2. OpenSSH command for Yubkey FIDO2

Unfortunately, Windows 11 does not currently support FIDO2 enrollment.

FIDO2 (with ed25519-sk) is a simple way to protect your keys and is simple to enroll. Unfortunately, not all Yubikeys support FIDO2. In that case, you might be able to use your Yubikey like a "Smartcard" (PIV). Yubikey/Smartcard takes more steps but is not that difficult. Please see:

MacOS: https://docs.k9.io/key9-documentation/macos-yubikey-smartcard-piv-instructions.

Windows: https://docs.k9.io/key9-documentation/windows-yubikey-smartcard-piv-instructions

First, make sure your Yubikey is PIN-protected. If it is not PIN protected, do that first:

https://docs.k9.io/key9-documentation/setting-a-yubikey-pin-without-yubikey-software.docs.k9.io

If your Yubikey is PIN-protected, run the following command to sign a new private key with your Yubikey.

$ ssh-keygen -t ed25519-sk -O resident -O verify-required -O application=ssh:key9.dev

Previous1. Prerequisites Next3. Enrolling your public key to Key9

Last updated 1 year ago