U2F support in OpenSSH HEAD

Damien Miller djm at mindrot.org
Fri Nov 15 16:10:32 AEDT 2019

On Fri, 15 Nov 2019, Damien Miller wrote:

> On Fri, 1 Nov 2019, Damien Miller wrote:
> > Hi,
> > 
> > As of this morning, OpenSSH now has experimental U2F/FIDO support, with
> > U2F being added as a new key type "sk-ecdsa-sha2-nistp256@openssh.com"
> > or "ecdsa-sk" for short (the "sk" stands for "security key").
> An update on this: I've just committed internal support for U2F/FIDO2
> security keys to OpenSSH. If ./configure can find a compatible libfido2
> then it will be used automatically, with no additional configuration
> required in OpenSSH tools. You should use libfido2 HEAD for now until
> they make their next release.
> Practically, this means that you can just run "ssh-keygen -t ecdsa-sk"
> and it will work without fiddling with middleware binaries, etc.
> Please give this a try - security key support is a substantial change and
> it really needs testing ahead of the next release.

One more note: you'll need to pass --with-security-key-builtin to
configure to enable the built-in security key support. If it finds
the libraries that it depends on then you should see something like:

         U2F/FIDO support: built-in

in configure's final summary.

