Using FIDO2 SSH with Nitrokey 3


I am interested in using the Nitrokey 3c NFC as a part of my workflow. That said, I am a bit confused about the FIDO2 SSH part.

The guide on the web, if I understand correctly, results in the key being generated on the Nitrokey itself, correct? This would mean, that there is no possible way of backing it up or at least copying it onto a second Nitrokey, which could just reside in a safe to protect one from losing access when the original one is lost.

Also how would one go about using the key for signing GIT commits or pushing them to Github?

What is the recommended workflow here?

Yes, correct. Be it either a “resident credential” or “non-resident credential”.

Site note: When generating i.e. an ed25519-sk key you have two choices: either as a “non-resident credential” or as “resident credential”.
With a “non-resident credential” you have to move the (so called) key handle file manually to each computer where you want to use your FIDO2 (non-resident) SSH credential.
With a “resident credential” on the other hand, you are able to export the key handle from the FIDO2 (using ssh-keygen -K), so the FIDO2 SSH Token can be used everywhere. Even this key handle “looks” like kind-of a private key, it is not private. A 3rd-party can get access to this file, but can not do anything with it as long as the 3rd-party also do not have your SK and maybe even your FIDO2 PIN.
For ease of use, I would personally prefer a “resident credential”.

But, nobody prevents you from using a second Nitrokey (or any other SK) and generate a second FIDO2 SSH Token, and adding this to authorized_keys, too. (Or going further an setup an SSH CA, and get a Certificate for your FIDO2 SSH Token(s)…)

Just configure this (FIDO2) SSH (Token) Key the same way as a “usual one”? See i.e.
Using an -sk key is no different then using other key types.

1 Like

The Nitrokey 3 also contains a OpenPGP application now that can also be used for the same usecases.

Not quite. Fido2 ssh tokens are not pgp auth keys which are not piv x509 certs which can also be used for ssh.
The OP asked about fido2 token.

Thank you for making things clear. I appreciate it!


Btw. If you reply directly to a post the post author gets notified… On a thread it’s not by default.