2020-04-22

OpenSSH is on a roll. In February, OpenSSH 8.2 introduced first-class support for FIDO2 (née U2F) security keys, making hardware-backed keys accessible for less than $20.

This is not some complicated PAM setup, or some janky cryptographic trick, but a proper public key type, where the private key is protected by the hardware token.[1] And it just works out of the box for USB security keys! No more tedious and unreliable gpg-agent setups, PKCS#11, or third-party agents.
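Because the security-key support is a proper key type, it is visible in every `.pub` file and `authorized_keys` entry. As an added example (not code from the original post), here is a small Python parser for that format, following the wire layout in OpenSSH's PROTOCOL.u2f: the `sk-*` key blobs carry the key material plus an extra "application" string (the relying-party id, normally `ssh:`). The sample key lines are constructed with dummy bytes; `make_sample_line` and `software_only` are names chosen here, not OpenSSH's.

```python
import base64
# Key types OpenSSH 8.2 added for FIDO2 security keys (see OpenSSH's PROTOCOL.u2f).
ECDSA_SK = "sk-ecdsa-sha2-nistp256@openssh.com"
SK_KEY_TYPES = {"sk-ssh-ed25519@openssh.com", ECDSA_SK}

def _ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return len(data).to_bytes(4, "big") + data

def _read_string(blob, offset):
    """Decode one SSH wire-format string at offset; returns (value, next_offset)."""
    length = int.from_bytes(blob[offset:offset + 4], "big")
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end

def parse_pubkey_line(line):
    """Parse one .pub/authorized_keys line; report whether it is hardware-backed."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1])
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type inside blob does not match the text type")
    if key_type == ECDSA_SK:
        _curve, off = _read_string(blob, off)  # curve name, e.g. b"nistp256"
    _key_material, off = _read_string(blob, off)
    application = None
    if key_type in SK_KEY_TYPES:
        # sk-* blobs carry an extra 'application' (relying-party id, usually 'ssh:').
        application = _read_string(blob, off)[0].decode()
    return {"type": key_type, "hardware_backed": key_type in SK_KEY_TYPES, "application": application}

def make_sample_line(key_type, key_material, application=None):
    """Build a constructed .pub line with dummy key bytes (NOT a real key)."""
    blob = _ssh_string(key_type.encode())
    if key_type == ECDSA_SK:
        blob += _ssh_string(b"nistp256")
    blob += _ssh_string(key_material)
    if application is not None:
        blob += _ssh_string(application.encode())
    return f"{key_type} {base64.b64encode(blob).decode()} demo@example"
# Constructed samples: one plain software key, one FIDO2-backed key.
SOFTWARE_KEY = make_sample_line("ssh-ed25519", b"\x01" * 32)
SK_KEY = make_sample_line("sk-ssh-ed25519@openssh.com", b"\x02" * 32, "ssh:")

def software_only(lines):
    """Return the key types of entries that are NOT backed by a security key."""
    return [p["type"] for p in map(parse_pubkey_line, lines) if not p["hardware_backed"]]
```

Running `software_only` over a real `authorized_keys` file lists the entries that a policy of "hardware-backed keys only" would still need to replace.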

I’m a big fan of hardware tokens because they allow a few things you can’t do with just software cryptography: compromise recovery, because an attacker can’t exfiltrate the key from the hardware to keep using it after losing access to the machine; explicit consent, where the user has to physically allow each operation by e.g. tapping the key; and short PINs that can’t be brute-forced, because the retry counters or delays are enforced in hardware.

Let’s cut to the chase: here’s how you generate an SSH key backed by your security key: [...]