U2F support in OpenSSH HEAD

Damien Miller djm at mindrot.org
Fri Nov 15 10:26:33 AEDT 2019

On Fri, 1 Nov 2019, Damien Miller wrote:

> Hi,
> As of this morning, OpenSSH now has experimental U2F/FIDO support, with
> U2F being added as a new key type "sk-ecdsa-sha2-nistp256 at openssh.com"
> or "ecdsa-sk" for short (the "sk" stands for "security key").

An update on this: I've just committed internal support for U2F/FIDO2
security keys to OpenSSH. If ./configure can find a compatible libfido2
then it will be used automatically, with no additional configuration
required in OpenSSH tools. You should use libfido2 HEAD for now until
they make their next release.

Practically, this means that you can just run "ssh-keygen -t ecdsa-sk"
and it will work without fiddling with middleware binaries, etc.

Please give this a try - security key support is a substantial change and
it really needs testing ahead of the next release.


More information about the openssh-unix-dev mailing list