A common application of security keys is as a hardware-backed SSH key. I have lately been curious as to whether it would be possible to use one as an SSH host key. It seems like it should be straightforward enough, it’s just another SSH key after all, if it works as a client identity key, why wouldn’t it work as a host key?

So I had a mess around with this, but haven’t been able to get it to work. Using sudo ssh-keygen -t ed25519-sk -O no-touch-required (or with -O resident as well) just ends up with the connection being refused and the auth log showing sshd: no hostkeys available -- exiting.

I had a look at the source for OpenSSH, but after 10 minutes of digging can find no indication of why it would cosider this to not be an ED25519_SK key, which the code explicitly accepts as a host key.

If anyone has any ideas for what is going wrong or has better luck, I would love to hear the details.

(Posted in selfhosted because this is the most prominent community that talks about ssh I can find, somewhat unsurprisingly)

  • xylogx@lemmy.worldEnglish
    0·
    4 days ago

    What type of key do you have. Yubikey 5 supports multiple protocols including some you can use with SSH:

    • Multi-protocol: YubiKey 5 Series is the most versatile security key supporting multiple authentication protocols including FIDO2/WebAuthn (hardware bound passkey), FIDO U2F, Yubico OTP, OATH-TOTP, OATH-HOTP, Smart card (PIV) and OpenPGP.

    SSH would need to implement webauthn to support FIDO.

    • xylogx@lemmy.worldEnglish
      0·
      4 days ago

      Looks like this happened:

      OpenSSH server has had built-in support for WebAuthn keys since 8.2.