A common application of security keys is as a hardware-backed SSH key. I have lately been curious as to whether it would be possible to use one as an SSH host key. It seems like it should be straightforward enough; it's just another SSH key, after all. If it works as a client identity key, why wouldn't it work as a host key?
So I had a mess around with this, but haven't been able to get it to work. Using sudo ssh-keygen -t ed25519-sk -O no-touch-required (or with -O resident as well) just ends up with the connection being refused and the auth log showing sshd: no hostkeys available -- exiting.
I had a look at the source for OpenSSH, but after 10 minutes of digging I can find no indication of why it would consider this not to be an ED25519_SK key, which the code explicitly accepts as a host key.
If anyone has any ideas for what is going wrong or has better luck, I would love to hear the details.
(Posted in selfhosted because this is the most prominent community that talks about ssh I can find, somewhat unsurprisingly)
Yeah, the rough idea is to use any old FIDO2 key as a USB HSM. Not necessarily looking for a very practical solution (the easy fix would be to just encrypt the drive), but curious. What inspired this, though not necessarily the final application, is Nix secret distribution tools that use the host key as the secret recipient. This means that theoretically if you have the host identity tied to an external HSM or similar you could have the same image deploy as different machines based on what security key you have plugged in.
Fair enough;
Do a dry run for a CLIENT key: make sure you have the libfido2 middleware installed and working, and ensure you have set up your sshd_config properly with no-touch-required.
From the documentation: "Note: not all tokens support disabling the touch requirement." So do a test client-side before banging your head on it.
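As an added example (not from anyone in this thread), here is a small POSIX shell pre-flight check for the client-side dry run suggested above. There are two places where the touch requirement can be forced back on for a FIDO key: the authorized_keys entry, which must carry the no-touch-required option in front of the sk- key type, and sshd_config, where PubkeyAuthOptions touch-required overrides that option regardless of what the key entry says. The authorized_keys lines and the sshd -T dump below are constructed sample input, and the key blob is a placeholder rather than a real key.

```shell
#!/bin/sh
# Added example: offline pre-flight check for the no-touch-required client
# dry run. Nothing here touches a security key; it only inspects the text you
# would otherwise have to eyeball.

# Return 0 if an authorized_keys line is a FIDO key (ed25519-sk / ecdsa-sk)
# whose options field grants no-touch-required; 1 otherwise.
# Format is "[options] keytype base64 [comment]", options comma-separated.
ak_allows_no_touch() {
    # shellcheck disable=SC2086
    set -- $1
    case "$1" in
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com)
            return 1 ;;                 # sk key with no options: touch required
    esac
    opts="$1"; shift
    case "$1" in
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *) return 1 ;;                  # not a FIDO key at all
    esac
    case ",$opts," in
        *,no-touch-required,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the effective sshd configuration (text of `sshd -T`) does not
# set PubkeyAuthOptions touch-required, which would override the key option.
sshd_honours_no_touch() {
    printf '%s\n' "$1" | while read -r key rest; do
        [ "$key" = pubkeyauthoptions ] || continue
        case " $rest " in
            *" touch-required "*) exit 1 ;;
        esac
    done
}

# Both conditions must hold for the dry run to succeed without a touch.
preflight_ok() {
    ak_allows_no_touch "$1" && sshd_honours_no_touch "$2"
}

# Constructed sample input (placeholder blob, not a real key, not captured
# from a real host).
AK_OK='no-touch-required sk-ssh-ed25519@openssh.com AAAAplaceholderblob= me@laptop'
AK_TOUCH='sk-ssh-ed25519@openssh.com AAAAplaceholderblob= me@laptop'
AK_NOT_SK='no-touch-required ssh-ed25519 AAAAplaceholderblob= me@laptop'
SSHD_OK='pubkeyauthoptions none'
SSHD_ENFORCE='pubkeyauthoptions touch-required verify-required'

if preflight_ok "$AK_OK" "$SSHD_OK"; then
    echo "client dry run should not prompt for touch"
else
    echo "touch will still be required; check authorized_keys and PubkeyAuthOptions"
fi
```

To use it against a real machine, generate the test key with ssh-keygen -t ed25519-sk -O no-touch-required, feed the resulting authorized_keys line to ak_allows_no_touch, and feed the output of sudo sshd -T to sshd_honours_no_touch. If both pass and the token still demands a touch, you are in the "not all tokens support disabling the touch requirement" case from the documentation rather than a configuration problem.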
FYI, I got it working; please see the update above.
Got the client working (mostly) without issues again, though trying to imitate my process for host keys as closely as possible I did encounter some weirdness that led me to this open bug: https://bugzilla.mindrot.org/show_bug.cgi?id=3355 So that may be the source of my issues… If the keys I was using suddenly were secretly requiring touch, it would explain a lot. I can't right now, but I will do another experiment with host keys when I can. Still would love to see if anyone else is able to reproduce this behaviour or get it working.
I have previously had no issues using this as a client key, but honestly I wouldn't put it past myself to have picked the wrong key and not noticed. Maybe I will give it another try, but I don't think that's it.