SSH YubiKey guide
SSH Key type ed25519-sk (and ecdsa-sk)⌗
Today I noticed by coincidence that (recent versions of;
e.g. the one available on Fedora Silverblue 34) ssh-keygen
have ed25519-sk (and ecdsa-sk) key types (-t).
Never having seen these before, I wondered what they were for…
It is explained e.g. on https://security.stackexchange.com/questions/240991/what-is-the-sk-ending-for-ssh-key-types, and in the chapter “FIDO/U2F Support” on https://www.openssh.com/txt/release-8.2.
This is very nice, as it much simplifies the much too complicated old ways of using gpg-agent to SSH with a YubiKey.
I tried generating such a new type of SSH key with my YubiKey. At first it failed:
$ ssh-keygen -t ed25519-sk
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Key enrollment failed: requested feature not supported
This is apparently because the Firmware on the particular YubiKey I had tested this with was too old. But using the other key type worked, even less secure and ideally recommended (if you have a newer YubiKey):
$ ssh-keygen -t ecdsa-sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter file in which to save the key (/var/home/vorburger/.ssh/id_ecdsa_sk):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /var/home/vorburger/.ssh/id_ecdsa_sk
Your public key has been saved in /var/home/vorburger/.ssh/id_ecdsa_sk.pub
The key fingerprint is: SHA256:nwf4+ba...VM vorburger@silverblue
The key's randomart image is:
+-[ECDSA-SK 256]--+
(...)
+----[SHA256]-----+
Copying the generated .ssh/id_ecdsa_sk.pub (which starts with sk-ecdsa-sha2-nistp256@openssh.com)
to another a machine let me SSH to it, with the usual touch operation on the YubiKey to confirm.
The ecdsa-sk have only 192 Key Length, which according e.g. this or this is too short, also this recommends against ecdsa in general.
These keys also work on GitHub! (Since May 2021, see yubico’s announcement, GitHub’s blog, GitHub’s doc.)