Nitrokey as 2FA for openssh 8.2 remote login


I’d like to use a Nitrokey FIDO2 as a 2FA for a remote ssh login. According to the new openssh 8.2 specification:

FIDO/U2F OpenSSH keys consist of two parts: a “key handle” part stored in the private key file on disk, and a per-device private key that is unique to each FIDO/U2F token and that cannot be exported from the token hardware.

So the stick should support the feature to store resident keys in order to save the “key handle”; otherwise it’d have to be copied to each client, right? Does the Nitrokey FIDO2 support it?

Another useful feature from the specification:

ssh-keygen(1): add a “no-touch-required” option when generating FIDO-hosted keys, that disables their default behaviour of requiring a physical touch/tap on the token during authentication.

Does the Nitrokey FIDO2 support this?

Kind Regards
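
To make the two parts concrete, here is an added example (not code from the thread, from Nitrokey or from OpenSSH) that unpacks an OpenSSH `sk-*` public key into the key material and the application string, reads the flags byte of an sk signature blob to tell whether the token reported a touch, and builds the `authorized_keys` entry that lets sshd accept signatures from a `no-touch-required` key. Field layouts follow OpenSSH's PROTOCOL.u2f as I understand it; the sample key, signature and counter are constructed placeholders, not a real token's output.

```python
import base64
import struct

SK_ECDSA = "sk-ecdsa-sha2-nistp256@openssh.com"
SK_ED25519 = "sk-ssh-ed25519@openssh.com"
# Flag bits in the sk signature blob (assumed from OpenSSH's PROTOCOL.u2f).
FLAG_USER_PRESENCE = 0x01      # token was physically touched
FLAG_USER_VERIFICATION = 0x04  # PIN/biometric check was performed

def _s(b: bytes) -> bytes:
    """Encode an SSH 'string': big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(b)) + b

class Reader:
    """Sequential reader for SSH wire-format fields."""
    def __init__(self, blob: bytes):
        self.blob, self.pos = blob, 0
    def string(self) -> bytes:
        (n,) = struct.unpack_from(">I", self.blob, self.pos)
        self.pos += 4
        v = self.blob[self.pos:self.pos + n]
        self.pos += n
        return v
    def byte(self) -> int:
        v = self.blob[self.pos]; self.pos += 1; return v
    def uint32(self) -> int:
        (v,) = struct.unpack_from(">I", self.blob, self.pos); self.pos += 4; return v

def parse_sk_pubkey(line: str) -> dict:
    """Split one sk-* public key line into type, curve, public point and application."""
    ktype, b64 = line.split()[:2]
    r = Reader(base64.b64decode(b64))
    if r.string().decode() != ktype:
        raise ValueError("key type in blob does not match line prefix")
    if ktype == SK_ECDSA:
        curve, point = r.string().decode(), r.string()
    elif ktype == SK_ED25519:
        curve, point = "ed25519", r.string()
    else:
        raise ValueError("not an sk key: " + ktype)
    return {"type": ktype, "curve": curve, "point": point, "application": r.string().decode()}

def parse_sk_signature(blob: bytes) -> dict:
    """Read the flags and counter the token attached to an sk signature."""
    r = Reader(blob)
    ktype, _sig, flags, counter = r.string().decode(), r.string(), r.byte(), r.uint32()
    return {"type": ktype, "touched": bool(flags & FLAG_USER_PRESENCE),
            "verified": bool(flags & FLAG_USER_VERIFICATION), "counter": counter}

def authorized_keys_line(pubkey_line: str, no_touch: bool = False) -> str:
    """sshd accepts sk signatures lacking the user-presence flag only for keys marked no-touch-required."""
    return ("no-touch-required " if no_touch else "") + pubkey_line

# Constructed sample: a placeholder 65-byte uncompressed P-256 point, application "ssh:".
SAMPLE_POINT = b"\x04" + bytes(range(64))
SAMPLE_BLOB = _s(SK_ECDSA.encode()) + _s(b"nistp256") + _s(SAMPLE_POINT) + _s(b"ssh:")
SAMPLE_LINE = SK_ECDSA + " " + base64.b64encode(SAMPLE_BLOB).decode() + " nitrokey-demo"
# Constructed signature blob: placeholder r/s, no touch flag, counter 7 (what a no-touch key yields).
SAMPLE_SIG = _s(SK_ECDSA.encode()) + _s(_s(b"\x01") + _s(b"\x02")) + bytes([0x00]) + struct.pack(">I", 7)
```

The counter read by `parse_sk_signature` is what sshd compares against the last seen value to detect a cloned token.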


We haven’t tested this new feature of OpenSSH ourselves yet, but yes, in general this should work just fine with the FIDO2.

Kind regards

AFAIK OpenSSH requires certain features of FIDO2 devices which we don’t support yet and which will most likely be introduced in the next firmware update. But we haven’t tested it yet.