
2. OpenSSH command for Yubikey FIDO2

Unfortunately, Windows 11 does not currently support FIDO2 enrollment.


Last updated 4 months ago

FIDO2 (with ed25519-sk) is a simple way to protect your keys and is simple to enroll. Unfortunately, not all Yubikeys support FIDO2. In that case, you might be able to use your Yubikey as a "Smartcard" (PIV). The Yubikey/Smartcard route takes more steps but is not that difficult. Please see:

MacOS: https://docs.k9.io/key9-documentation/macos-yubikey-smartcard-piv-instructions

Windows: https://docs.k9.io/key9-documentation/windows-yubikey-smartcard-piv-instructions

First, make sure your Yubikey is PIN-protected. If it is not PIN-protected, do that first: see "Setting a Yubikey PIN without Yubikey software."

If your Yubikey is PIN-protected, run the following command to generate a new SSH key pair protected by your Yubikey.

$ ssh-keygen -t ed25519-sk -O resident -O verify-required -O application=ssh:key9.dev
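
Before enrolling the resulting public key, you can confirm that it is a FIDO2-backed ed25519-sk key carrying the ssh:key9.dev application string from the command above. The Python check below is an added example, not part of the Key9 documentation or tooling; its function names and the sample keys (built from dummy bytes) are assumptions for illustration, and the blob layout follows OpenSSH's PROTOCOL.u2f description of sk-ssh-ed25519@openssh.com keys.

```python
import base64
import struct

SK_ED25519 = "sk-ssh-ed25519@openssh.com"
EXPECTED_APP = "ssh:key9.dev"  # value given to -O application= on this page


def _read_string(blob, offset):
    """Read one SSH wire 'string': 4-byte big-endian length, then the data."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string data")
    return blob[offset + 4:end], end


def check_sk_pubkey(line, expected_app=EXPECTED_APP):
    """Validate one .pub line; return its application string or raise ValueError."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    if fields[0] != SK_ED25519:
        raise ValueError(f"not a FIDO2 ed25519-sk key: {fields[0]}")
    blob = base64.b64decode(fields[1], validate=True)
    # Blob layout: string key type, string 32-byte public key, string application.
    key_type, off = _read_string(blob, 0)
    pubkey, off = _read_string(blob, off)
    application, off = _read_string(blob, off)
    if key_type.decode() != fields[0] or len(pubkey) != 32 or off != len(blob):
        raise ValueError("malformed sk-ssh-ed25519 blob")
    app = application.decode()
    if app != expected_app:
        raise ValueError(f"unexpected application {app!r}")
    return app


def build_sample(key_type, parts):
    """Construct a .pub line from dummy fields (hypothetical helper, not a real key)."""
    chunks = [key_type.encode(), *parts]
    blob = b"".join(struct.pack(">I", len(c)) + c for c in chunks)
    return f"{key_type} {base64.b64encode(blob).decode()} constructed@example"


if __name__ == "__main__":
    sample = build_sample(SK_ED25519, [bytes(32), b"ssh:key9.dev"])
    print(check_sk_pubkey(sample))
```

The verify-required setting is not recorded in the public key, so this check cannot confirm it.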