Create ssh secret key

T.L.7Gadi · January 11, 2024, 7:16pm

Hello!
I read about creating a ssh key directly on a hardware key like
described Generating a new SSH key and adding it to the ssh-agent - GitHub Enterprise Cloud Docs.

Did anyone successfully run this line
ssh-keygen -t ed25519 -C "your_email@example.com"
?
For me this is not working.

I get

You may need to touch your authenticator to authorize key generation.
No FIDO SecurityKeyProvider specified
Key enrollment failed: invalid format

The key is not blinking either.
regards
T.L.

monwarez · January 12, 2024, 9:21am

Last time I did it, I opted to use a resident keys since it wasn’t working with non discoverable credential.

ssh-keygen -t ed25519-sk -O resident

This allow you with the knowledge of the pin and the key to use it on any computer without having to transfer any files.

T.L.7Gadi · October 31, 2024, 5:04pm

Hello @monwarez
Thanks!

So If I use the resident option the key file is stored entirely on the nk3?
So I can’t use this for an application where I have to post the public key part?

Regards

T.L.

monwarez · November 3, 2024, 7:59pm

With the resident option, a part of the key can be retrieved later on.

On the system where you generated the key, you will have the public key and a part of the private key. The other part is stored inside the hardware key.

When you use another computer, you can retrieve the previous part of the private key and the public key.

See OpenSSH Release logs: https://www.openssh.com/txt/release-8.2

FIDO/U2F OpenSSH keys consist of two parts: a “key handle” part stored
in the private key file on disk, and a per-device private key that is
unique to each FIDO/U2F token and that cannot be exported from the
token hardware. These are combined by the hardware at authentication
time to derive the real key that is used to sign authentication
challenges.

For tokens that are required to move between computers, it can be
cumbersome to have to move the private key file first. To avoid this
requirement, tokens implementing the newer FIDO2 standard support
“resident keys”, where it is possible to effectively retrieve the key
handle part of the key from the hardware.

OpenSSH supports this feature, allowing resident keys to be generated
using the ssh-keygen(1) “-O resident” flag. This will produce a
public/private key pair as usual, but it will be possible to retrieve
the private key part from the token later. This may be done using
“ssh-keygen -K”, which will download all available resident keys from
the tokens attached to the host and write public/private key files
for them. It is also possible to download and add resident keys
directly to ssh-agent(1) without writing files to the file-system
using “ssh-add -K”.

nku · November 3, 2024, 8:08pm

I treat FIDO2 ssh keys as temporary keys for day to day use that I recreate when I have a new workstation. As you can add multiple keys to authorized keys file I have a backup in place to exchange the ssh keys if required.