ssh-keygen and multiple resident keys on a FIDO device

David Härdeman david at
Mon Aug 9 00:10:54 AEST 2021

August 8, 2021 3:52 PM, "David Härdeman" <david at> wrote:
> I'm using a Yubikey 5 NFC key to store two resident keys at the moment, and using "ssh-keygen -K"
> to download them to a host is not a very ergonomic experience at the moment (I've tried with
> OpenSSH 8.4p1-5 in Debian Unstable, I've also read the changelogs of 8.5 and 8.6 but seen no hint
> that this behavior has changed in later versions).
> a) ssh-keygen -K wants to overwrite the first key with the second key rather than using an
> alternative path (or prompting the user to provide an alternative path)
> b) unless a custom application string has been set when the keys were created, it is not easy to
> distinguish the two keys that are downloaded from the security key and written to the current
> directory, it would perhaps be better if the pubkeys would include the username (passed with "-O
> user=foobar" when the keys were initially created) in the comment field?

Ok, now I've tested with two keys generated with different "-O application=" values ("-O application=ssh:userA", "-O application=ssh:userB"), and the user experience is much better.

Keys get written out with different suffixes and the userA/userB part gets included in the *.pub file comments. Perhaps this should be clarified in the man page...but I still think the "-O user=*" input should also be reflected in the files created by "ssh-keygen -K".

More information about the openssh-unix-dev mailing list