SSH Key type
Today I noticed by coincidence that ssh-keygen (recent versions of it, e.g. the one available on Fedora Silverblue 34) supports new ed25519-sk and ecdsa-sk key types.
Never having seen these before, I wondered what they were for…
It is explained e.g. on https://security.stackexchange.com/questions/240991/what-is-the-sk-ending-for-ssh-key-types, and in the chapter “FIDO/U2F Support” on https://www.openssh.com/txt/release-8.2.
This is very nice, as it greatly simplifies the much too complicated old way of using gpg-agent to SSH with a YubiKey.
I tried generating such a new type of SSH key with my YubiKey. At first it failed:
$ ssh-keygen -t ed25519-sk
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Key enrollment failed: requested feature not supported
This is apparently because the firmware on the particular YubiKey I had tested this with was too old. But using the other key type worked, even though it is considered less secure than ed25519-sk, which is ideally what is recommended (if you have a newer YubiKey):
$ ssh-keygen -t ecdsa-sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter file in which to save the key (/var/home/vorburger/.ssh/id_ecdsa_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /var/home/vorburger/.ssh/id_ecdsa_sk
Your public key has been saved in /var/home/vorburger/.ssh/id_ecdsa_sk.pub
The key fingerprint is:
SHA256:nwf4+ba...VM vorburger@silverblue
The key's randomart image is:
+-[ECDSA-SK 256]--+
(...)
+----[SHA256]-----+
Copying the generated .ssh/id_ecdsa_sk.pub (which starts with …) to another machine let me SSH to it, with the usual touch operation on the YubiKey to confirm.
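A server-side check that goes with the key types above, as an added example that is not from the original post: it tells FIDO-backed (sk-) keys apart from conventional ones in an authorized_keys file, using OpenSSH's real key-type names, so an admin can see which accepted keys require a touch on a YubiKey. The sample key lines are constructed (truncated base64, not real keys).

```shell
#!/bin/sh
# Added example, not from the original post. Classifies OpenSSH public keys
# by whether they are FIDO/U2F-backed ("-sk") types, e.g. to audit an
# authorized_keys file for keys that do not require a hardware touch.
# Key-type names are the real OpenSSH identifiers; sample lines are constructed.

# Print "sk" if the key type on the given line is a FIDO-backed type,
# "plain" for a conventional key type, "unknown" otherwise.
classify_key_line() {
    # authorized_keys lines may carry options (from=..., no-pty, ...) before
    # the key type, so take the first field that looks like a key type.
    for field in $1; do
        case "$field" in
            sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com)
                echo sk; return 0 ;;
            ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521)
                echo plain; return 0 ;;
        esac
    done
    echo unknown
}

# Count the keys in an authorized_keys file that are NOT hardware-backed,
# skipping blank and comment lines. Prints the count on stdout.
count_non_sk_keys() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        [ "$(classify_key_line "$line")" = sk ] || n=$((n + 1))
    done < "$1"
    echo "$n"
}

# Constructed sample lines (not real keys) used for demonstration and tests.
SAMPLE_SK='sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZA... user@laptop'
SAMPLE_PLAIN='from="10.0.0.0/8",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... backup@host'
SAMPLE_UNKNOWN='not-a-key-type AAAA...'

# Usage: write a constructed authorized_keys file and report non-sk keys.
demo_file=$(mktemp)
printf '# constructed sample\n%s\n%s\n\n%s\n' "$SAMPLE_SK" "$SAMPLE_PLAIN" "$SAMPLE_UNKNOWN" > "$demo_file"
echo "keys without hardware backing: $(count_non_sk_keys "$demo_file")"
rm -f "$demo_file"
```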