Using ssh-keygen to Create FIDO2/SK Keys for Access to OpenSSH Linux Servers
The article shows the relevant options of the ssh-keygen command (e.g. -O verify-required) to create FIDO2/Yubikey keys to log in to a Linux account via ZOC Terminal or OpenSSH.
Table of Contents
- Introduction
- Prerequisites
- Commandline Tools and Platform Issues
- Creating an OpenSSH SK/FIDO2 Key using Commandline Tools
- Why ZOC Terminal is an Excellent Alternative for these Tasks Compared to PuTTY
Introduction
Since OpenSSH version 8.3, SSH servers support public/private key logins based on FIDO2 hardware keys like the Yubikey 5-NFC or Yubikey BIO (FIDO).
This article will show how to use the ssh-keygen command to create a FIDO2/Yubikey based key pair. It will also discuss platform issues that may arise with the use of the ssh-keygen command on macOS and Windows.
Prerequisites
Obviously you will need a FIDO2-compatible hardware token, and the token will need to be enabled for use with the FIDO protocol. For brevity we will use the popular Yubikeys as an example, but the procedure will be similar for other brands.
If you have not decided on a brand yet, a Yubikey 5 NFC is a good starting point. Choose the USB-A or USB-C model, depending on which type of port is most readily available and within easy reach on your computer. Consider that you will need to physically see and touch the key often. Plugging it into the back of a PC under your desk will therefore not be ideal.
If you have a Yubikey but have not initialized it yet, you need to prepare the Yubikey for use with the FIDO2 protocol. In most cases this only requires you to configure a PIN that protects the key, but for some models, like the Yubikey BIO, you will also register your fingerprint:
- Download either Yubikey-Authenticator or Yubikey-Manager and install it.
- Start the Yubikey-Authenticator or Yubikey-Manager (under Windows you will need to start it via right-click→Run as Administrator).
- Depending on the type of key, select Applications→FIDO and set a PIN (or even a fingerprint).
Commandline Tools and Platform Issues
The standard way to create a key for Linux login is the OpenSSH commandline tool ssh-keygen.
However, depending on the operating system, the question of whether the program actually supports FIDO keys (or in OpenSSH parlance, whether it has sk-support) has turned into a little mess.
macOS
The ssh-keygen tool that comes preinstalled with macOS does not support FIDO2 keys. This means that you will need a special build. You can do a Homebrew build of OpenSSH and use the ssh-keygen from that (see this article). Alternately, if you have ZOC Terminal installed, ZOC v9 offers a version of ssh-keygen which includes sk-support. In that case use /Applications/zoc9.app/Contents/MacOS/zoc-ssh-keygen instead of ssh-keygen (alternately ZOC also offers a GUI version where you can create such keys from an SSH Key-Generation Window).
Windows
Under Windows, the FIDO2 (Windows Hello) system does not support some of the functions that are required to properly run ssh-keygen.
The Microsoft implementation of ssh-keygen under Windows 10/11 tried to work around some of these limitations in a half-baked way, which may create unexpected results. However, if you have ZOC Terminal installed, ZOC offers an ssh-keygen version that works around the Windows Hello limitations in a more obvious way. In that case, use C:\Program Files\ZOC9\zoc-ssh-keygen.exe instead of just ssh-keygen.
Alternately ZOC also offers a GUI version where you can create such keys from an SSH Key-Generation Window.
Unfortunately some limitations lie within the Windows platform's implementation of FIDO. For example, the ssh-keygen -K command to rebuild resident keys will not work under Windows. Likewise, when creating a resident key, Windows cannot check for its existence in order to avoid accidentally overwriting the key.
Linux
Under Linux you will need an OpenSSH build that includes sk-support, which is the case for pretty much all major Linux distributions.
Creating an OpenSSH SK/FIDO2 Key using Commandline Tools
The simplest way to create an OpenSSH key file that is based on a FIDO2 token such as a Yubikey is:
ssh-keygen -t ecdsa-sk
or alternately use the ZOC variants mentioned above:
macOS: /Applications/zoc9.app/Contents/MacOS/zoc-ssh-keygen -t ecdsa-sk
Windows: C:\Program Files\ZOC9\zoc-ssh-keygen.exe -t ecdsa-sk
This will generate a non-resident, non-verify-required key with the application ssh: and no user_id (see below for these options).
Commandline Parameters for 'ssh-keygen'
You can also apply additional parameters:
- -O verify-required (using the key will require entry of the PIN)
- -O no-touch-required (the key will not need to be touched when used -- not supported under Windows)
- -O application=ssh:<application> (supply a string to indicate what the key is used for and to tell it apart from other keys, especially resident keys)
- -O user=<user_id> (supply a user_id associated with the key, instead of the "openssh" default)
- -O resident (create a key that resides on, and can be recreated from, the token)
- -C "Your Comment" (add a comment to the public key file)
For example, to create a key that resides on the token and requires PIN entry and touch when used, the command would be:
ssh-keygen -t ecdsa-sk -O resident -O verify-required -O application=ssh:myserver -C "FIDO key for myserver with verify-required"
On macOS and Linux the generated key files will be placed in your ~/.ssh folder. Under Windows, you may have to copy them to the SSH folder of your SSH client application. For example, in the case of ZOC Terminal, you need to copy them to your Documents→ZOC9 Files→ssh folder.
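As an added example (not code from the article or from ZOC), the following Python parses a .pub or authorized_keys line and shows that the string given with -O application= is baked into the public key itself, which lets a server administrator audit which authorized_keys entries are FIDO2-backed and for which application they were created. The sample key line is constructed with all-zero placeholder key material, so it runs offline.

```python
import base64
import struct

# OpenSSH key types backed by a FIDO2/U2F token ("sk" = security key)
SK_TYPES = {"sk-ecdsa-sha2-nistp256@openssh.com", "sk-ssh-ed25519@openssh.com"}

def _read_string(blob, off):
    """Read one SSH wire-format string (uint32 length + bytes) at offset off."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_pubkey_line(line):
    """Parse a .pub / authorized_keys line: is it an sk key, and which
    application string (-O application=...) is baked into the key?"""
    parts = line.strip().split(None, 3)
    options = ""
    if parts and not parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
        options, parts = parts[0], parts[1:]  # leading authorized_keys options (unquoted only)
    if len(parts) < 2:
        raise ValueError("not a public key line")
    keytype, b64, comment = parts[0], parts[1], " ".join(parts[2:])
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != keytype:
        raise ValueError("key type in text does not match key blob")
    info = {"type": keytype, "options": options, "comment": comment,
            "is_sk": keytype in SK_TYPES, "application": None}
    if keytype == "sk-ecdsa-sha2-nistp256@openssh.com":
        _curve, off = _read_string(blob, off)   # b"nistp256"
        _point, off = _read_string(blob, off)   # uncompressed EC point
        info["application"] = _read_string(blob, off)[0].decode()
    elif keytype == "sk-ssh-ed25519@openssh.com":
        _pk, off = _read_string(blob, off)      # 32-byte Ed25519 public key
        info["application"] = _read_string(blob, off)[0].decode()
    return info

def build_sample_sk_pubkey(application, comment, ed25519=False):
    """Construct a sample sk public-key line for offline testing; the key
    material is an all-zero placeholder, not a real key."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    if ed25519:
        keytype, body = b"sk-ssh-ed25519@openssh.com", s(b"\x00" * 32)
    else:
        keytype = b"sk-ecdsa-sha2-nistp256@openssh.com"
        body = s(b"nistp256") + s(b"\x04" + b"\x00" * 64)
    blob = s(keytype) + body + s(application.encode())
    return f"{keytype.decode()} {base64.b64encode(blob).decode()} {comment}".rstrip()
```

Whether PIN entry or touch is required is not recorded in the public key; on the server that policy is set per key with the verify-required and no-touch-required options in authorized_keys (see sshd(8)).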
Why ZOC Terminal is an Excellent Alternative for these Tasks Compared to PuTTY
The above keys can be used with a free SSH client like PuTTY as well, but as you saw, ZOC Terminal provides enhanced versions of ssh-keygen that will work under difficult circumstances.
And while PuTTY is a reasonable choice to access Linux shells every now and then, ZOC Terminal is designed for ease of use and effectiveness day in and day out. It offers impressive features that save you a lot of time when performing routine tasks.
For example, as you see in another article (SSH Key-Generation Window), creating the key-pair and obtaining the public key takes only a matter of seconds (about 10 mouse clicks).
Connecting to your Linux system through the Quick Connect window is also very easy. If you log off and then realize you forgot something and want to connect again, you can simply press Alt+R in the disconnected tab. Alternatively, go to the Quick Connection window again and click Connect, so you are reconnected with just two mouse clicks.
For file uploads, you can upload files to your server merely by dragging them from the desktop into the ZOC terminal area.
If you are building multiple instances, you can save them from the Quick Connection window to the Host Directory. From there, you can even connect to multiple instances at once (each will then open in a separate tab).
These are just a few examples that demonstrate how using a professional ssh client like ZOC can save valuable time compared to free tools like PuTTY (which admittedly does cover the essentials quite well).
Conclusion: Using ZOC Terminal to perform routine terminal tasks with ease saves time, and it is also more fun!