Recently OpenSSH released a new build with FIDO support, so I decided to give it a try as an owner of a YubiKey NEO and a YubiKey 4.
Sadly, when I tried it for the first time after the release I couldn't make it work, because the libfido2 library wasn't bundled and had to be compiled from source. I had a lot of issues trying to build it myself on macOS, so I gave up after seeing that the Homebrew team was already working on a solution with bundled
A week has passed and it was finally done, so I decided to give it another try: https://github.com/Homebrew/homebrew-core/commit/e19d50dcd21ab60442730da680f85b3f5fb24292
OpenSSH with FIDO support was released for Homebrew (with bundled and built libfido2), allowing for an easy install on macOS.
Setup was really easy:
- brew install openssh
- echo 'export PATH=/usr/local/bin:$PATH' >> ~/.bashrc (switches to the brew-installed openssh instead of the system-bundled one)
- connect your FIDO key to a USB port
- ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
- it will ask you to touch your key, please do
- you're all set!
Remember to generate a second, separate SSH key for your secondary (backup) FIDO key. Your FIDO key will have to be inserted whenever you want to use your SSH key.
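Since the PATH step above is what decides whether you get the Homebrew build or the older system ssh, the first thing worth checking is which binary is active and whether it is new enough for the sk key types. The following POSIX shell script is an added example written for this post, not part of the original or of the OpenSSH project. It parses the banner that ssh -V prints (FIDO/U2F key types arrived in OpenSSH 8.2), and it inspects .pub files to tell hardware-backed keys (sk-ecdsa-sha2-nistp256@openssh.com / sk-ssh-ed25519@openssh.com) from ordinary ones, which is handy for confirming that both the primary and the backup key were actually enrolled on a token. The banner strings in the comments are constructed samples, and the --check entry point is a name chosen here.

```shell
#!/bin/sh
# Added example: sanity checks for an OpenSSH FIDO/U2F setup on macOS.
# Nothing here talks to the token; it only inspects version output and
# public key files, so it is safe to run anywhere.

# Extract "MAJOR MINOR" from an ssh -V banner.
# Constructed sample input: "OpenSSH_8.2p1, LibreSSL 2.8.3"  ->  "8 2"
ssh_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Return 0 when the banner describes OpenSSH 8.2 or newer, the first
# release that understands -t ecdsa-sk / -t ed25519-sk. Unparseable
# banners (e.g. a non-OpenSSH client) are treated as unsupported.
ssh_supports_sk() {
  set -- $(ssh_version_from_banner "$1")
  [ -n "$1" ] || return 1
  [ "$1" -gt 8 ] || { [ "$1" -eq 8 ] && [ "$2" -ge 2 ]; }
}

# Return 0 when a public key line uses one of the two hardware-backed
# key types; the key type is the first whitespace-separated field.
pubkey_is_sk() {
  case "$1" in
    "sk-ecdsa-sha2-nistp256@openssh.com "*|"sk-ssh-ed25519@openssh.com "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Report which ssh is on PATH, whether it can use sk keys, and which of
# the local public keys are token-backed. Returns 1 if ssh is too old,
# so it can be used as a pre-flight check in a shell profile or script.
check_local_ssh() {
  banner=$(ssh -V 2>&1)   # ssh prints its version on stderr
  printf 'ssh binary: %s\n' "$(command -v ssh)"
  printf 'version:    %s\n' "$banner"
  if ssh_supports_sk "$banner"; then
    echo "FIDO/U2F key types (ecdsa-sk, ed25519-sk) are available"
  else
    echo "ssh is too old for sk keys; OpenSSH 8.2 or later is required"
    return 1
  fi
  for f in "$HOME"/.ssh/*.pub; do
    [ -f "$f" ] || continue
    if pubkey_is_sk "$(cat "$f")"; then
      echo "hardware-backed key: $f"
    else
      echo "software key:        $f"
    fi
  done
}

# Run the live check only when invoked as: sh sk-check.sh --check
if [ "${1:-}" = "--check" ]; then
  check_local_ssh
fi
```

One caveat on the ed25519-sk attempt later in this post: that key type needs a FIDO2 (CTAP2) authenticator that can enroll Ed25519 credentials, while U2F-only tokens such as the YubiKey NEO and YubiKey 4 can only enroll ecdsa-sk. The version check above therefore tells you what the client supports, not what the token in the USB port supports.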
I've also decided to give the second newly added format, ed25519-sk, a try:
➜ ~ ssh-keygen -t ed25519-sk -f ~/.ssh/ed25519_sk
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Key enrollment failed: invalid format
As you can see, it failed with an invalid format error during key generation.
Not sure what it means, but it seems that OpenSSH FIDO support is not stable and mature enough yet, and its current use cases are very limited (for me, GitHub and GitLab support is the most important). The separate certificate format will also increase the time needed for adoption.
I'm going to give it another try in the future, for sure, but I'm leaving it for now and waiting for more adoption.