I’m a big fan of using hardware keys to secure important services, since they are even more secure than OTP tokens.
If you are currently using a Yubikey (or similar) to secure services, you will be happy to hear that starting today, you can use your hardware key directly with OpenSSH in FIDO2/U2F mode. The relevant PR was just merged earlier today and it works as expected:
- Be sure to update or install the Homebrew `openssh` package: `$ brew upgrade openssh`
- Insert your hardware key
- Generate a new SSH key using: `$ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk`
- Find the new public/private key pair in `.ssh`. The private key file will have some content, but should be useless without the hardware key attached.
It also supports `ed25519-sk` as a key type, but this was not supported on the Yubikey 5 I used.
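Two checks worth running after the steps above, as an added example that is not part of the original post: confirm the installed `ssh` is a release that knows the `-sk` key types, and confirm the key pair you generated really is a security-key type (one whose private half cannot sign without the token). The version check assumes the `OpenSSH_8.2p1, ...` banner format printed by `ssh -V` and the fact that FIDO2/U2F support arrived in OpenSSH 8.2; the key check relies on the `sk-ecdsa-sha2-nistp256@openssh.com` and `sk-ssh-ed25519@openssh.com` key-type identifiers OpenSSH uses for these keys. The `~/.ssh/id_ecdsa_sk.pub` path is the one from the steps above. The script does not run `ssh-keygen` itself, since that needs the hardware key plugged in.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks around the
# FIDO2/U2F key procedure. Assumes the "OpenSSH_8.2p1, ..." banner format
# and OpenSSH's sk-* key-type identifiers.

# Return 0 when the "ssh -V" banner reports OpenSSH 8.2 or newer (the first
# release with FIDO2/U2F support), 1 otherwise.
ssh_supports_sk() {
    banner="$1"
    ver=$(printf '%s' "$banner" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -gt 8 ]; then return 0; fi
    if [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; then return 0; fi
    return 1
}

# Return 0 when a public-key line (the contents of ~/.ssh/id_ecdsa_sk.pub)
# is a security-key type, i.e. one that needs the hardware token to sign.
is_sk_pubkey() {
    keytype=${1%% *}
    case "$keytype" in
        sk-ecdsa-sha2-nistp256@openssh.com|sk-ssh-ed25519@openssh.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone usage: check the installed ssh, then the generated key if present.
if command -v ssh >/dev/null 2>&1; then
    # ssh -V prints its banner on stderr, hence the redirect.
    if ssh_supports_sk "$(ssh -V 2>&1)"; then
        echo "ssh supports -sk key types"
    else
        echo "ssh is older than 8.2; run: brew upgrade openssh"
    fi
fi
if [ -r "$HOME/.ssh/id_ecdsa_sk.pub" ]; then
    if is_sk_pubkey "$(cat "$HOME/.ssh/id_ecdsa_sk.pub")"; then
        echo "id_ecdsa_sk.pub is a security-key type"
    else
        echo "id_ecdsa_sk.pub is NOT a security-key type"
    fi
fi
```

If the second check reports a plain `ecdsa-sha2-nistp256` or `ssh-ed25519` key, the key was generated without `-sk` and the private file is a normal, fully usable secret rather than a handle that only works with the token attached.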
For more details see the official OpenSSH release log.