Before you run it, you should consider two things first:

• doing it on an offline machine, probably using Tails
• creating a regular key and storing it somewhere safe and offline (in case you lose your YubiKeys)

Now that you thought about the previous points, you can run the command. 😜

$ ssh-keygen -t ed25519-sk -O resident

This will guide you through a regular SSH key generation where you can set where the public key will be saved and the private key’s password. After this step, you should have your public key on disk and you can add it to your OpenSSH authentication agent with:

$ ssh-add -K
# list your keys
$ ssh-add -L