I managed to make this work today as described in the article, after installing and configuring the software dependencies.

Client-side hardware dependencies:

* USB token with U2F (FIDO) support. FIDO2 is optional. Any old YubiKey or similar will work.
* For the resident key feature only: USB token with FIDO2 support.
* To avoid confusion, only a single USB token should be connected when ssh-keygen is run. (When ssh is run, multiple USB tokens work: the user can touch the wrong one many times, and authentication succeeds after the user touches the right one.)
* ED25519 support in the token is optional. (`ssh-keygen -t ecdsa-sk ...` uses the NIST P-256 curve, which works with all U2F tokens.)

Client-side software dependencies:

* For communicating with the token over USB, OpenBSD or Linux with udev.
* OpenSSH 8.2p1 or later.
* OpenSSH client (ssh) compiled with `configure --with-security-key-builtin`. Without this, authentication will eventually fail locally with `internal security key support not enabled`. It's possible to work around this by compiling an .so file and specifying it with `ssh -o SecurityKeyProvider=....so`, but it's complicated.

Server-side software dependencies:

* OpenSSH 8.2p1 or later.
* Default OpenSSH server (sshd) settings (without PubkeyAcceptedKeyTypes), or PubkeyAcceptedKeyTypes in /etc/ssh/sshd_config containing sk-ecdsa-sha2-nistp256@openssh.com and (optionally, for ed25519-sk keys) sk-ssh-ed25519@openssh.com.
Also, if it doesn't work on your client system only because OpenSSH 8.2 was compiled without `configure --with-security-key-builtin', here is how to make it work: https://github.com/pts/external-sk-libfido2
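The server-side requirement above (default settings, or a PubkeyAcceptedKeyTypes list that names the sk-* types) can be checked against an sshd_config before rolling out FIDO keys. This is an added example, not code from the post or from OpenSSH; it assumes OpenSSH 8.2+ semantics, where the default list already contains the sk-* types and the `+`, `-` and `^` prefixes extend, trim or prepend that default, and it reads only the first occurrence of the keyword, as sshd does. The sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the post or OpenSSH): does CONFIG_FILE accept KEY_TYPE
# under its PubkeyAcceptedKeyTypes (or newer PubkeyAcceptedAlgorithms) setting?
# Assumes OpenSSH 8.2+: the default list includes sk-* types; "+"/"^" extend
# the default, "-" trims it, a bare list replaces it. Prints "yes" or "no".
sk_type_accepted() {
    cfg=$1; keytype=$2
    # First occurrence wins, as in sshd; accept "Key value" and "Key=value".
    value=$(awk '{ sub(/^[ \t]+/, "") }
                 /^#/ { next }
                 { split($0, f, "[ \t=]+"); k = tolower(f[1]) }
                 k == "pubkeyacceptedkeytypes" || k == "pubkeyacceptedalgorithms" { print f[2]; exit }' "$cfg")
    case $value in
        "" | "+"* | "^"*) echo yes; return ;;    # default list (possibly extended) already has sk-* types
        "-"*) list=${value#-}; default=yes ;;   # sk types are dropped only if named in the "-" list
        *)    list=$value;     default=no ;;    # explicit list: the type must be named (wildcards allowed)
    esac
    oldifs=$IFS; IFS=,; set -f                  # split on commas; no pathname expansion of patterns like sk-*
    hit=no
    for pat in $list; do
        case $keytype in $pat) hit=yes; break ;; esac
    done
    IFS=$oldifs; set +f
    if [ "$hit" = yes ]; then
        [ "$default" = yes ] && echo no || echo yes   # named in a "-" list: no; named in an explicit list: yes
    else
        echo "$default"
    fi
}

# Constructed sample configs (not taken from any real host).
tmp=$(mktemp -d)
printf '# option absent: sshd defaults apply\nPort 22\n'           > "$tmp/default.conf"
printf 'PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-512\n'           > "$tmp/legacy_only.conf"
printf '  PubkeyAcceptedKeyTypes=+sk-ecdsa-sha2-nistp256@openssh.com\n' > "$tmp/plus.conf"
printf 'PubkeyAcceptedKeyTypes -sk-*\n'                              > "$tmp/minus.conf"
printf 'PubkeyAcceptedKeyTypes sk-ecdsa-sha2-nistp256@openssh.com,sk-ssh-ed25519@openssh.com\n' > "$tmp/explicit.conf"

for f in default legacy_only plus minus explicit; do
    printf '%-12s %s\n' "$f" "$(sk_type_accepted "$tmp/$f.conf" sk-ecdsa-sha2-nistp256@openssh.com)"
done
```

Only the "legacy_only" and "minus" configs refuse the ecdsa-sk key type; the other three accept it.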