OpenSSH support for FIDO RSA keys

James Bottomley James.Bottomley at
Thu Aug 26 04:26:40 AEST 2021

On Thu, 2021-08-19 at 11:25 +0200, Jan Schermer wrote:
> Hello,
> I would like to deploy FIDO for SSH. I wanted to leverage Windows
> Hello on Windows clients as FIDO backend (so that I don’t have to buy
> hw tokens for everyone and for convenience), but evidently my TPM
> flavor doesn’t support ECDSA, only RSA.

This likely means you have TPM 1.2

> Would it be possible to extend OpenSSH support to include “rsa-sk”
> keys?
> Not sure what the process is, but could development of it be
> sponsored?

The FIDO standard requires ECDSA keys (mainly, I suspect, because some
of the space constraints in the protocol are too small for RSA) so I
don't believe, even if you hacked the standard to support RSA keys,
that it would work in practice.

I'd strongly suggest you find a TPM 2.0 system, or simply use a FIDO
token via a non-TPM emulator to get ECDSA keys.


More information about the openssh-unix-dev mailing list