Table of contents
Yes. Theis FIDO2 Security key support ED25519 SSH keys for secure authentication and encryption.

Here’s a refined and professionally structured version of your instructions for configuring the SSH client and server with FIDO2 security keys:

🔐 Configuring the SSH Client with a Security Key

Linux

  1. Insert your security key.

  2. Open a terminal.

  3. Generate the SSH credentials:

    ssh-keygen -t ed25519-sk -O resident -O verify-required -C "Your Comment"

  4. When prompted, enter your PIN and touch the security key.

  5. Save the generated files (id_ed25519_sk and id_ed25519_sk.pub) to the ~/.ssh directory.

macOS

  1. Install OpenSSH via Homebrew if needed:

    brew install openssh
source ~/.profile

  2. Insert your security key.

  3. Open a terminal and generate the SSH credentials:

    sudo ssh-keygen -t ed25519-sk -O resident -O verify-required -C "Your Comment"

  4. When prompted, enter your PIN and touch the key.

  5. Save the files to your ~/.ssh directory.

Windows 10/11

  1. Ensure OpenSSH is installed. See Microsoft's guide.

  2. Insert your security key.

  3. Open PowerShell as Administrator and run:

    ssh-keygen -t ed25519-sk -O resident -O verify-required -C "Your Comment"

  4. Enter your PIN and touch the key when prompted.

  5. Save the credential files in your ~/.ssh directory.

🔄 Configuring Additional SSH Clients

To use the security key on another system:

  1. Insert the key and open a terminal.

  2. Navigate to your SSH directory:

    cd ~/.ssh

  3. Regenerate the key files from the security key:

    ssh-keygen -K

🛠️ Configuring the SSH Server

To enforce FIDO2 user verification:

  1. Edit the SSH server config file (commonly found at /etc/ssh/sshd_config).

  2. Add or update the following line:

    PubkeyAuthOptions verify-required

  3. Save and exit the file.

  4. Restart the SSH service:

    sudo systemctl restart sshd

🔒 Optional: Hardened sshd_config Example

# Enable public key authentication (includes FIDO2)
PubkeyAuthentication yes

# Require FIDO2 user verification (PIN + touch)
PubkeyAuthOptions verify-required

# Location of authorized public keys
AuthorizedKeysFile .ssh/authorized_keys

# Restrict root login to MFA only
PermitRootLogin prohibit-password

# Disable password-based authentication
PasswordAuthentication no
PermitEmptyPasswords no