HOWTO: Key Creation / SSH / FIDO2

Nitrokeys FIDO2 / Nitrokey 3
1

HOWTO: KEY CREATION / SSH / FIDO2

Make sure nitropy works as intended. If that is the case yo can use the following script with key-name as only argument:

#!/usr/bin/env bash
set -uo pipefail
name="$1"
ssh-keygen \
    -t ed25519-sk \
    -O resident \
    -O verify-required \
    -O "application=ssh:$name" \
    -f "$HOME/.ssh/id_ed25519_sk_nk3_$name" \
    -C "nk3_$name"
  • omit resident if you do not want to have the “key stub” stored on the nitrokey - this is more secure but less convenient as you can not use ssh-keygen -K to create a local copy of the stub.
  • you can symlink the 2 created files to id_ed25519_sk/id_ed25519_sk.pub, use ssh with the -i flag or use IdentityFile ~/.ssh/id_ed25519_sk_nk3_<name> in ~/.ssh/config
  • to check the correct creation of the slot on the stick call nitropy fido2 list-credentials
1 Like
2

Thanks for the example.
I have a question for the developers, about the user field in the list of ssh resident keys?

I generate key it like this:
ssh-keygen -t ed25519-sk -C test@mykey -O resident -O application=ssh:test.dev -O user=testnet

Now it is always in the openssh value:

dzp8d _06-26_10-30-58
dzp8d _06-26_10-30-582858×840 189 KB

I read the man page for ssh-keygen (FIDO AUTHENTICATOR section) and there is a user parameter:

user    A username to be associated with a resident key, overriding the empty default username. 
        Specifying a username may be useful when generating multiple resident keys for the same application name.

But it is not transmitted and does not overwrite the default value. Is this intended or a bug? or did I misunderstand something?

1 Like