Recently OpenSSH released a new build with FIDO support, so I decided to give it a try as an owner of a YubiKey NEO and a YubiKey 4.

Sadly, when I tried it for the first time after the release I couldn’t make it work, because the libfido2 library wasn’t bundled and had to be compiled from source. I had a lot of issues trying to build it myself on macOS, so I gave up after seeing that the Homebrew team was already working on a formula with bundled libfido2.

A week passed and... it was finally done, so I decided to give it another try: https://github.com/Homebrew/homebrew-core/commit/e19d50dcd21ab60442730da680f85b3f5fb24292

OpenSSH with FIDO support was released for Homebrew (with libfido2 built and bundled), allowing an easy install on macOS.

Setup was really easy:

  1. run brew install openssh
  2. run echo 'export PATH=/usr/local/bin:$PATH' >> ~/.bashrc (so the brew-installed openssh is used instead of the system-bundled one)
  3. connect your FIDO key to USB port
  4. run ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
  5. it will ask you to touch your key; do so
  6. you’re all set!

Remember to generate a separate SSH key for your secondary (backup) FIDO key. Your FIDO key will have to be plugged in whenever you want to use your SSH key.
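Step 2 is where this setup most often goes wrong: if the system /usr/bin/ssh is still first in PATH, ssh-keygen will not know the sk key types. The following pre-flight script is an added example, not part of the original post; it checks that the ssh found in PATH is the Homebrew build (the /opt/homebrew prefix for Apple Silicon is an assumption beyond the post's /usr/local) and that it advertises both FIDO key types before you run the ssh-keygen step.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): pre-flight checks before
# enrolling a FIDO-backed SSH key. Homebrew prefixes are assumptions.

# Returns 0 when the given "ssh -Q key" output lists both FIDO key types
# introduced with OpenSSH 8.2 (the *-sk types from the post).
sk_types_supported() {
    printf '%s\n' "$1" | grep -qxF 'sk-ecdsa-sha2-nistp256@openssh.com' &&
    printf '%s\n' "$1" | grep -qxF 'sk-ssh-ed25519@openssh.com'
}

# Returns 0 when the resolved ssh binary lives under a Homebrew prefix
# (/usr/local on Intel, /opt/homebrew on Apple Silicon, assumed here);
# the system binary that lacks FIDO support is /usr/bin/ssh.
is_brew_ssh() {
    case "$1" in
        /usr/local/bin/ssh|/opt/homebrew/bin/ssh) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the key type (first token) of an OpenSSH public key line, so a
# freshly enrolled key can be confirmed to be hardware-backed (sk-*).
pubkey_type() {
    printf '%s\n' "$1" | cut -d' ' -f1
}

main() {
    ssh_path=$(command -v ssh)
    if ! is_brew_ssh "$ssh_path"; then
        echo "ssh resolves to $ssh_path, not the Homebrew build; fix PATH first" >&2
        return 1
    fi
    if ! sk_types_supported "$(ssh -Q key 2>/dev/null)"; then
        echo "$ssh_path does not advertise sk-* key types; FIDO keys unavailable" >&2
        return 1
    fi
    echo "ok: $ssh_path supports FIDO (sk-*) key types; run ssh-keygen -t ecdsa-sk"
}

# Only run the live checks when invoked with --check, so the functions can
# also be sourced and exercised against captured output.
if [ "${1:-}" = "--check" ]; then
    main "$@"
fi
```

After enrolling, `pubkey_type "$(cat ~/.ssh/id_ecdsa_sk.pub)"` should print sk-ecdsa-sha2-nistp256@openssh.com; a plain ecdsa-sha2-nistp256 means the key is not bound to the authenticator.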

To my surprise, it turned out that the ecdsa-sk key format is not yet supported by either GitHub.com or GitLab.com.

I also decided to give the second newly added format, ed25519-sk, a try:

➜  ~ ssh-keygen -t ed25519-sk -f ~/.ssh/ed25519_sk
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
Key enrollment failed: invalid format

As you can see, it failed with an “invalid format” error during key generation.

I’m not sure what it means, but it seems that OpenSSH FIDO support is not stable and mature enough yet and its current use cases are very limited (for me, GitHub and GitLab support is the most important). A separate certificate format will also increase the time needed for adoption.

I’m definitely going to give it another try in the future, but I’m leaving it for now and waiting for more adoption.