A common application of security keys is as a hardware-backed SSH key. I have lately been curious as to whether it would be possible to use one as an SSH host key. It seems like it should be straightforward enough, it’s just another SSH key after all, if it works as a client identity key, why wouldn’t it work as a host key?

So I had a mess around with this, but haven’t been able to get it to work. Using sudo ssh-keygen -t ed25519-sk -O no-touch-required (or with -O resident as well) just ends up with the connection being refused and the auth log showing sshd: no hostkeys available -- exiting.

I had a look at the source for OpenSSH, but after 10 minutes of digging can find no indication of why it would consider this to not be an ED25519_SK key, which the code explicitly accepts as a host key.

If anyone has any ideas for what is going wrong or has better luck, I would love to hear the details.

(Posted in selfhosted because this is the most prominent community that talks about ssh I can find, somewhat unsurprisingly)
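As an added example (not code from the original post or from OpenSSH), here is a small POSIX shell check for the situation the post describes: sshd logs "no hostkeys available -- exiting" when none of its HostKey entries can be loaded, so the script walks the HostKey directives of an sshd_config and reports, per entry, whether the private key and its .pub exist and whether the public key type is one sshd accepts as a host key. The accepted-type list is an assumption written into the script and includes the FIDO2 "-sk" types (sk-ssh-ed25519@openssh.com and sk-ecdsa-sha2-nistp256@openssh.com). The sample config and key files are constructed in a temporary directory, so it runs offline without a security key.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the host keys an sshd_config
# points at. A count of zero usable keys is the condition behind sshd's
# "no hostkeys available -- exiting". The accepted-type list below is an
# assumption; sample config and key files are constructed so this runs offline.

WORK=$(mktemp -d)
CONF="$WORK/sshd_config"
GOODKEY="$WORK/ssh_host_ed25519_sk_key"
BADKEY="$WORK/ssh_host_missing_key"

# Constructed sample sshd_config: one usable HostKey entry and one that is missing.
cat > "$CONF" <<EOF
Port 22
HostKey $GOODKEY
HostKey $BADKEY
EOF
# Constructed placeholder key pair; only the type field of the .pub is inspected.
printf 'PLACEHOLDER-PRIVATE-KEY-NOT-A-REAL-KEY\n' > "$GOODKEY"
chmod 600 "$GOODKEY"
printf 'sk-ssh-ed25519@openssh.com AAAAPLACEHOLDER root@example\n' > "$GOODKEY.pub"

# key_type_ok TYPE: succeeds if TYPE is a public key type sshd accepts as a host key
# (assumed list; includes the FIDO2 "-sk" types).
key_type_ok() {
  case "$1" in
    ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|\
    sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) return 0 ;;
    *) return 1 ;;
  esac
}

# hostkey_type PUBFILE: prints the key type, i.e. the first field of a .pub file.
hostkey_type() {
  awk 'NR == 1 { print $1; exit }' "$1"
}

# check_hostkey PATH: prints a verdict line; succeeds only if sshd could load the key.
check_hostkey() {
  k="$1"
  if [ ! -f "$k" ]; then
    echo "$k: private key file missing"; return 1
  fi
  if [ ! -f "$k.pub" ]; then
    echo "$k: public key file missing"; return 1
  fi
  t=$(hostkey_type "$k.pub")
  if key_type_ok "$t"; then
    echo "$k: ok ($t)"; return 0
  fi
  echo "$k: unsupported host key type '$t'"; return 1
}

# count_usable_hostkeys CONF: prints how many HostKey entries pass check_hostkey.
# Verdict lines go to stderr so the count is the only thing on stdout.
count_usable_hostkeys() {
  n=0
  for k in $(awk 'tolower($1) == "hostkey" { print $2 }' "$1"); do
    if check_hostkey "$k" >&2; then n=$((n + 1)); fi
  done
  echo "$n"
}

# cleanup: remove the constructed files.
cleanup() { rm -rf "$WORK"; }

# Usage: with the constructed config this prints 1 (one usable key, one missing).
count_usable_hostkeys "$CONF"
```

On a real host the same check is pointed at /etc/ssh/sshd_config (or the output of `sshd -T`, which prints the effective HostKey list) and run as root, since that is the user sshd reads the key files as.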

  • Natanael@slrpnk.net
    4 days ago

    You don’t want FIDO2 security tokens for that, use an OpenPGP applet (works with some Yubikeys and with many programmable smartcards). Much more practical for authenticating a server.

    BTW we have a lot of cryptography experts in www.reddit.com/r/crypto (yes I know, I’m trying to get the community moved, I’ve been moderating it for a decade and it’s a slow process)

    • gozz@lemmy.worldOP
      4 days ago

      I am familiar with these alternatives. My experiment was specific in wanting FIDO2 and I ended up figuring out the issue. It was the intersection of a couple of weird behaviours that made debugging very confusing, but it works exactly as I expected it would once those are resolved. I guess we can consider this a proof of concept that you can indeed use FIDO2 tokens as an external SSH host key (though as I said below whether this is practically useful is another matter entirely).

      • Natanael@slrpnk.net
        4 days ago

        Your workaround is precisely why I said “more practical”. Any updates to your tooling might break it because it’s not an expected use case.